:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:

mlsrvx.dll 1.8.9.1 ArGoSoft Mail Server Arbitrary Data Write
============================================================

Internal ID: VULWAR200707273.

Introduction
------------

mlsrvx.dll is a library included in the ArGoSoft Mail Server software package from the ArGoSoft company.

Tested In
---------

- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.

Summary
-------

The Add and SaveToFile methods don't check whether they are being called from the application itself or from a malicious web page. A remote attacker could craft an HTML page that instantiates the control and writes arbitrary files on the affected system.

Impact
------

The vulnerability could allow malicious users to write arbitrary data on a vulnerable system.

Workaround
----------

- Set the kill bit for CLSID 3F06B376-8DB8-49D1-8BF8-D4C070EFEBA5 so Internet Explorer refuses to instantiate the control.
- Unregister mlsrvx.dll using regsvr32.

Timeline
--------

July 27 2007 -- Bug Discovery.
July 27 2007 -- POC published.

Credits
-------

* callAX
* GoodFellas Security Research Team

Technical Details
-----------------

An example file will be written on the system using the Add and SaveToFile methods. Any other kind of exploit could easily be set up, because the attacker can both write files and choose the data placed in them. An attacker could also obfuscate the HTML file using Javascript techniques, so the code would be harder to understand.

Proof of Concept
----------------
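The following script is an added example and is not part of the original advisory, nor is it the proof of concept referred to above: it applies and verifies the two workarounds listed in the Workaround section (setting the kill bit for the advisory's CLSID, then unregistering mlsrvx.dll). The CLSID comes from the advisory; the registry path used for the kill bit is the documented Internet Explorer "ActiveX Compatibility" key, and the mlsrvx.dll install path is an assumption that must be adjusted to the affected host.

```powershell
# Added example (not from the GoodFellas advisory): apply and verify the
# advisory's workarounds for the ArGoSoft mlsrvx.dll ActiveX control.
# Run from an elevated PowerShell prompt on the affected Windows host.

$Clsid   = '{3F06B376-8DB8-49D1-8BF8-D4C070EFEBA5}'   # CLSID from the advisory
$KillBit = 0x400   # "Compatibility Flags" value that tells IE never to load the control

# Both the native view and, on 64-bit Windows, the WOW6432 view must carry the
# kill bit, because a 32-bit Internet Explorer reads the Wow6432Node branch.
$Keys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the kill bit into any flags already present instead of overwriting them.
    $existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$Key)
    $flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($k in $Keys) {
    # The Wow6432Node branch only exists on 64-bit Windows; skip it elsewhere.
    if ($k -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    Set-KillBit -Key $k
    if (Test-KillBit -Key $k) { Write-Host "kill bit set: $k" }
    else                      { Write-Warning "kill bit NOT set: $k" }
}

# Second workaround from the advisory: unregister the control so it cannot be
# instantiated by any host at all. The DLL location is an assumption; locate
# mlsrvx.dll under the ArGoSoft Mail Server install directory on the real host.
$Dll = Join-Path $env:ProgramFiles 'ArGoSoft Mail Server\mlsrvx.dll'   # assumed path
if (Test-Path $Dll) {
    & regsvr32.exe /s /u $Dll
    Write-Host "unregistered: $Dll"
} else {
    Write-Warning "mlsrvx.dll not found at assumed path: $Dll"
}

# Confirm that no COM registration remains; InprocServer32 is what IE resolves
# when a page references the CLSID.
$StillRegistered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
Write-Host ("control still registered: {0}" -f $StillRegistered)
```

The kill bit alone is the safer first step on hosts where the mail server itself still needs the control, since it blocks only Internet Explorer and other hosts that honour the ActiveX Compatibility flags; unregistering the DLL removes it for every COM client, including the ArGoSoft application.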