Aliant Webmail 7

7.0.13 is a web-based email system, developed by Aliant for its cellular broadband customers.

The application included a number of serious vulnerabilities which allow for full compromise of the server hosting it.

In this advisory, we discuss some of these issues and ways to exploit them in order to gain access to mailboxes hosted on the remote server.

In order to use this exploit, a low-privileged shell account on the server is necessary. For example, using hydra we can test for SSH logins:

hydra -l aliant\|aliant\|aliant\|aliant\|aliant\|aliant webmail.sabredav.org ssh

where ‘aliant’ is just one in a list of usernames. If you are lucky, the login prompt will show immediately and authentication will be required. If not, try some other passwords or use “root” instead of an actual username.

Once logged in it might be necessary to change the directory to webmail. There are two different versions of Webmail on the server (of many). One is located in /var/www, while another one – which contains more features – can be found at “/Aliant-webmail”.

It is obvious that the later version is required for this exploit to work, so it’s advised to copy it or create a link to it from the former.

In order to download the file which is located at “/aliant-webmail” change directory as follows:

cd /var/www/aliant-webmail

Once it’s downloaded, upload it to your server and make sure that you have access via web browser by visiting https://<server-ip>:8000/aliant-webmail. You should get a 404 error message which means that the file was successfully uploaded and is accessible at the specified location: /var/www/aliant-webmail.

Now we need to create a configuration file for the exploit script:

echo “auth = Login” > config.php

echo “dbconnect = sqliteconnect(‘/tmp/sqlitewebmail.db’)” >> config.php

echo “datadirectory = /home” >> config.php

echo “debugmode = on” >> config.php

echo “dbsettings = sqlitewebmail.db” >> config.php

echo “defaultuser = user@domain.com” >> config.php

make the file executable:

chmod +x webmail-pushover-exploit.sh

The final step is to download and configure the pushover tool on your phone, which should be available for Android, iOS, and WP7. The configuration of the tool is straightforward and consists of a user key, which can be obtained from https://pushover.net/ after registration, and a sound to play when the message arrives. In order for this exploit to work properly on bootup of the server you will need to add your newly created SSH public key to authorized_keys.

Now we’re ready to exploit:

./webmail-pushover-exploit.sh config.php *********************************** * WARNING: This is a webmail pushover exploit script for use against * * Aliant’s webmail servers and should be used with caution! Use at your own risk! * *********************************** Do you wish to read the rest of this article? **

Must Read: Aliant Webmail

*A fee is required to read this article. TOC Premier subscribers may log in and read this article without a fee. Articles are available for purchase only, not free. We reserve the right to alter or withdraw access at any time. For more information please see our terms of use.