Aliant Webmail 7

Aliant Webmail developed 7.0.13 as a web-based email solution for its cellular broadband clients.

The application contained many significant flaws that might lead to the server hosting being wholly hacked.

We’ll go over some of these problems and how to exploit them to access mailboxes housed on the remote server in this advisory.

A low-privileged shell account on the server is required to use this attack. For example, we can use hydra to check for SSH logins:

hydra|aliant|aliant|aliant|aliant|aliant|aliant|aliant|aliant|aliant|aliant|aliant webmail.sabredav.org ssh

Where ‘aliant’ is one of many possible usernames, if you’re lucky, the login prompt will appear right away, prompting you to authenticate. If that doesn’t work, try a different password or use “root” instead of a username.

It may be essential to change the directory to Webmail once logged in. There are two versions of Webmail (of many). One may be found at /var/www, but another can be found in “/Aliant-webmail” and has additional features.

Because the latter version is required for this attack to operate, it’s best to copy it or establish a link to it from the earlier version.

To download the file stored at “/aliant-webmail,” go to the following directory:

• cd /var/www/aliant-webmail
• After you’ve downloaded it, upload it to your server and check that you can access it using a web browser by going to https://server-ip>:8000/aliant-webmail. A 404 error notice signifies the file was successfully uploaded and is now available at the requested location: /var/www/aliant-webmail.

Now we must create the exploit script’s configuration file:

1. echo “auth = Login” > config.php
2. echo “dbconnect = sqliteconnect(‘/tmp/sqlitewebmail.db’)” >> config.php
3. echo “datadirectory = /home” >> config.php
4. echo “debugmode = on” >> config.php
5. echo “dbsettings = sqlitewebmail.db” >> config.php
6. echo “defaultuser = user@domain.com” >> config.php
7. Make the file executable by following these steps:
8. chmod +x webmail-pushover-exploit.sh

The last step is to install and set up the pushover tool on your phone, which should be accessible for Android, iOS, and Windows Phone 7. The tool’s configuration is simple and comprises a user key, which may be obtained after registration at https://pushover.net/, and a sound to play when the message arrives. You must add your freshly created SSH public key to authorized keys for this exploit to work correctly on server bootup.

Now we’re ready to exploit:

./webmail-pushover-exploit.sh config.php ******************************************************************************************************************* WARNING: This is a webmail pushover exploit script for Aliant’s webmail servers, and it should be used with caution! Make use of it at your own risk! * ******************************************************************************************************** Do you want to continue reading this article? **

Must Read: Aliant Webmail

*To read this article, you must pay the price. This article is available to TOC Premier subscribers for free. Reports are only available for purchase and are not available for free. At any time, we have the right to change or remove access. Please visit our terms of service for more information.