DarC KonQuesT IceWarp 3.4.5 XSS Release

Product: IceWarp Webmail 3.4.5
Vendor: IceWarp Software - E-mail: info@icewarp.com Web: www.icewarp.com
Problem: Cross Site Scripting
Severity: Mild
Operating System(s): Tested against Win2k
Discovered: October 29, 2002
Vendor Notified: October 29, 2002
Public Release: Now - November 11, 2002

Preface:

Okay, here's what happened...before my original release of the Icewarp 3.3.3 Cross-Site Scripting bug I contacted IceWarp about it. After a bit of discussion, one of the developers established contact with me again and stated that he would fix the problem. And I quote:

"Hi DarC
Thanks for the explanation. I'll fix it :)
Cheers"

The above from developer Jakub Klos.

Unfortunately he either misunderstood or just did not fix the problem. When the mail server I use updated to IceWarp version 3.4.5 I noticed the bug still existed. After contacting IceWarp with the bug (again) I was notified that it had been sent to their developers (again) and later received the following reply (again):

"Hi,
Problem solved..
Thanks"

-this from Adam Paclt

Hmm....seem familiar??

Anyway, I'm not going to go over the entire advisory again because it is EXACTLY the same, no difference. So, I've attached the original advisory below.

Cleaning up loose ends:

1) YES! I KNOW! This is very difficult to exploit, I knew/know/will continue to know this. No need to contact me and let me know...because I KNOW!

2) You, yeah you behind the anonymous remailer harping on me and my handle...True, I hide behind a handle, but YOU hide behind an anonymous remailer. ESAD you fucking hypocrite.

Later on, and have fun,

-DarC KonQuesT
Ringleader -(DiR)-
United States of America

Greets: Christina, HaXXuS 101, oO Bizurke Oo, st3v3.
---------------------------------------------ORIGINAL ADVISORY BELOW-------------------------------------------

DarC KonQuesT XSS Release-

Product: IceWarp Webmail 3.3.3 (tested, others possibly vulnerable)
Vendor: IceWarp Software - E-mail: info@icewarp.com Web: www.icewarp.com
Problem: Cross Site Scripting
Severity: Mild-Moderate
Operating System(s): Tested against Win2k but all others if objects are handled the same way.
Discovered: July 28, 2002
Vendor Notified: August 4, 2002
Public Release: Now - August 24

Background:

IceWarp Webmail is a nice webmail daemon that "is a full featured top quality web mail solution which works with any mail server and lets you access your email office remotely from any browser on the Internet or your local network" (IceWarp.com). Web Mail runs on Windows XP/2000/NT/9X/ME, supports SMTP/POP3/IMAP4/HTTP Internet protocols and has a spell checker, remote web administration, any attachment support, private and shared address books, groups, signatures, multiple mail server support and many other powerful options (IceWarp.com). According to their site it was first officially released on March 6, 2000.

Problem:

IceWarp has a nifty little feature where your address book appears as a dropdown menu next to the message's "To:", "Cc:", and "Bcc:" fields, which makes sending a message to a contact in your address book very easy. When IceWarp loads your address book into these dropdown menus it doesn't sanitize the "Full Name" segment, so malicious code (or any code, I don't care) can be placed into this field and it will be executed whenever the user loads the page to write a new message. However, since the dropdown menu appears thrice (beside each field) the code will execute 3 times.

One problem with providing a link to automatically enter this data into the address book is that IceWarp uses ID numbers to keep track of the logged in user. If you do not know this number then IceWarp lists the user as not logged in.
Therefore it becomes more difficult to execute an XSS attack. This number is randomly generated (I think), and changes every time the user logs in. This number can be seen in the URL or many places in the code of the page.

Code from inbox:

http://<IceWarp-using-site>:32000/mail/readmail.html?folder=inbox&get=1&id=e68972360786c64b3aa14dc0f60b1aa6

You can see the ID number listed beside 'id='

Exploit (almost):

A URL can be crafted easily which will fill in the values on the 'Add Address' page just by viewing the code. The one I used is as follows:

NOTE: I used some encoding for the spaces but none was necessary for the page I tested on. However, encoding the entire URL would be a good way to disguise the intentions of it.

http://<Icewarp-Using-Site>:32000/mail/addressaction.html?id=<USER ID#>&newaddress=1&addressname=<script>alert('DarCNesS%20Overwhelms')</script>&addressemail=DarC_KonQuesT@phreaker.net

The problem with this is that it will go to the page (if you know the ID#), and fill in the required fields. However it will not submit the form. I'll leave this for someone else to figure out. An easier way would be if the page used CGI or PHP where the form could be submitted solely through the URL and then redirect to another site etc... But, as far as I have found, all the transactions are handled by an executable file rather than scripts.

Another problem is that instead of cookies IceWarp uses ID numbers which reduces the chances of our URL working (because we need to have their ID number and they must still be in that session).

Vendor Action:

I notified IceWarp about 1 A.M. and Adam of IceWarp replied by noon. His response was composed of the following:

"Hello Cameron,
Ok.. I send your notice to our developers.
Thanks"

and that was the last I've heard from them. ::shrug:: at least he was prompt about it.

Aftermath:

It seems to me this has all the normal dangers of an XSS hole so listing them seems pointless (I'm sure we've all seen them). If someone develops a way to submit the form through the URL or by bypassing the form altogether I'd definitely like to see how you did it. Same thing if someone expands this idea to include other/larger possibilities.

Later on, and have fun,

- DarC KonQuesT
-(DiR)-

Greets: DarCLinG, V3ga, st3v3, Jenn, Christina, ACES, and M. Howard

"Congress shall make no law abridging the freedom of speech, or the right of the people peaceably to assemble, and to petition the government for a redress of grievances." -- Marc Rotenberg
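As an added illustration of the defect the advisory's Problem section describes (this is example code written for this page, not IceWarp's code and not the author's), the snippet below builds the "To:"/"Cc:"/"Bcc:" address-book dropdowns two ways: once by interpolating the stored "Full Name" and e-mail straight into the markup, as the advisory reports the product doing, and once with HTML encoding applied to every untrusted field. It also includes a small audit helper that flags stored entries containing markup metacharacters, the kind of check an operator would run over an address-book store after reading a report like this one. The contact entries, the `renderSelect*`/`findSuspiciousEntries` names and the `alert('xss')` string are all constructed for the example.

```javascript
// Added example, not IceWarp's code: vulnerable vs. hardened rendering of the
// address-book <select> that the compose page shows beside To:, Cc: and Bcc:.
// All entry data below is constructed for the demonstration.

// HTML-encode a string so it is inert both as element text and inside a
// double- or single-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored "Full Name" and e-mail are interpolated verbatim,
// mirroring the behaviour the advisory reports (no sanitising of Full Name).
function renderSelectVulnerable(fieldName, entries) {
  const options = entries
    .map((e) => `<option value="${e.email}">${e.name}</option>`)
    .join("");
  return `<select name="${fieldName}">${options}</select>`;
}

// Hardened: every untrusted field is encoded at the point it enters HTML.
function renderSelectSafe(fieldName, entries) {
  const options = entries
    .map((e) => `<option value="${escapeHtml(e.email)}">${escapeHtml(e.name)}</option>`)
    .join("");
  return `<select name="${escapeHtml(fieldName)}">${options}</select>`;
}

// The compose page repeats the dropdown beside each of the three fields,
// which is why the advisory notes a payload fires three times.
function renderComposeMenus(entries, render) {
  return ["To", "Cc", "Bcc"].map((f) => render(f, entries)).join("\n");
}

// Audit helper (hypothetical, not a product feature): list stored entries whose
// name or e-mail contains HTML metacharacters so an operator can review them.
function findSuspiciousEntries(entries) {
  const meta = /[<>"'&]/;
  return entries.filter((e) => meta.test(e.name) || meta.test(e.email));
}

// Count live <script> tags in rendered markup; encoded text never matches
// because the leading "<" has become "&lt;".
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample address book: one benign contact, one hostile Full Name.
const SAMPLE_ENTRIES = [
  { name: "Alice Example", email: "alice@example.invalid" },
  { name: "<script>alert('xss')</script>", email: "mallory@example.invalid" },
];

// Stand-alone demonstration: compare how many live script tags each renderer
// emits for the same stored data, and what the audit helper would flag.
function demo() {
  const vulnerable = renderComposeMenus(SAMPLE_ENTRIES, renderSelectVulnerable);
  const hardened = renderComposeMenus(SAMPLE_ENTRIES, renderSelectSafe);
  return {
    vulnerableScriptTags: countScriptTags(vulnerable), // 3: once per dropdown
    hardenedScriptTags: countScriptTags(hardened),     // 0
    flaggedEntries: findSuspiciousEntries(SAMPLE_ENTRIES).length, // 1
  };
}

console.log(demo());
```

The point of encoding at the rendering step rather than filtering on input is that the address book is a store: a name that slipped past an input filter (or was written by an older version) is still neutralised when the compose page is built, and the audit helper gives a way to find such stored names without touching them.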