
List:       bugtraq
Subject:    Open-Xchange Security Advisory 2013-07-31
From:       Martin Braun <martin.braun () open-xchange ! com>
Date:       2013-07-31 6:04:47
Message-ID: 1875671392.589.1375250688062.open-xchange () appsuite-dev-gw2 ! open-xchange ! com

Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH

Internal reference: 27473 (Bug ID)
Vulnerability type: Phishing / Data injection
Vulnerable version: 7.2.2 and earlier
Vulnerable component: backend
Fixed version: 7.2.2-rev9, 7.2.1-rev10, 7.2.0-rev11, 7.0.2-rev14
Solution status: Fixed by Vendor
Vendor notification: 2013-07-11
Solution date: 2013-07-18
Public disclosure: 2013-07-31
CVE reference: CVE-2013-4790
CVSSv2: 5.1 (AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
To provide easy integration of third party mail accounts, Open-Xchange uses several auto-discovery features. Besides a generic lookup for the most prominent mail providers, information from existing external mail accounts of other users, including users from other contexts, is used to discover potential mail server settings. To validate the discovered settings, a login attempt is performed at the discovered mail server. This attack is only possible if the victim is using the OX AppSuite UI; using the OX6 UI does not trigger this vulnerability.

Risk:
An attacker can inject incorrect host information for popular mail services by providing misleading server settings. These settings are then used to automatically validate other users' external mail accounts, which includes transferring their external mail account login name and password. An attacker can potentially intercept user credentials for external mail accounts by logging all authentication data sent to the rogue IMAP server.
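The following is an added illustration, not Open-Xchange code: a toy model of the auto-discovery logic described above, with the vulnerable behaviour (reusing any user's stored settings for a domain, across contexts, and then attempting a login there) beside one possible hardened variant that only reuses settings from the caller's own context and only when the discovered host lies under the address's domain. The data structures, the provider table and the sample accounts are assumptions constructed for this example; the hardened variant is an illustrative check, not the vendor's actual fix.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MailAccount:
    """An external mail account stored by some OX user (assumed structure)."""
    context_id: int   # OX context (tenant) of the user who stored it
    address: str      # address of the external account
    imap_host: str    # server the stored credentials are sent to

# Assumed generic lookup table for prominent providers.
KNOWN_PROVIDERS = {"example.com": "imap.example.com"}

# Constructed sample data: user A's "manual mode" entry points my-mail-host.io at
# the rogue server (the advisory's evil IMAP server); the second entry is a legitimate
# account an unrelated user in context 2 created earlier.
STORED_ACCOUNTS = [
    MailAccount(context_id=1, address="foo@my-mail-host.io", imap_host="37.235.49.xxx"),
    MailAccount(context_id=2, address="alice@my-mail-host.io", imap_host="imap.my-mail-host.io"),
]

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

def discover_vulnerable(address, stored):
    """Reuse the settings of any stored account for the same domain, across contexts."""
    dom = domain_of(address)
    if dom in KNOWN_PROVIDERS:
        return KNOWN_PROVIDERS[dom]
    for acct in stored:
        if domain_of(acct.address) == dom:
            return acct.imap_host  # user B's login is then attempted wherever user A pointed
    return None

def host_in_domain(host, dom):
    host = host.lower().rstrip(".")
    return host == dom or host.endswith("." + dom)

def discover_hardened(address, stored, caller_context):
    """Reuse only settings from the caller's own context whose host lies under the
    address's domain; otherwise return None so the UI falls back to manual mode."""
    dom = domain_of(address)
    if dom in KNOWN_PROVIDERS:
        return KNOWN_PROVIDERS[dom]
    for acct in stored:
        if acct.context_id != caller_context or domain_of(acct.address) != dom:
            continue
        if host_in_domain(acct.imap_host, dom):
            return acct.imap_host
    return None  # nothing trustworthy: do not try a login with the user's password
```

With the constructed data, the vulnerable lookup hands user B's credentials to the rogue host for any address at my-mail-host.io, while the hardened lookup returns the legitimate host only to users in context 2 and otherwise declines to guess.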

Steps to reproduce:
As User A (attacker)
1. Login
2. Switch to Settings -> Mail and Social accounts
3. Add a new mail account, use "manual mode"
4. Enter foo@my-mail-host.io as mail address, the attacker's evil IMAP server's IP or hostname as server name, and provide valid credentials for that evil server
5. Save the account

As User B (victim)
1. Login
2. Switch to Settings -> Mail and Social accounts
3. Add a new mail account, use "automatic mode"
4. Enter "bar@my-mail-host.io" as address and provide your password
5. Save

Proof of concept:
A login request is performed at the evil IMAP server, not at the domain related to the entered mail address.

92.224.190.xxx = OX server
37.235.49.xxx = Evil IMAP server

#
T 92.224.190.xxx:40622 -> 37.235.49.xxx:143 [A]
  .F#...7......(..}.....hK..%...N..{dp..."45._r.....4>......v..Zs8...C(..D.I.V..3..YboF...... ######
T 37.235.49.xxx:143 -> 92.224.190.xxx:47458 [AP]
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready...                                         ##
T 92.224.190.xxx:47458 -> 37.235.49.xxx:143 [AP]
  A11 LOGOUT..


Solution:
Users should update to the latest available patch releases 7.2.2-rev9, 7.2.1-rev10, 7.2.0-rev11, 7.0.2-rev14.

