List: bugtraq
Subject: Open-Xchange Security Advisory 2013-07-31
From: Martin Braun <martin.braun () open-xchange ! com>
Date: 2013-07-31 6:04:47
Message-ID: 1875671392.589.1375250688062.open-xchange () appsuite-dev-gw2 ! open-xchange ! com
Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH
Internal reference: 27473 (Bug ID)
Vulnerability type: Phishing / Data injection
Vulnerable version: 7.2.2 and earlier
Vulnerable component: backend
Fixed version: 7.2.2-rev9, 7.2.1-rev10, 7.2.0-rev11, 7.0.2-rev14
Solution status: Fixed by Vendor
Vendor notification: 2013-07-11
Solution date: 2013-07-18
Public disclosure: 2013-07-31
CVE reference: CVE-2013-4790
CVSSv2: 5.1 (AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
To provide easy integration of third-party mail accounts, Open-Xchange uses several auto-discovery features. Besides a generic lookup for the most prominent mail providers, information from existing external mail accounts of other users, including users from other contexts, is used to discover potential mail server settings. To validate the discovered settings, a login attempt is performed at the discovered mail server. This attack is only possible if the victim is using the OX AppSuite UI; using the OX6 UI does not trigger this vulnerability.
Risk:
An attacker can inject incorrect host information for popular mail services by providing misleading server settings. These settings are then used to automatically validate other users' external mail accounts, which includes transferring those users' external mail account login names and passwords. An attacker can potentially intercept user credentials for external mail accounts by logging all authentication data sent to the rogue IMAP server.
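The discovery and validation flow described above, as an added illustration that is not Open-Xchange code: a toy auto-discovery with the cross-context lookup the advisory describes, beside a hardened selection that only trusts a stored host when it was saved in the requester's own context and sits under the mail address's domain. The account records, hostnames, context ids and helper names are constructed; the hardened policy is an assumption about one reasonable defence, not the vendor's actual fix.

```python
# Added example: a minimal model of mail-account auto-discovery showing the
# cross-context lookup described in the advisory next to a hardened variant.
# Not Open-Xchange code; records, hostnames and helper names are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StoredAccount:
    """An external mail account another user has already configured."""
    context_id: int   # constructed: the tenant ("context") owning the record
    address: str
    imap_host: str


# Constructed sample data. Context 1's user saved an account for
# my-mail-host.io whose IMAP host points at an attacker-controlled server.
STORED_ACCOUNTS = [
    StoredAccount(1, "foo@my-mail-host.io", "imap.rogue.example"),
    StoredAccount(2, "alice@example.net", "imap.example.net"),
    StoredAccount(2, "carol@corp.example", "mail.corp.example"),
]

# Constructed stand-in for the "generic lookup for most prominent providers".
KNOWN_PROVIDERS = {"example.net": "imap.example.net"}


def mail_domain(address: str) -> str:
    """Return the lower-cased domain part of a mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return domain.lower().rstrip(".")


def host_belongs_to_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it.

    The dot-prefixed comparison rejects look-alikes such as
    'my-mail-host.io.rogue.example'.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def discover_vulnerable(address: str, requester_context: int) -> Optional[str]:
    """Pre-fix behaviour as the advisory describes it.

    Any stored account with the same mail domain supplies the IMAP host,
    no matter which user or context saved it, so one poisoned record is
    enough to redirect every later auto-configuration for that domain.
    """
    domain = mail_domain(address)
    if domain in KNOWN_PROVIDERS:
        return KNOWN_PROVIDERS[domain]
    for account in STORED_ACCOUNTS:
        if mail_domain(account.address) == domain:
            return account.imap_host
    return None


def discover_hardened(address: str, requester_context: int) -> Optional[str]:
    """Hardened candidate selection (an assumption, not the vendor's fix).

    Crowd-sourced settings are only trusted when they come from the
    requester's own context and the host lives under the address's domain;
    otherwise the caller falls back to manual configuration (None).
    """
    domain = mail_domain(address)
    if domain in KNOWN_PROVIDERS:
        return KNOWN_PROVIDERS[domain]
    for account in STORED_ACCOUNTS:
        if account.context_id != requester_context:
            continue
        if mail_domain(account.address) != domain:
            continue
        if host_belongs_to_domain(account.imap_host, domain):
            return account.imap_host
    return None


def validate_login(address: str, password: str, requester_context: int,
                   discover, connect):
    """Only send credentials to a host the discover() policy approved.

    `connect(host, user, password)` is a constructed stand-in for the real
    IMAP login attempt; it is never called when discovery yields no host.
    """
    host = discover(address, requester_context)
    if host is None:
        return None          # nothing vetted: do not transmit the password
    return connect(host, address, password)


if __name__ == "__main__":
    sent_to = []

    def fake_connect(host, user, password):
        sent_to.append(host)     # records where credentials would have gone
        return True

    for policy in (discover_vulnerable, discover_hardened):
        validate_login("bar@my-mail-host.io", "s3cret", 2, policy, fake_connect)
    print("credentials would be sent to:", sent_to)
```

With the constructed data, the vulnerable policy hands the victim's password to the rogue host learned from another context, while the hardened policy yields no candidate for my-mail-host.io and so performs no login attempt at all; it still serves the curated provider list and same-context records for corp.example.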
Steps to reproduce:
As User A (attacker)
1. Login
2. Switch to Settings -> Mail and Social accounts
3. Add a new mail account, use "manual mode"
4. Enter foo@my-mail-host.io as mail address, the attacker's evil IMAP server's IP or hostname as server name, and provide valid credentials for that evil server
5. Save the account
As User B (victim)
1. Login
2. Switch to Settings -> Mail and Social accounts
3. Add a new mail account, use "automatic mode"
4. Enter "bar@my-mail-host.io" as address and provide your password
5. Save
Proof of concept:
A login request is performed at the evil IMAP server, not at the domain related to the entered mail address.
92.224.190.xxx = OX server
37.235.49.xxx = Evil IMAP server
#
T 92.224.190.xxx:40622 -> 37.235.49.xxx:143 [A]
.F#...7......(..}.....hK..%...N..{dp..."45._r.....4>......v..Zs8...C(..D.I.V..3..YboF......
######
T 37.235.49.xxx:143 -> 92.224.190.xxx:47458 [AP]
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready... ##
T 92.224.190.xxx:47458 -> 37.235.49.xxx:143 [AP]
A11 LOGOUT..
Solution:
Users should update to the latest available patch releases 7.2.2-rev9, 7.2.1-rev10, 7.2.0-rev11, 7.0.2-rev14.