Re[2]: [VulnWatch] IMail Account hijack through the Web Interface

From: Obscure (obscure@eyeonsecurity.net)
Date: 03/12/02


Date: Tue, 12 Mar 2002 08:10:40 +0100
From: Obscure <obscure@eyeonsecurity.net>
To: Zillion <zillion@safemode.org>

Hello Zillion,

Monday, March 11, 2002, 5:11:43 AM, you wrote:

Z> Hi all,

Z> I think this was already covered for Imail 7.04 in the following
Z> advisory:

Z> http://cert.uni-stuttgart.de/archive/bugtraq/2001/10/msg00082.html

Z> The workaround given by Ipswitch was:

Z> Turn off the "ignore source address in security check" option. This isn't
Z> a bulletproof workaround (think of proxies, NAT etc.) but can help to
Z> prevent abuse of this issue.

Z> zillion

Seems like this is old news ;)

As an additional workaround:
In my testing, when using HTTPS (secure mode) to access your IMail
account, the referer is not being sent, meaning that clients using
HTTPS should not be vulnerable. This was tested with Internet Explorer 6
and Mozilla 0.9.8 against the tool at:
http://eyeonsecurity.net/tools/referer.html

Z> On Sun, 10 Mar 2002, Obscure wrote:

>> Advisory Title: IMail Account hijack through the Web Interface
>> Release Date: 10/03/2002
>> Application: IMail Server
>>
>> Platform: Windows NT4
>> Windows 2000
>> Windows XP
>>
>> Version: 7.05 or earlier
>>
>> Severity: Malicious users can easily access other people's accounts.
>>
>> Author: Obscure^ [ obscure@eyeonsecurity.net ]
>>
>> Vendor Status: Informed on 21 Feb 2002, a fix was already issued to
>> customers.
>>
>>
>> Web:
>>
>> http://www.eyeonsecurity.net
>> http://www.ipswitch.com
>>
>>
>>
>> Background.
>>
>> (extracted from
>> http://www.ipswitch.com/Products/IMail_Server/index.html)
>>
>> The 20-Minute E-Mail Solution.
>> IMail Server is an easy-to-use, web-enabled, secure and
>> spam-resistant
>> mail server for Windows NT/2000/XP. It is the choice
>> of businesses, schools, and service providers.
>>
>> A Great Price-Performer.
>> Unlike Microsoft® Exchange and Lotus® Notes, which are costly to
>> deploy and cumbersome to administer, IMail Server is easy
>> to install and easy to manage. It has a simple pricing structure and
>> is scalable to thousands of users per server.
>>
>>
>> Problem.
>>
>> When a user logs in to his account through the Web interface, the
>> session authentication is maintained via a unique URL.
>> By sending an html e-mail which includes an image at another server,
>> an attacker can easily get the unique URL via the
>> referer field in the HTTP header.
>>
>>
>> Exploit Example.
>>
>> http://eyeonsecurity.net/tools/referer.html
>> A CGI script sends an e-mail with an attached image, pointing to
>> another CGI script which sends the referer URL to the
>> attacker.
>>
>>
>> Fix
>>
>> Upgrade to IMail 7.06. The fixed version checks for the IP. The
>> authentication now relies on the unique URL and the IP
>> address. Of course users who log in to the IMail Web interface from
>> behind
>> proxies are still vulnerable.
>>
>>
>> ps. this same vulnerability affects Excite WebMail. The Excite guys
>> did not contact me back.
>>
>>
>> Disclaimer.
>>
>> The information within this document may change without notice. Use
>> of
>> this information constitutes acceptance for use in an AS IS
>> condition. There are NO warranties with regard to this information.
>> In no event shall the author be liable for any consequences
>> whatsoever
>> arising out of or in connection with the use or spread of this
>> information. Any use of this information lays within the user's
>> responsibility.
>>
>>
>> Feedback.
>>
>> Please send suggestions, updates, and comments to:
>>
>> Eye on Security
>> mail : obscure@eyeonsecurity.net
>> web : http://www.eyeonsecurity.net
>>
>>

-- 
Best regards,
 Obscure                            mailto:obscure@zero6.net
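The two session checks the thread contrasts (the pre-7.06 "unique URL is the session" scheme and the 7.06 scheme that also binds the URL to the client IP), together with the proxy caveat both Zillion and the advisory raise, modelled as an added example. This is illustration code, not Ipswitch's or the advisory author's; the `WebmailSessions` class, the `mailbox?session=<token>` URL layout, and the IP addresses are all constructed for the example.

```python
"""Added example (not from the advisory or from Ipswitch): models why a
session that lives only in a URL is lost once that URL reaches a third party
in a Referer header, and what binding the session to the client IP does
and does not fix.  All names and the URL layout here are hypothetical."""
import secrets
from urllib.parse import urlsplit, parse_qs


class WebmailSessions:
    """In-memory session store keyed by the random token that, in the scheme
    the advisory describes, is carried inside the mailbox URL."""

    def __init__(self):
        self._sessions = {}  # token -> (user, client_ip)

    def login(self, user, client_ip):
        token = secrets.token_urlsafe(24)
        self._sessions[token] = (user, client_ip)
        return token

    def check_url_only(self, token):
        """Pre-7.06 behaviour per the advisory: the token alone grants access,
        so anyone who sees the URL (for example in a Referer) owns the session."""
        entry = self._sessions.get(token)
        return entry[0] if entry else None

    def check_url_and_ip(self, token, client_ip):
        """7.06-style behaviour per the advisory: the token must be presented
        from the same IP address that created the session."""
        entry = self._sessions.get(token)
        if entry is None or entry[1] != client_ip:
            return None
        return entry[0]


def token_from_referer(referer):
    """What a remote image host learns from the Referer a browser sends while
    rendering webmail, assuming the constructed layout
    http://host/mailbox?session=<token>.  Returns None if no token is present."""
    query = urlsplit(referer).query
    return parse_qs(query).get("session", [None])[0]


def demo():
    store = WebmailSessions()
    # Constructed documentation-range addresses.
    victim_ip, attacker_ip, proxy_ip = "198.51.100.10", "203.0.113.5", "192.0.2.1"

    # Scenario 1: victim logs in directly; the mailbox URL leaks via Referer.
    token = store.login("alice", victim_ip)
    leaked = token_from_referer(f"http://webmail.example/mailbox?session={token}")
    direct = {
        "url_only_from_attacker": store.check_url_only(leaked),
        "url_and_ip_from_attacker": store.check_url_and_ip(leaked, attacker_ip),
        "url_and_ip_from_victim": store.check_url_and_ip(leaked, victim_ip),
    }

    # Scenario 2 (the caveat in the thread): victim and attacker sit behind the
    # same proxy, so the server sees one IP for both and the IP check is moot.
    token2 = store.login("bob", proxy_ip)
    leaked2 = token_from_referer(f"http://webmail.example/mailbox?session={token2}")
    shared_proxy = store.check_url_and_ip(leaked2, proxy_ip)

    return direct, shared_proxy


if __name__ == "__main__":
    direct, shared_proxy = demo()
    print("direct login:", direct)
    print("shared proxy, IP check result:", shared_proxy)
```

The direct scenario returns the user for the URL-only check regardless of who presents it and `None` for the IP-bound check from a different address; the shared-proxy scenario returns the user even for the IP-bound check, which is the residual exposure both the advisory's fix section and Zillion's note describe. The general remedy, outside the scope of a 7.06 upgrade, is to keep the session identifier out of the URL entirely (a cookie is never copied into a Referer header).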


