GroupWise 5.5 User Mailbox Authentication Vulnerability

Core Security Advisory
https://www.coresecurity.com

Date Published: 2001-06-26

Advisory ID: CORE-2001-0626

Bugtraq ID: None currently assigned.

CVE Name: None currently assigned.

Title: GroupWise 5.5 User Mailbox Authentication Vulnerability

Class: Architectural Problem

Remotely Exploitable: Yes

Locally Exploitable: Yes

*Vulnerability Description*

GroupWise is Novell's truly integrated messaging, Groupware and document management product. It combines document management, e-mail, group calendaring and scheduling, task management, imaging and workflow in one tightly integrated package.

When the Post Office mailboxes are accessed through a network share it is possible, by patching Groupwise's client software, to get access to any user's mailbox (including the administrator) without knowing its password.

This is possible because the password authentication is done by the client software. It could also be possible to write a specific program to access the mailboxes without the need of Groupwise's client application.

The attacker only needs to have read access to the Post Office database files located in the network share. This is the case for every user that already has a valid email account on the attacked Post Office.

*Vulnerable Packages/Systems*

- GroupWise 5.5

*Solution/Vendor Information/Workaround*

Contact the vendor for a fix.

*Credits*

This vulnerability was discovered by Alberto Solino and Juliano Rizzo of Core Security, Buenos Aires, Argentina.

*Technical Description - Exploit/Concept Code*

GroupWise is Novell's truly integrated messaging, Groupware and document management product. It combines document management, e-mail, group calendaring and scheduling, task management, imaging and workflow in one tightly integrated package.

As described in "GroupWise Post Office Concepts" (http://developer.novell.com/research/appnotes/1996/january/02/03.htm) a Groupwise Post Office is where data like address book, messages, and files is stored. It contains mailboxes for a set of network users. The users on the post office send and receive messages through their mailboxes.

Physically, a post office is a directory structure on a network file server.
The directory structure contains sub-directories and databases that store messages and the information used to distribute the messages.

This is a typical Post Office directory structure:

O:\POST
WPHOST.DB Address Book

<OFUSER>
<OFMSG> Message store Directories
<OFFILES>

<OFVIEWS>
<OFNOTIFY>
<OFWIN40> Client Application Directories
<OFDOS40>
<OFMAC40>

<WPCSIN>
<WPCSOUT> Message Queue Directories
<OFWORK>

The OFUSER directory holds user databases (also called mailboxes). Each user has a database in this directory named USERxxx.DB. The xxx corresponds to three unique letters assigned to identify files in the post office that belong to a specific user. These letters are assigned by the Admin Program when the user is first created. The OFMSG directory is where the messages are actually stored, the USERxxx.DB files only contain pointers to these databases. Finally, the OFFILES directory contains all attachments larger than 2k.

When a user reads a message, the client application looks in the user's USERxxx.db for a pointer associated with the message that tells it where the message is actually stored inside the OFMSG Directory.

GroupWise's client software can access the Post Office through a TCP/IP connection or by directly accessing the Post Office directory via a network share.

In the latter case, the client accesses the different mailbox files as normal files following the sequence described above. Every user needs to supply its username and password in order to access its mailbox.

The problem is that the user authentication is performed by the client software, this means that by patching the client application to recognize any password as valid, it is possible for an attacker to read the mailbox of any user on the system knowing only the username (including the admin's mailbox).

It could be also possible to get access to the messages without even using the client software by accessing the FLAIM mailboxes databases directly using a custom build program.

The problem presented here is an architectural problem. Since the mailboxes are accessible by every user, the data should be stored in a user-dependant way. For example, the USERxxx.DB and MSGxx.db databases could be encrypted using the user's password as the encryption key. In this way, a patch as the one described above wouldn't suffice to perform the attack since the password (they encryption key) isn't known by the attacker.

However, this could present administrative problems, for example, if a user loses its password, its messages won't be accessible anymore since the key used to encrypted is lost too. This could be solved by storing somewhere else the user's passwords encrypted using a key defined by the administrator, but this could also present privacy problems. Other solutions like these are possible along with its tradeoffs.

*DISCLAIMER*

The contents of this advisory are copyright (c) 2001 Core Security and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: groupwise5.5_mailboxes_advisory.txt,v 1.4 2003/04/23 18:55:52 carlos Exp $