Kopano Groupware Core, KC-1107

client: data corruption after exceeding 31485 named properties


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 8.5.6, 8.6.1
    • Component/s: None
    • Security Level: Public
    • Labels:
      None
    • Environment:
      Misc combinations of ZCP and KC (see bodytext)

      Description

      Assigned ID: CVE-2018-8951

      Products affected

      • Kopano Groupware Core before 8.5.6/8.6.1
      • Zarafa Collaboration Platform, all versions. The product has been discontinued since 2016-04.
      • Zarafa Outlook Connector, all versions. The product has been discontinued since 2016-04.

      Summary

      An attacker may send a crafted e-mail message to Kopano mail systems to cause objects (mail, contacts, calendar, etc.) edited afterwards to suffer from data corruption.

      Details

      A client can, within specs, ask the server to store (property name, tag_id) mappings via the getIDsFromNames RPC call. The id is autogenerated by the server and increases monotonically. Due to limitations in the client, the client cannot handle id values above 31485. The implementation lacks suitable detection of this condition, and because there is no error handling, the client may accidentally access (and overwrite) properties other than the ones it intended.

      For example, a client intending to access the user-defined property #35583 of, say, an e-mail would instead accidentally access the message body. ((35583 + 0x8500 + 1) & 0xffff = 0x1000; 0x8501 is SERVER_NAMED_OFFSET, and MAPI only offers 16 bits for the tag.) This way, the client retrieves the wrong field and would write to the wrong field, thereby possibly truncating other data.
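
The wrap-around from the paragraph above, next to a range-checked version, as an added example that is not Kopano's code: the function names are hypothetical, and the two constants are the ones quoted in this issue.

```cpp
#include <cstdint>
#include <cstdio>

// Both constants come from the issue text.
constexpr uint32_t SERVER_NAMED_OFFSET = 0x8501;
constexpr uint32_t MAX_NAMED_ID = 31485; // highest id the client can handle

// Behaviour the issue describes: the sum is cut down to the 16 bits
// MAPI offers for a tag, and nothing notices the overflow.
uint16_t tag_unchecked(uint32_t server_id)
{
    return static_cast<uint16_t>((server_id + SERVER_NAMED_OFFSET) & 0xffff);
}

// Hardened form (hypothetical helper): reject ids that do not fit
// instead of letting them wrap onto another property's tag.
bool tag_checked(uint32_t server_id, uint16_t *tag)
{
    if (server_id > MAX_NAMED_ID)
        return false;
    *tag = static_cast<uint16_t>(server_id + SERVER_NAMED_OFFSET);
    return true;
}

// How many more mappings the shared table can take before the next id
// exceeds the limit; usable as a monitoring threshold.
uint32_t ids_remaining(uint32_t highest_assigned_id)
{
    return highest_assigned_id >= MAX_NAMED_ID
               ? 0 : MAX_NAMED_ID - highest_assigned_id;
}

int main()
{
    const uint32_t samples[] = {1, 31485, 31486, 35583}; // constructed ids
    for (uint32_t id : samples) {
        uint16_t tag = 0;
        bool ok = tag_checked(id, &tag);
        std::printf("id %5u  unchecked 0x%04x  checked: %s\n",
                    static_cast<unsigned>(id),
                    static_cast<unsigned>(tag_unchecked(id)),
                    ok ? "accepted" : "rejected");
    }
    return 0;
}
```
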

      (Object permissions are not stored as properties, so no user will accidentally broaden or narrow permissions to his objects when modifying them.)

      The table that holds these (name <=> id) mappings is shared by all users served by one kopano-server process instance. Therefore, one user can also affect all the others.

      Temporary mitigation:

      • 8.4.0–8.4.6: No mitigation. Install the update.
      • 8.5.0–8.5.5: In dagent.cfg, set indexed_headers to a long randomly generated word (30 chars or so) to limit indexing to that unguessable string you chose. This sort of closes the SMTP/LMTP vector until such a time that an update can be installed.

      Trigger/Attack vector

      • Authenticated users may connect to kopano-server over its RPC transport (port 236, 237, and/or Unix pipe) and issue the getIDsFromNames RPC and fill up the server's mapping table.
      • Unauthenticated users may connect to the kopano-dagent service via LMTP (port 2003) and deliver one or more crafted e-mails to any known recipient. dagent will process every X-Header into a named property and then use the aforementioned getIDsFromNames RPC.
      • Unauthenticated users may connect to an SMTP server in front of kopano-dagent.

      Reporter: Jan Engelhardt (Inactive)