[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Totemomail v4.x & v5.x - Filter Bypass & Persistent Vulnerability
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Totemomail v4.x & v5.x - Filter Bypass & Persistent Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 25 Apr 2016 12:05:11 +0200
Document Title:
===============
Totemomail v4.x & v5.x - Filter Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1769
Release Date:
=============
2016-04-08
Vulnerability Laboratory ID (VL-ID):
====================================
1769
Common Vulnerability Scoring System:
====================================
3.8
Product & Service Introduction:
===============================
totemomail® Encryption Gateway protects your email communication with customers
and business partners whereas
totemomail Internal Encryption secures your internal email traffic. In
combination, they become the innovative and potent
hybrid encryption solution totemomail Hybrid Encryption. totemomail Encryption
Gateway features a high level of security and
it is easy for end users and administrators alike to use. The everyday user
will have no need to think about encryption because
the software is based on a high level of automation.
(Copy of the Vendor Homepage:
http://www.totemo.com/products/mail/overview/introduction/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side
vulnerability and a
filter bypass issue in the Totemo Email Gateway v4.0 b1343 and v5.0 b512
appliance series .
Vulnerability Disclosure Timeline:
==================================
2016-02-26: Researcher Notification & Coordination (Benjamin Kunz Mejri -
Evolution Security GmbH)
2016-02-27: Vendor Notification (Totemomail Security Team)
2016-02-30: Vendor Response/Feedback (TotemomailSecurity Team)
2016-03-11: Vendor Fix/Patch (Totemomail Developer Team)
2016-04-13: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability and a filter bypass issue has
been discovered in the official Totemo Email Gateway v4.0 b1343 and v5.0 b512
appliance series .
The filter bypass issue allows an attacker to evade the controls of a
protection or restriction mechanism to compromise further web module context or
service functions.
The persistent validation vulnerability allows an attacker to inject own
malicious script codes on the application-side of the vulnerable
web-application module context.
The persistent input validation web vulnerability has been discovered in the
`Betreff(Subject)` and `Message (Body)` input fields of the `Neue Nachricht
(New Message)` module.
The attacker can inject malicious script codes to the message body or subject
input field. After the inject of the non exectuable context is get send to
another manager by
secure mail interaction. After the arrival of the message the receiver clicks
to `save as html`. In the moment the encoded mail context is generated as html,
the malicious
injected tag is getting visible as executable context. The injection point of
the vulnerability are the `subject` and `message body` input fields and the
execution point
occurs in the moment the target manager generated the message as html to review
or print.
The regular filter mechanism and validation does not allow to inject for
example iframes and basic script code tags like script, iframe, div to the web
input forms. As far as
an payload is included to for example the subject as listing the validation
parses and encodes the string and show only the first two characters. We
figured out that is possible
to bypass by usage of `img` script code tags with onload alert. The encoding of
the input needs to be restricted permanently against special char inputs, the
validation procedure
needs to parse and encode the input without extending the entry with a null
location entry.
Vulnerable Module(s):
[+] Posteingang - Nachricht
Vulnerable Input(s):
[+] Subject (Betreff)
[+] Message Body (Nachricht)
Affected Module(s):
[+] Message Index (main.jsp)
[+] Save as Html (Als HTML Speichern)
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privileged
web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
1.1
Manual steps to reproduce the vulnerability ...
1. Open a new message
2. Include any random demo text first
3. Include now at least in the message body the script code payloads
4. Scroll above back to the subject and include the same payload to the subject
input field
5. Save the entry as draft
6. You can now already see that the service attached to the script code another
alt value
Note: "><img src="x" alt="null"> "><"<img src="x" alt="null">%20%20> ...
7. Now you send the message directly to a manager for reply
8. The manager received the message and treid to review it as html
9. The execution occurs in the subject and the message body of the html file
Note: The html file is wrong encoded and does not parse the values again next
to generating the html source file
10. Successful reproduce of the filter bypass issue and persistent
vulnerability!
PoC: Filter Bypass
"><"<img src="x">%20%20>"<iframe src=a>%20<iframe>
"><img src=x onerror=prompt(23);>
>"<<img src="c" onerror=alert(1)>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure filter and parse of img onload
alert script code tags that actually can bypass the filter validation of the
Betreff input fields.
After that encode and parse the print function that stream the context in html
format were the execution point occurs finally.
Restrict the input finally and disallow usage of special chars in the subject
input field to prevent persistent script code injection attacks.
In the second step a secure validation of the pgp key filename
(email|preeshare) and input is required to secure encode the vulnerable email
and name value of the certificate file.
Re-encode the editor text values to no get obviously broken format context back
like demonstrated in the picture.
Fix (temp): Do not open email via save as function in html to prevent
exploitation of the issue.
Totemo AG: The vulnerability is already patched in the newst version of the
appliance web-application to protect customers.
The update can be processed automatically or by manual interaction with the
web-service.
Security Risk:
==============
The security risk of the filter bypass issue and application-side input
validation encoding vulnerability in the totemomail Hybrid Encryption appliance
web-application.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(research@xxxxxxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied,
including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of
damage,
including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised
of the possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing
limitation may not apply. We do not approve or encourage anybody to break any
licenses, policies, deface websites, hack into databases or trade with stolen
data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx -
admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically
redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by Vulnerability-Lab Research
Team or
its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific
authors or managers. To record, list, modify, use or edit our material contact
(admin@ or research@xxxxxxxxxxxxxxxxxxxxx) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory
- [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/