Vulners
Lucene search
Totemomail v4.x & v5.x - Bypass & Persistent Vulnerability
🗓️ 07 Apr 2016 00:00:00Reported by Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected]) [www.vulnerability-lab.com]Type 
vulnerlab🔗 www.vulnerability-lab.com👁 37 Views
Document Title:
===============
Totemomail v4.x & v5.x - Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1769
Release Date:
=============
2016-04-07
Vulnerability Laboratory ID (VL-ID):
====================================
1769
Common Vulnerability Scoring System:
====================================
3.8
Product & Service Introduction:
===============================
totemomail® Encryption Gateway protects your email communication with customers and business partners whereas
totemomail Internal Encryption secures your internal email traffic. In combination, they become the innovative and potent
hybrid encryption solution totemomail Hybrid Encryption. totemomail Encryption Gateway features a high level of security and
it is easy for end users and administrators alike to use. The everyday user will have no need to think about encryption because
the software is based on a high level of automation.
(Copy of the Vendor Homepage: http://www.totemo.com/products/mail/overview/introduction/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side vulnerability and a
filter bypass issue in the Totemo Email Gateway appliance series .
Vulnerability Disclosure Timeline:
==================================
2016-02-26: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-02-27: Vendor Notification (Totemomail Security Team)
2016-02-30: Vendor Response/Feedback (TotemomailSecurity Team)
2016-03-11: Vendor Fix/Patch (Totemomail Developer Team)
2016-04-13: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Low
Technical Details & Description:
================================
A persistent input validation web vulnerability and a filter bypass issue has been discovered in the
official Totemo Email Gateway appliance series. The filter bypass issue allows
an attacker to evade the controls of a protection or restriction mechanism to compromise further web
module context or service functions. The persistent validation vulnerability allows an attacker to
inject own malicious script codes on the application-side of the vulnerable web-application module context.
The persistent input validation web vulnerability has been discovered in the `Betreff(Subject)` and
`Message (Body)` input fields of the `Neue Nachricht (New Message)` module. The attacker can inject
malicious script codes to the message body or subject input field. After the inject of the non
exectuable context is get send to another manager by secure mail interaction. After the arrival of
the message the receiver clicks to `save as html`. In the moment the encoded mail context is
generated as html, the malicious injected tag is getting visible as executable context. The injection
point of the vulnerability are the `subject` and `message body` input fields and the execution point
occurs in the moment the target manager generated the message as html to review or print.
The regular filter mechanism and validation does not allow to inject for example iframes and basic
script code tags like script, iframe, div to the web input forms. As far as an payload is included
to for example the subject as listing the validation parses and encodes the string and show only
the first two characters. We figured out that is possible to bypass by usage of `img` script code
tags with onload alert. The encoding of the input needs to be restricted permanently against
special char inputs, the validation procedure needs to parse and encode the input without
extending the entry with a null location entry.
Vulnerable Module(s):
[+] Posteingang - Nachricht
Vulnerable Input(s):
[+] Subject (Betreff)
[+] Message Body (Nachricht)
Affected Module(s):
[+] Message Index (main.jsp)
[+] Save as Html (Als HTML Speichern)
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
1.1
Manual steps to reproduce the vulnerability ...
1. Open a new message
2. Include any random demo text first
3. Include now at least in the message body the script code payloads
4. Scroll above back to the subject and include the same payload to the subject input field
5. Save the entry as draft
6. You can now already see that the service attached to the script code another alt value
Note: "><img src="x" alt="null"> "><"<img src="x" alt="null">%20%20> ...
7. Now you send the message directly to a manager for reply
8. The manager received the message and treid to review it as html
9. The execution occurs in the subject and the message body of the html file
Note: The html file is wrong encoded and does not parse the values again next to generating the html source file
10. Successful reproduce of the filter bypass issue and persistent vulnerability!
PoC: Filter Bypass
"><"<img src="x">%20%20>"<iframe src=a>%20<iframe>
"><img src=x onerror=prompt(23);>
>"<<img src="c" onerror=alert(1)>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure filter and parse of img onload alert script code tags that
actually can bypass the filter validation of the Betreff input fields. After that encode and parse the
print function that stream the context in html format were the execution point occurs finally. Restrict
the input finally and disallow usage of special chars in the subject input field to prevent persistent
script code injection attacks. In the second step a secure validation of the pgp key filename
(email|preeshare) and input is required to secure encode the vulnerable email and name value
of the certificate file. Re-encode the editor text values to no get obviously broken format context
back like demonstrated in the picture.
Fix (temp): Do not open email via save as function in html to prevent exploitation of the issue.
Totemo AG: The vulnerability is already patched in the 4.0 b1343 and 5.0 b512 versions of the appliance web-application to
protect customers. The update can be processed automatically or by manual interaction with the web-service.
Security Risk:
==============
The security risk of the filter bypass issue and application-side input validation encoding vulnerability in the totemomail Hybrid Encryption appliance web-application.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected]) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or [email protected]) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Apr 2016 00:00Current
7.4High risk
Vulners AI Score7.4