Totemomail 4.x / 5.x - Persistent Cross-Site Scripting

ID 1337DAY-ID-25019
Type zdt
Reporter bot
Modified 2016-04-25T00:00:00


Exploit for jsp platform in category web applications

                                            Document Title:
Totemomail v4.x & v5.x - Filter Bypass & Persistent Vulnerability
Product & Service Introduction:
totemomail® Encryption Gateway protects your email communication with customers and business partners whereas 
totemomail Internal Encryption secures your internal email traffic. In combination, they become the innovative and potent 
hybrid encryption solution totemomail Hybrid Encryption. totemomail Encryption Gateway features a high level of security and 
it is easy for end users and administrators alike to use. The everyday user will have no need to think about encryption because 
the software is based on a high level of automation.
(Copy of the Vendor Homepage: )
Vulnerability Disclosure Timeline:
2016-02-26: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-02-27: Vendor Notification (Totemomail Security Team)
2016-02-30: Vendor Response/Feedback (TotemomailSecurity Team)
2016-03-11: Vendor Fix/Patch (Totemomail Developer Team)
2016-04-13: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
A persistent input validation web vulnerability and a filter bypass issue has been discovered in the official Totemo Email Gateway v4.0 b1343 and v5.0 b512 appliance series .
The filter bypass issue allows an attacker to evade the controls of a protection or restriction mechanism to compromise further web module context or service functions.
The persistent validation vulnerability allows an attacker to inject own malicious script codes on the application-side of the vulnerable web-application module context.
The persistent input validation web vulnerability has been discovered in the `Betreff(Subject)` and `Message (Body)` input fields of the `Neue Nachricht (New Message)` module.
The attacker can inject malicious script codes to the message body or subject input field. After the inject of the non exectuable context is get send to another manager by 
secure mail interaction. After the arrival of the message the receiver clicks to `save as html`. In the moment the encoded mail context is generated as html, the malicious 
injected tag is getting visible as executable context. The injection point of the vulnerability are the `subject` and `message body` input fields and the execution point 
occurs in the moment the target manager generated the message as html to review or print.
The regular filter mechanism and validation does not allow to inject for example iframes and basic script code tags like script, iframe, div to the web input forms. As far as 
an payload is included to for example the subject as listing the validation parses and encodes the string and show only the first two characters. We figured out that is possible 
to bypass by usage of `img` script code tags with onload alert. The encoding of the input needs to be restricted permanently against special char inputs, the validation procedure 
needs to parse and encode the input without extending the entry with a null location entry.
Vulnerable Module(s):
                [+] Posteingang - Nachricht
Vulnerable Input(s):
                [+] Subject (Betreff)
                [+] Message Body (Nachricht)
Affected Module(s):
                [+] Message Index (main.jsp)
                [+] Save as Html (Als HTML Speichern)
Proof of Concept (PoC):
The vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open a new message
2. Include any random demo text first
3. Include now at least in the message body the script code payloads
4. Scroll above back to the subject and include the same payload to the subject input field
5. Save the entry as draft
6. You can now already see that the service attached to the script code another alt value
Note: "><img src="x" alt="null"> "><"<img src="x" alt="null">%20%20> ...
7. Now you send the message directly to a manager for reply
8. The manager received the message and treid to review it as html
9. The execution occurs in the subject and the message body of the html file
Note: The html file is wrong encoded and does not parse the values again next to generating the html source file
10. Successful reproduce of the filter bypass issue and persistent vulnerability!
PoC: Filter Bypass
"><"<img src="x">%20%20>"<iframe src=a>%20<iframe>
"><img src=x onerror=prompt(23);>
>"<<img src="c" onerror=alert(1)>
Solution - Fix & Patch:
The vulnerability can be patched by a secure filter and parse of img onload alert script code tags that actually can bypass the filter validation of the Betreff input fields.
After that encode and parse the print function that stream the context in html format were the execution point occurs finally.
Restrict the input finally and disallow usage of special chars in the subject input field to prevent persistent script code injection attacks.
In the second step a secure validation of the pgp key filename (email|preeshare) and input is required to secure encode the vulnerable email and name value of the certificate file.
Re-encode the editor text values to no get obviously broken format context back like demonstrated in the picture.
Fix (temp): Do not open email via save as function in html to prevent exploitation of the issue.
Totemo AG: The vulnerability is already patched in the newst version of the appliance web-application to protect customers.
The update can be processed automatically or by manual interaction with the web-service.

# [2018-02-18]  #