Auditoría y CTFHacking Web

Bypassing Spam Titan, my first CVE

Pablo Lorenzo, 28 años, graduado en Ingeniería Informática por la Universidad de Salamanca (USAL) y Máster en Seguridad Informática en la UNIR, fue colaborador en ocasiones del blog “Follow the White Rabbit” y ponente en el “Open Internet of Things Summer School 2017” con la charla sobre hacking en IoT “How bad guys hack IoT devices” https://www.linkedin.com/in/pablolorenzopinar

Hi all,

Today I will share with you a vulnerability I discovered one year ago on Spam Titan (https://www.titanhq.com/spamtitan) from Titan HQ (https://www.titanhq.com/).
This tool is used to filter spam, phishing and malware emails albeit the vulnerability found allowed us to bypass this Spam Titan filter feature. Therefore, an attacker would be able to make a “web tampering attack” by modifying some of the parameters on the URL requests because the tool would not be validating properly.

The vulnerability is classified by OWASP organization as: “A1 2017: Injection”:
“Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent
to an interpreter as part of a command or query. The attacker’s hostile data can deceive the
interpreter into executing unintended commands or accessing data without proper authorization.”
“An application is vulnerable to attack when:
• User-supplied data is not validated, filtered, or sanitized by the application.”
Source: OWASP Top 10 2017 https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

First of all, I will summarise how Spam Titan tool works.
If we have installed Spam Titan in one of our servers, when we receive a suspicious email, it will be blocked by the tool automatically. Afterwards, we will receive a quarantine report from Spam Titan to our corporate email, as in the picture below:

On this email, we would be able to click on delete, deliver or whitelist the dodgy email. Once we choose and click any option, we will be sending an URL request with the selected option to our Spam Titan server.

The Spam Titan Quarantine Report email is sent regularly but we can adjust the frequency to: daily, weekly, annually or never (also sending the selected option through an URL request)

Out of curiosity, I sent the same phishing email to different users and I realized all of them received a report with the same deliver token ID for the same blocked suspicious email (for the delivered option URL request).

So, I asked myself, what would happen if:

  1. I send to myself a phishing email.
  2. Then select the option: “never receive a report email from Spam Titan” and copy the URL request, to use it against a list of all the company email users.
  3. Finally, take the URL request sent to me on my Spam Titan report when I am choosing the option “Deliver”, to allow deliver the same phishing email to all users without being blocked or discovered.

Well… I tried it, and it worked. I will show you how it did with a proof of concept:

This is an example of the request we could use to never receive a Spam Titan Quarantine Report (taken from the Spam Titan Quarantine Report email over the option: “never receive reports”):

hxxps://hostOrSubdomainWhereSpamTitanIs.com/quarantine.php?email=plorenzo@myCompany.com&action=setperiod&period=n&ver=3&language=en_US

It is quite straightforward, we just need to know where Spam Titan is hosted in your company, an email of a user to select the period “n” (never) and send the URL request. Now, even if the user receives a suspicious email, they will never be alerted through any email.

The attack can be automatized to stop sending all quarantine reports to all the users we want. Example of script/pseudocode:

 for emailAddress in listOfCompanyUserMailsIWantAttack
                SendRequest(“hxxps://hostOrSubdomainWhereSpamTitanIs.com/quarantine.php?email=” + emailAddress + ”&action=setperiod&period=n&ver=3&language=en_US”)
end for 

The interesting part comes when we send a dodgy email to ourselves. Then, we would receive the quarantine report and over the deliver option, we would be able to see the following URL request format:

hxxps:// hostOrSubdomainWhereSpamTitanIs.com/quarantine.php?secret_id=uTAkq0WwSjPF&mail_id=Jc0F8fWtMly8&action=release&msgtype=S&ver=3&language=en_US&email=internalAttackerEmail@myCompany.com

The parameters “secret_id” and “email_id” aren’t unique tokens for the blocked email on the quarantine report. The problem here is that Spam Titan always assigns just one token for each new email, so if another user received exactly the same suspicious email, Spam Titan assigns the same Token ID for it. Which means, if I send to me a phishing email, click deliver option on the report, copy that URL request and token IDs, I would be able to send the same deliver request to deliver the same email to all of them (previously we should have blocked all the users quarantine report notifications and then, send them the phishing email).

Example of script/pseudocode:

 for emailAddress in listOfCompanyUserMailsIWantAttack
                SendRequest(“hxxps:// hostOrSubdomainWhereSpamTitanIs.com/quarantine.php?secret_id=uTAkq0WwSjPF&mail_id=Jc0F8fWtMly8&action=release&msgtype=S&ver=3&language=en_US&email=emailAddress”)
end for 

This attack works perfectly, even if the attacker sends the requests externally. The only thing an attacker needs is the domain name where Spam Titan is hosted and some user emails of the company.

When I discovered the vulnerability, I emailed Titan HQ team to inform them about the issue and they fixed it by implementing new tokenized IDs for the links on the version 7.01 on the reports and improving the way they validate the inputs. An internal release note was also sent to all users as you can see in the following image:

Additionally, I asked for a CVE number and it should be published soon on CVE-2018-15136

Thanks for reading, I hope you enjoyed it!

Pablo Lorenzo.

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

Los datos introducidos se guardarán en nuestra base de datos como parte del comentario publicado, como se indica en la política de privacidad.