Swascan Offensive Security Team has identified 1 vulnerability on Alt-n Security Gateway product, the vulnerability was found during a Penetration Test.
Alt-n develops and manufactures products and solutions for companies to help them be more safe against phishing attacks, malwares and much more, Security Gateway accomplishes that goal giving protection from external/internal email threats.
Swascan worked together with Alt-n in order to fix this vulnerability.
Swascan’s Cyber Security Team found an important vulnerability on: Security Gateway
|Unauthenticated registration key disclosure through XML Injection||7.5 High||AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N|
In the following section the technical details about this vulnerability, including evidence and a proof-of-concept.
Unauthenticated registration key disclosure through XML Injection
In Alt-n Security Gateway product, a malicious actor could inject an arbitrary XML argument by adding a new parameter in the HTTP request URL. In this way the XML parser fails the validation process disclosing information such as kind of protection used (2FA), admin email and product registration keys.
Proof of Concept
The following POC will inject an arbitrary XML argument in the processed XML retrieving the SecurityGateway configuration through the error message:
# curl -kis “http://<target>/SecurityGateway.dll?view=login&redirect=true&9OW4L7RSDY=1”
The result of the previous curl is the following:
An attacker can use the information retrieved to try to authenticate as admin user through brute force attacks, password guessing or using compromised credentials, (since the admin email address used is known). The product registration keys can be compromised as well.
The application should not trust user input and avoid incorporating inside the XML arbitrary URL parameters and/or sanitize the input by encoding the characters “<>” with the corresponding entities “< and >”.
Alt-n released a patch for the MDaemon software, reported in the references below.
- 17 February 2022: Vulnerabilities discovered
- 17 February 2022: CVE-ID requested at MITRE
- 17-February-2022: Vendor contacted by email (1st time, no response)
- 18-February-2022: CVE-ID assigned
- 25-February-2022: Vendor contacted by email (2nd time, no response)
- 25-February-2022: Vendor contacted by email (3rd time, vendor responded)
- 08-March-2022: Vendor responded and released an update
- 04-April-2022: Vulnerability disclosed
- 05-April-2022: Issued CVE-ID CVE-2022-25356