Friday, 20 May 2016

TrendMicro ScanMail for Microsoft Exchange (SMEX) predictable session token - CVE-2015-3326

It's time for another advisory (CVE-2015-3326), a simple one, for a vulnerability which can be found quickly and trivially. For those of you who just want to give a glance at the post, I suggest to directly watch the picture which says it all!

The following vulnerability was discovered on TrendMicro SMEX (ScanMail for Microsoft Exchange) 10 SP2 but it affects other versions as well.

While surfing the SMEX web administrative interface using a web proxy, I have noticed something in the HTTP request - the session token itself and its format, a number.

After observing a significant number of logins, the session token was always represented with an number composed of minimum 4 digits and maximum 5 digits, as shown in the screen shot below:


Although the observed session tokens were never generated sequentially, the lack of a cryptographically strong PRNG for the session identifier, allows a malicious user to trivially guess the token. This attack can be easily automated.

For example, in Burp proxy, the cool feature of Intruder combined with a "number" payload and even a single thread would suffice to guess a valid session token in a reasonable time.

By targeting a "protected" page of SMEX administrative interface as a baseline request for Intruder and by examining the HTTP response, it is possible to infer whether the session token is valid or not.

Once a valid token is obtained, a malicious user can impersonate another user's session on the system and gain unauthorised access to the SMEX administrative interface.


Trend Micro Reference:
CVE reference:
Session Prediction: