NOTE: all the vulnerabilities discussed in this article were responsible disclosed to Google back in January 2010.
While driving an initiative on 'Testing the Enterprise Security Infrastructure', I've been looking sometime at the beginning of the year to assess some SaaS (Software-as-a-Service) enterprise e-mail security solutions. Thus, I came across Google Message Security (powered by Postini). Bundled with Google Apps Premiere, you can easily get your hands on the Google e-mail security services for 50$/year - a real bargain :)
After setting my Google Apps Premiere account, there it was. From the Apps account, two Google Message Security services were available: the Security Console (Admin console) - used to manage the organization resources (domains, users, filtering rules, etc), and the Message Center - used by the end-user to manage the quarantined e-mails and filtering settings. The Message Center comes in two flavors: Message Center II is the latest version (set by default for end-users). However, the older user interface known as Message Center Classic was still accessible to an authenticated user (after tweaking the URL a bit).
The original plan was to refresh an older security test plan I used for assessing various products from Barracuda Networks and Symantec. However, I quickly realized that I got much more that I bargained for. The Google Message Security SaaS was vulnerable to various security vulnerabilities, including multiple persistent and reflected Cross-Site Scripting (XSS), improper error handling, and the most interesting of all, SQL Injection.
And here they are!
A. Multiple XSS vulnerabilities in Security Console
First, a persistent XSS vulnerability identified to affect /exec/admin_orgs resource allows injecting and persistently storing malicious scripting code via setconf-neworg parameter.
The attack persisted malicious scripting code into the name of a new organization. When queried for details, the malicious scripting code successfully executed in the client's browser.
Multiple reflected XSS vulnerabilities were also identified for /exec/admin_list and /exec/admin_auth resources:
- in ORGS and USERS > Organization
- in ORGS and USERS > Users
- in ORGS and USERS > Authorization
POST /exec/admin_auth?action=display_summary HTTP/1.1
... and so on.
B. Multiple reflected XSS in Message Center Classic
Following the submission of incorrectly formatted e-mails for Approved and Blocked senders lists, injected malicious code was included in the
invalid e-mail format error messages displayed to the user.
POST /exec/MsgSet?action=change_MsgSettings HTTP/1.1
The result is shown below:
C. Reflected XSS in Message Center II
Manipulation of source_uri parameter of /msgctr/message_display resource allowed reflected XSS attacks.
D. Improper Error Handling in Security Console
Manipulation of beg_date and end_date parameters of /exec/adminRep resource returned the following error:
There was a problem processing your request. Please click the Back button and try again.
If you continue to see the problem, please report it to your system administrator or support contact with the following information.
Time: Thu Jan 21 23:53:08 2010 GMT Request ID: 20593BC6-06E8-11DF-93DD-E3695903FD3E
Request URL: /exec/adminRep?action=displayReport&targetorgid=100059876&cat=out_virus&report=sender&beg_date=20100120%27&end_date=20100120&org_agg=orgh
Message: function(): not a valid date at /product/build/folder1/folder2/component line 137.
The returned error disclosed details about the component implementing the functionality, it's location on the server, and technology being used. It could be handy for devising further attacks ;)
E. SQL Injection in Message Center II
Manipulation of sort_direction parameter of /junk_quarantine/process and /trash/process resources allowed successful SQL Injection attacks against Message Center II service.
POST https://mc-s200.postini.com/app/msgctr/junk_quarantine/process HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------26418279386900
Content-Disposition: form-data; name="_submitted_junk_quarantine_form"
Content-Disposition: form-data; name="range_menu"
Content-Disposition: form-data; name="sort_menu"
Content-Disposition: form-data; name="sort_direction"
The extra apostrophe used for the initial test caused the following system error:
Apart of providing details on the database engine used, error type and middleware settings, the returned error confirmed the service was vulnerable to SQL Injection. Additional test cases were devised to confirm the issue.
As confirmed by Google Security Team, such vulnerabilities were affecting Google Message Security release 6_24 (January), 6_25 (Feb), 6_26 (March) and 6_27 (April). Additional details are available in MVSA-10-001, MVSA-10-002 and MVSA-10-003 security advisories.