[FD] Trend Micro Hosted Email Security (HES) - Email Interception and Direct Object Reference
- From: Patrick Webster <patrick AT osisecurity.com.au>
- Subject: [FD] Trend Micro Hosted Email Security (HES) - Email Interception and Direct Object Reference
- Date: Thu, 24 Aug 2017 10:10:28 +1000
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: bugtraq AT securityfocus.com, fulldisclosure AT seclists.org
Trend Micro Hosted Email Security (HES)
Affected: Hosted Email Security before January 2012.
Two vulnerabilities were discovered.
The first allowed any HES user to intercept in-transit emails passing
through the Trend Micro Hosted Email Security cloud environment. The
platform allowed anyone to register an account online instantly and test
the solution. Users were required to 'activate' (enter) a domain name,
then update their MX records to enable filtering. However, to enable
migration testing, rules became active immediately without waiting for
the MX records to be updated. This was intended; however, the HES
environment itself was shared across all customers, so anyone could
create a policy for a domain which wasn't theirs, or which belonged to a
pre-existing customer, and start intercepting, modifying / rewriting
content, BCC copying emails, quarantining or deleting messages which
came from @domain.com or went to @jackeddomain.com if they passed
through HES.
1) Register a free Trend Micro HES account.
2) Activate a domain name you want to filter - be creative (gmail.com,
mac.com, apple.com, microsoft.com, ibm.com, plus banks / military /
large ISPs / government domains worked exceptionally well!)
3) While the domain has not yet been validated, create a new policy rule,
e.g. "BCC all messages" to your personal email address.
4) Watch your inbox run out of disk space.
Interception revealed Sender, Recipient, Subject and in some cases
entire email contents with attachments if applicable.
Email Interception Statistics
7,000 emails in 3 hours.
21,000 emails in 13 hours.
78,500 emails in 24 hours.
96,000 emails in 30 hours.
1,221,535 emails in 8 days.
The second vulnerability allowed any authenticated HES customer to
view or change other cloud users' rules via a Direct Object Reference.
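Both flaws come down to missing authorization checks in a shared rule store. The following is an added illustration, not Trend Micro's code: a toy multi-tenant policy store in which a rule only fires once the owning tenant has proven ownership of the domain (assumed here to be the MX-record check the advisory describes), and in which rule lookup is scoped to the requesting tenant so a guessed rule id cannot reach another customer's rule. Tenant and domain names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: int
    owner: str    # tenant that created the rule
    domain: str   # domain whose mail the rule acts on
    action: str   # e.g. "bcc:copy@mallory.example" or "quarantine"


@dataclass
class Tenant:
    name: str
    # domain -> ownership verified?  Activation alone records False; only a
    # completed ownership check (assumed: the MX-record change) sets True.
    domains: dict = field(default_factory=dict)


class PolicyStore:
    """One rule store shared by every customer, as in the HES environment."""

    def __init__(self):
        self.tenants = {}
        self.rules = {}

    def add_tenant(self, name):
        self.tenants[name] = Tenant(name)

    def activate_domain(self, tenant, domain):
        self.tenants[tenant].domains[domain] = False  # claimed, not proven

    def verify_domain(self, tenant, domain):
        self.tenants[tenant].domains[domain] = True   # ownership proven

    def add_rule(self, tenant, domain, action):
        rid = len(self.rules) + 1
        self.rules[rid] = Rule(rid, tenant, domain, action)
        return rid

    def rules_for_message(self, sender, recipient, require_verified=True):
        """Ids of rules that fire for a message transiting the shared filter.
        require_verified=False reproduces the flaw: any tenant's rule on a
        merely activated domain applies to everyone's traffic."""
        doms = {sender.rsplit("@", 1)[1], recipient.rsplit("@", 1)[1]}
        hits = []
        for r in self.rules.values():
            verified = self.tenants[r.owner].domains.get(r.domain, False)
            if r.domain in doms and (verified or not require_verified):
                hits.append(r.rule_id)
        return hits

    def get_rule(self, tenant, rule_id):
        """Rule lookup scoped to the caller: the direct object reference fix."""
        r = self.rules.get(rule_id)
        if r is None or r.owner != tenant:
            raise PermissionError("rule not found for this tenant")
        return r
```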
Discovered by Patrick Webster
09-Dec-2011 - Interception issue discovered during testing. Reported to vendor.
10-Dec-2011 - Developers investigating interception report.
11-Dec-2011 - Direct object policy rule access / edit discovered and
reported to vendor.
12-Dec-2011 - Vulnerabilities confirmed.
16-Dec-2011 - Direct object policy rule issue fixed in production.
23-Dec-2011 - Interception fix pushed to production environment.
27-Dec-2011 - Final intercepted email received (numbering several million).
28-Dec-2011 - Delivery Status Notification success/failures continue
to be received.
11-Jan-2012 - Delivery Status Notification fix pushed to production.
Last DSN received.
24-Aug-2017 - Public disclosure for historical purposes as an example
of early cloud adoption issues facing the industry.
About OSI Security:
OSI Security is an IT security consulting company based in Sydney,
Australia. We provide managed internal and external penetration
testing and ethical hacking services, web application testing,
vulnerability assessments, wireless site audits, vendor product
assessments, secure network design, forensics and risk mitigation.
We can be found at https://www.osisecurity.com.au/