web application security lab

IMAP Vulnerable to XSS

About once a month or less I am actually amazed by something in web application security. Most of the time it’s when two technologies that are otherwise not connected are suddenly used against one another. Well, this time is no different. Wade sent me a link to a paper he wrote and published, but which for some reason never made it out into the world. Well, this is one of those few papers that amazed me, so I’m making it my job to tell people about it. Wade has demonstrated that IMAP is vulnerable to cross site scripting. Wow.

Paraphrasing his paper: an HTML form POST can be pointed at an IMAP server’s port instead of a web server. The IMAP server does not understand the HTTP request line, the headers or the form body, so it echoes the unrecognised lines back inside its error responses. The browser, which was expecting an HTTP reply and got raw text instead, renders that text, and poof, any script tag the attacker placed in a form field is now executing JavaScript. This is pretty cool stuff. It’s rare to see HTTP used to attack another service for the sole purpose of running JavaScript so that you can gain read access to a host, but there you have it.

I think the most dangerous potential for attack is the situation where a single machine runs multiple services (HTTP and IMAP in particular) and the IMAP port is only reachable from inside the firewall, on an RFC 1918 private address. Now the bad guy can use a form POST to make the browser of a user who sits behind that firewall connect to the IMAP port on the victim web server. The web server is immune to XSS in this example, but IMAP is not. IMAP echoes back the JavaScript, which then has the browser request data from a different port on the same host via XMLHttpRequest. One caveat a practitioner should check: most browsers include the port in their same-origin check, so script running in the origin of the IMAP port cannot read the web port; Internet Explorer’s same-origin policy ignored the port, which is the case this final step depends on. Where that holds, the attacker gains read access to the host.

Wow. Pretty cool stuff, and pretty straightforward when you think about it. I don’t know if IMAP 4 is vulnerable, but IMAP 3 is, so additional testing might be required. This is yet another example of how the internet is basically Swiss cheese: by using two completely unrelated protocols you can gain access to an otherwise hardened machine, riding on the administrator’s credentials or on a browser that already sits behind the firewall.
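The exchange described above, as an added example that is not part of the original post or of Wade’s paper: a Node.js script that builds the bytes a browser puts on the wire for a `text/plain` form POST aimed at an IMAP port, feeds them to a toy IMAP-style responder that quotes unrecognised lines in its BAD replies, and shows that the attacker’s script tag comes back verbatim. A second, hardened responder uses fixed error text and hangs up after a few malformed lines. The host name `mail.internal`, port 220, the field name `x`, the command set and the exact error wording are assumptions for illustration; the browser’s port ban and its rendering of a non-HTTP reply as HTML are not modelled.

```javascript
// Added example (not from the original post or Wade's paper): simulates the
// form-POST-to-IMAP exchange and contrasts an echoing responder with one
// that never reflects client input. Host, port, field name, command set and
// error wording are assumptions chosen for illustration.

const CRLF = "\r\n";

// Toy command set; a real server accepts many more, but the point is only
// that anything outside the set is a protocol error.
const IMAP_COMMANDS = new Set([
  "CAPABILITY", "NOOP", "LOGOUT", "LOGIN", "AUTHENTICATE", "STARTTLS",
]);

// Bytes a browser sends for
//   <form method="POST" action="http://mail.internal:220/" enctype="text/plain">
//     <textarea name="x">PAYLOAD</textarea>
// With enctype=text/plain the field is sent as "name=value" with the value
// unencoded, so the IMAP server reads the payload as a line of its own.
function buildFormPost(host, port, fieldName, payload) {
  const body = `${fieldName}=${payload}${CRLF}`;
  const headers = [
    "POST / HTTP/1.1",
    `Host: ${host}:${port}`,
    "Content-Type: text/plain",
    `Content-Length: ${Buffer.byteLength(body)}`,
    "",
  ];
  return headers.join(CRLF) + CRLF + body;
}

// Responder modelled on the behaviour the post relies on: every client line
// is parsed as "tag command", and an unrecognised command gets a tagged BAD
// reply that quotes the offending line. That quote is the reflection point.
function echoingImapResponder(rawClientBytes) {
  const out = ["* OK toy IMAP server ready"];
  for (const line of rawClientBytes.split(CRLF)) {
    if (line === "") continue;
    const [tag, cmd] = line.split(" ");
    if (cmd && IMAP_COMMANDS.has(cmd.toUpperCase())) {
      out.push(`${tag} OK ${cmd.toUpperCase()} completed`);
    } else {
      out.push(`${tag} BAD Unknown command: ${line}`);
    }
  }
  return out.join(CRLF) + CRLF;
}

// Hardened responder: error text is fixed, the tag is only echoed when it is
// plain alphanumerics, and the session is dropped after a few bad lines so a
// POST body cannot keep feeding the server input.
function hardenedImapResponder(rawClientBytes, maxBadLines = 3) {
  const out = ["* OK toy IMAP server ready"];
  let bad = 0;
  for (const line of rawClientBytes.split(CRLF)) {
    if (line === "") continue;
    const parts = line.split(" ");
    const tag = /^[A-Za-z0-9]+$/.test(parts[0]) ? parts[0] : "*";
    const cmd = (parts[1] || "").toUpperCase();
    if (IMAP_COMMANDS.has(cmd)) {
      out.push(`${tag} OK ${cmd} completed`);
    } else {
      out.push(`${tag} BAD Command line syntax error`);
      if (++bad >= maxBadLines) {
        out.push("* BYE Too many protocol errors");
        break;
      }
    }
  }
  return out.join(CRLF) + CRLF;
}

// True when attacker-controlled bytes appear in the server's output; a
// browser that renders this non-HTTP reply as HTML would execute them.
function responseReflects(response, payload) {
  return response.includes(payload);
}

// Stand-alone demonstration: prints the request and both servers' replies.
function demo() {
  const payload = "<script>alert(document.domain)</script>";
  const req = buildFormPost("mail.internal", 220, "x", payload);
  return [
    "--- client sends ---", req,
    "--- echoing server ---", echoingImapResponder(req),
    "--- hardened server ---", hardenedImapResponder(req),
  ].join("\n");
}

console.log(demo());
```

The check worth running against a real server is the one `responseReflects` performs: does any line of the greeting or error output contain bytes the client sent? If it does, and the browser is willing to connect to that port and render the non-HTTP reply, there is an injection point regardless of how well the web server on the same host escapes its own output.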

4 Responses to “IMAP Vulnerable to XSS”

  1. Martin Straka Says:

    Great research Wade!

    This attack vector is not working for IMAP2 because there are some ports hard-coded in the browser which cannot be used, for example 25, 110, 142 (imap2).

    But the idea was the opposite :) not XSS in the browser, but, for example, the possibility to send email using SMTP.

    http://www.remote.org/jochen/sec/hfpa/index.html
    http://www.mozilla.org/projects/netlib/PortBanning.html

    I think that this will result in blocking the IMAP3 (4) port in browsers.

  2. RSnake Says:

    Agreed… now I wonder what that will mean for other technologies. Why would the browser be allowed to connect to anything other than a set of standard ports? I guess the thinking is you should be allowed to connect to anything that you put a webserver on… but since 220 isn’t a standard web port, it would stand to reason that it should be limited only to 21, 80, 443 and non-reserved ports.

  3. RSnake Says:

    Some additional links that are relevant that some people asked me to reference:

    http://archive.cert.uni-stuttgart.de/archive/bugtraq/1998/10/msg00046.html
    http://eyeonsecurity.org/papers/Extended%20HTML%20Form%20Attack.htm

  4. m3hd1 Says:

    Hi to my master.
    Please give us a tutorial on how to use imap4 or bindshell with BeEF.
    Thanks