SSRF vulnerability led to plain text information dump
Iranian researchers earned a $2,500 bug bounty payout after leveraging a flaw in email server software Zimbra to access clear text credentials stored in popular app Cafe Bazaar.
Cafe Bazaar is a large holding company in Iran that owns several companies, including the eponymous Android app marketplace, which is similar to Google Play and has roughly 40 million Persian-speaking users.
Researcher Yashar Shahinzadeh and a friend, known as @binb4sh on Twitter, detailed how they exploited a server-side request forgery (SSRF) vulnerability in Zimbra to expose employees’ plain text information, such as passwords.
After conducting a port scan on Cafe Bazaar’s webmail access, they discovered numerous open ports.
They found they were able to communicate with the Memcached port without authentication, and also discovered that email addresses were saved by Zimbra in the cache.
Zimbra saves the communication protocol scheme, the username, and the backend server IP address.
The security researchers also found they were able to add, modify, or delete the cache data.
They decided to test for SSRF vulnerabilities by changing the backend server IP address – in this case to the attacker’s server – to redirect traffic.
The SSRF was successful, allowing them to perform a hacker-in-the-middle attack to steal plain text information such as credentials and emails.
Shahinzadeh told The Daily Swig: “By leveraging the vulnerability, an attacker can dump all passwords of the users in plain text. So, the impact is disclosing the passwords of all users of the vulnerable company.”
After reporting the vulnerability to Cafe Bazaar’s bug bounty program, Shahinzadeh said the company responded quickly and patched the flaw in less than an hour. They were awarded $2,500.
The researcher added: “Any Zimbra mail server which has the Memcached port open is vulnerable to this attack vector.
“Note that this is not a Zimbra vulnerability, this is a misconfiguration of open port, so the patch is closing/protecting the Memcached port.”
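The fix described above is to close or protect the Memcached port, and an administrator can confirm that from outside the mail server's trusted network. The following check is an added example, not code from the researchers or from Zimbra: it sends the read-only `version` command and reports whether a cache answers without authentication. The port number 11211 (memcached's default, not stated in the article), the function names and the loopback stand-in server are assumptions made for the example.

```python
import socket
import sys
import threading

MEMCACHED_PORT = 11211  # assumption: memcached's default port, not given in the article

def classify_reply(reply: bytes) -> str:
    """Verdict from the first bytes returned after sending 'version'."""
    if reply.startswith(b"VERSION "):
        return "exposed"       # command served with no authentication
    return "unanswered"        # TCP port open, but the command was not served

def probe(host: str, port: int = MEMCACHED_PORT, timeout: float = 3.0) -> str:
    """Return 'closed', 'unanswered' or 'exposed' for a host you administer."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"        # refused, unreachable or dropped by a firewall
    with sock:
        try:
            sock.sendall(b"version\r\n")  # read-only, changes no cache data
            reply = sock.recv(128)
        except OSError:
            reply = b""
    return classify_reply(reply)

def start_fake_memcached() -> int:
    """Constructed stand-in: loopback listener answering like an open memcached."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(128)
            conn.sendall(b"VERSION 1.6.0\r\n")  # constructed reply
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # Offline demonstration against the constructed listener.
    print("stand-in cache:", probe("127.0.0.1", start_fake_memcached()))
    # Hosts named on the command line are probed on the default port.
    for host in sys.argv[1:]:
        print(host, probe(host))
```

A result of `exposed` from a network that should not reach the cache means the port still needs to be bound to a private interface or firewalled.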