December 3, 2020

GHSL-2020-136: Unsafe deserialization vulnerabilties in Lumisoft .NET and Lumisoft MailServer

Jaroslav Lobačevski

Summary

Lumisoft .NET & Lumisoft MailServer is extensively using deserialization of user supplied data into a DataSet object.

Microsoft recently released a security patch CVE-2020-1147 to limit the impact of reading untrusted XML into a DataSet. However its official statement is:

The DataSet.ReadXml and DataTable.ReadXml methods are not safe when used with untrusted input. We strongly recommend that consumers instead consider using one of the alternatives outlined later in this document. ...and... .NET has released security updates to mitigate some issues such as information disclosure or remote code execution in DataSet.ReadXml and DataTable.ReadXml. The .NET security updates may not provide complete protection against these threat categories. Consumers should assess their individual scenarios and consider their potential exposure to these risks.

Product

Lumisoft .NET & Lumisoft MailServer for .NET Core 2.0.

Tested Version

The latest changeset to the date 7a3a66e.

Details

Issue 1: Deserialization of user supplied data in UpdateSettings handler

Lumisoft MailServer is listening on all network interfaces on port 5252 for incoming connections. The default configuration allows only localhost connections.
One of the supported unauthenticated commands is UPDATESETTINGS in a form of:
UPDATESETTINGS <virtualServerID> <dataLength><CRLF><xml> that is handled by the following code:

MemoryStream ms = new MemoryStream();
this.TcpStream.ReadFixedCount(ms,Convert.ToInt32(args[1]));
ms.Position = 0;
DataSet ds = new DataSet();
...
ds.ReadXml(ms);

Impact

This issue may lead to pre-auth Remote Code Execution (RCE). If the endpoint is not accessible from remote addresses and the server is running as a privileged process it may lead to Local Privilege Escalation (LPE).

Issue 2: Unsafe deserialization of data returned by the server

Lumisoft User API libraries deserialize data returned from a server in multiple places like DecompressDataSet, RecyleBin.Bind, System_Settings.Bind, etc.

Impact

This issue may lead to pre-auth Remote Code Execution (RCE) on the client side in a Person in the Middle (PitM) scenario or if the user is tricked into connecting to a malicious server.

Coordinated Disclosure Timeline

  • 2020-07-28: Report sent to maintainer.
  • 2020-07-28: Maintainer acknowledges.
  • 2020-10-26: 90 days from when the report was sent, disclosure deadline expires.
  • 2020-10-29: Notification sent to maintainer. No reply.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-136 in any communication regarding this issue.