OSI Security - Penetration Testing & Web Application Security Consultants
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers

Trend Micro Hosted Email Security (HES) - Email Interception and Direct Object Reference

​Date:
24-Aug-2017

Product:
Trend Micro Hosted Email Security (HES)

Versions affected:
Hosted Email Security before January 2012.

Vulnerability:

Two vulnerabilities were discovered.

The first allowed any HES user to intercept in-transit emails through the Trend Micro Hosted Email Security cloud environment. The platform allowed anyone to register an account online instantly and test the solution. Users were required to 'activate' (enter) a domain name, then update their MX records to enable filtering. However, to enable migration testing, rules became active immediately without waiting for MX records to be updated. This was intended, however the HES environment itself was shared across all customers - therefore anyone could create a policy for a domain which wasn't theirs or a pre-existing customers and start intercepting, modifying / rewriting content, BCC copying emails, quarantining or deleting messages which came [email protected] or [email protected] if passed through HES.

Reproduction steps:

1) Register a free Trend Micro HES account.
2) Activate a domain name you want to filter - be creative (gmail.com, mac.com, apple.com, microsoft.com, ibm.com, plus banks / military / large ISPs / government domains worked exceptionally well!)
3) While the domain has not been valid, create a new policy rule, e.g. "BCC all messages" to your personal email address.
4) Watch your inbox run out of disk space.

Interception revealed Sender, Recipient, Subject and in some cases entire email contents with attachments if applicable.

Email Interception Statistics
###
7,000 emails in 3 hours.
21,000 emails in 13 hours.
78,500 emails in 24 hours.
96,000 emails in 30 hours.
1,221,535 emails in 8 days.
###

The second vulnerability allowed any HES authenticated customer to view or change other cloud user's rules via Direct Object Reference.

E.g.

https://us.emailsec.trendmicro.com/editRule.imss?ruleid=44281 
https://us.emailsec.trendmicro.com/editRule.imss?ruleid=44282
https://us.emailsec.trendmicro.com/editRule.imss?ruleid=44283 etc

Credit:
Discovered by Patrick Webster

Disclosure timeline:
09-Dec-2011 - Interception issue discovered during testing. Reported to vendor.
10-Dec-2011 - Developers investigating interception report.
11-Dec-2011 - Direct object policy rule access / edit discovered and reported to vendor.
12-Dec-2011 - Vulnerabilities confirmed.
16-Dec-2011 - Direct object policy rule issue fixed in production.
23-Dec-2011 - Interception fix pushed to production environment.
27-Dec-2011 - Final intercepted email received (numbering several million).
28-Dec-2011 - Delivery Status Notification success/failures continue to be received.
11-Jan-2012 - Delivery Status Notification fix pushed to production. Last DSN received.
24-Aug-2017 - Public disclosure for historical purposes as an example of early cloud adoption issues facing the industry.
​
About OSI Security: 

OSI Security is an IT security consulting company based in Sydney, Australia. We provide managed internal and external penetration testing and ethical hacking services, web application testing, vulnerability assessments, wireless site audits, vendor product assessments, secure network design, forensics and risk mitigation services. 

We can be found at https://www.osisecurity.com.au/ 
NSW Government ICT Services (SCM0020) approved supplier
OSI Security is an approved supplier to the Victorian Government
OSI Security is an approved supplier to the Queensland Government
OSI Security is an approved supplier to the New Zealand Government
Picture
External Penetration Testing
Managed Security Services
​Source Code Review
Web Application Security Testing
Firewall Configuration and Rulesets
WiFi Access Point and Client Auditing
Forensics and Data Recovery
System Hardening and Configuration
Metasploit Pro
Tenable Nessus
Acunetix Web Scanner
Nexpose Vulnerability
Secunia Software Inspection
Elcomsoft Password Cracking
PortSwigger BurpSuite
HP Fortify
 
Contact
Clients
Advisories
Privacy policy
​
Ethics Statement
Disclosure Policy
OSI SECURITY ACN 144 579 751 © 2010 - 2025.
​ALL RIGHTS RESERVED. SYDNEY, AUSTRALIA.
Join newsletter

Picture

OSI Security is proud to support a number of recognised charities, development projects and industry groups...

The Australian Computer Museum Society Incorporated
Hackers Helping Hackers
sqlmap.org
Metasploit Framework
2600-AU Australia