An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.
Recent assessments:
cdelafuente-r7 at November 03, 2020 6:26pm UTC reported:
SpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malware. Versions 7.01, 7.02, 7.03 and 7.07 are vulnerable to Remote Code Execution as root due to improper input sanitization. Note that only version 7.03 needs authentication and no authentication is required for versions 7.01, 7.02 and 7.07.
The attack consists in abusing the SpamTitan Gateway UI SNMP Management Settings feature to inject dangerous SNMPD command directives into the SNMP server configuration file. This can be done in two steps:
1. Send an HTTP POST request to the snmp-x.php page with a specially crafted community parameter:
...[SNIP]...&community=<community>" <ip>\nextend <random name> <payload>
This will end up being added to snmp.conf like this:
…[SNIP]...
rocommunity "<community>" <ip>
extend <random name> <payload>
…[SNIP]...
2. Send an SNMP Get-Request to the correct OID to trigger the payload.
Since a proof of concept and a Metasploit module are available, it is highly recommended to upgrade to the latest available version.
Assessed Attacker Value: 5
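A defensive sketch of the two checks this issue calls for, added here as an example and not taken from SpamTitan or from the assessment above: allow-list validation of the community value before it is written to the SNMP configuration, and an audit of an existing configuration for directives that run commands. The function names, the character allow-list, and the sample configuration are assumptions.

```python
import re

# Assumption: community strings are limited to a conservative character set.
# Quotes, whitespace and control characters (including newlines) are never allowed.
_COMMUNITY_RE = re.compile(r"[A-Za-z0-9_.\-]{1,32}")
_SOURCE_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?")
# snmpd.conf directives that make the agent run external programs.
_EXEC_DIRECTIVES = {"extend", "exec", "sh", "pass", "pass_persist"}


def render_rocommunity(community: str, source: str) -> str:
    """Build one rocommunity line, refusing input that could add a second line."""
    # fullmatch() must consume the whole string, so a trailing newline fails too.
    if not _COMMUNITY_RE.fullmatch(community):
        raise ValueError("community contains characters outside the allow-list")
    if not _SOURCE_RE.fullmatch(source):
        raise ValueError("source is not an IPv4 address or CIDR")
    return f'rocommunity "{community}" {source}\n'


def audit_snmpd_conf(text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every directive that executes a command."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lower() in _EXEC_DIRECTIVES:
            findings.append((number, line))
    return findings


# Constructed sample: the shape of a configuration after the injection
# described above, with placeholders instead of a real name or command.
SAMPLE_CONF = (
    "syslocation lab\n"
    'rocommunity "public" 192.0.2.10\n'
    "extend PLACEHOLDER_NAME PLACEHOLDER_COMMAND\n"
)

if __name__ == "__main__":
    for number, line in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {number}: review {line!r}")
```

Any finding from the audit on an appliance where no administrator configured such a directive is worth treating as a sign of compromise rather than a misconfiguration.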