AttackerKBAKB:EADBBBBE-8A57-469F-A96F-22A14761BCF0CVE-2020-11698
0.908 High
EPSS
Percentile
98.9%
An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.
Recent assessments:
cdelafuente-r7 at November 03, 2020 6:26pm UTC reported:
SpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malwares. Versions 7.01, 7.02, 7.03 and 7.07 are vulnerable to Remote Code Execution as root due to improper input sanitization. Note that only version 7.03 needs authentication and no authentication is required for versions 7.01, 7.02 and 7.07.
The attack consists in abusing the SpamTitan Gateway UI SNMP Management Settings feature to inject dangerous SNMPD command directives into the SNMP server configuration file. This is can be done in two steps:
-
Send an HTTP POST request to the
snmp-x.phppage with a specially craftedcommunityparameter:
...[SNIP]...&community=<community>" <ip>\nextend <random name> <payload>.
This will end up being added tosnmp.conflike this:
…[SNIP]...
rocommunity "<community>" <ip>
extend <random name> <payload>
…[SNIP]... -
Send an SNMP
Get-Requestto correct OID to trigger the payload.
Since a proof o concept and a Metasploit module are available, it is highly recommended to upgrade to the latest available version.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
References
packetstormsecurity.com/files/159470/SpamTitan-7.07-Remote-Code-Execution.html
packetstormsecurity.com/files/160809/SpamTitan-7.07-Command-Injection.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698
github.com/felmoltor
sensepost.com/blog/2020/clash-of-the-spamtitan
sensepost.com/blog/2020/clash-of-the-spamtitan/
twitter.com/felmoltor
www.spamtitan.com
www.spamtitan.com/
Related
