Lucene search
K

McAfee Email Gateway 7.6 Command Execution / SQL Injection

🗓️ 05 Dec 2013 00:00:00Reported by Brandon PerryType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 38 Views

McAfee Email Gateway 7.6 multiple vulnerabilities including command execution and SQL injection. SQL injection vectors present in reporting capabilities. Remote command execution vulnerabilities allow for privilege escalation. No data exfiltration via command injections

Code
`--047d7bd6c5d012977c04eca87ee7  
Content-Type: text/plain; charset=windows-1252  
Content-Transfer-Encoding: quoted-printable  
  
McAfee Email Gateway 7.6 multiple vulnerabilities  
  
http <http://www.mcafee.com/us/products/email-gateway.aspx>://<http://www.m=  
cafee.com/us/products/email-gateway.aspx>  
www <http://www.mcafee.com/us/products/email-gateway.aspx>.<http://www.mcaf=  
ee.com/us/products/email-gateway.aspx>  
mcafee <http://www.mcafee.com/us/products/email-gateway.aspx>.<http://www.m=  
cafee.com/us/products/email-gateway.aspx>  
com <http://www.mcafee.com/us/products/email-gateway.aspx>/<http://www.mcaf=  
ee.com/us/products/email-gateway.aspx>  
us <http://www.mcafee.com/us/products/email-gateway.aspx>/<http://www.mcafe=  
e.com/us/products/email-gateway.aspx>  
products <http://www.mcafee.com/us/products/email-gateway.aspx>/<http://www=  
.mcafee.com/us/products/email-gateway.aspx>  
email <http://www.mcafee.com/us/products/email-gateway.aspx>-<http://www.mc=  
afee.com/us/products/email-gateway.aspx>  
gateway <http://www.mcafee.com/us/products/email-gateway.aspx>.<http://www.=  
mcafee.com/us/products/email-gateway.aspx>  
aspx <http://www.mcafee.com/us/products/email-gateway.aspx> -- Has free  
trial  
  
  
  
Many instances of SQL injection were found as an unprivileged read-only  
authenticated user that allow the user to completely take over the accounts  
of other users by using a stacked injection technique to run UPDATE  
statements. Other techniques available are error-based, time-based, and  
boolean-based injections.  
  
  
  
Several remote command execution vulnerabilities were found as an  
administrator which are run as the local root user. By utilising the SQL  
injections as an unprivileged user, a user can escalate privileges by  
updating the password hash of an admin, and ultimately run commands on the  
server as root.  
  
  
  
However, no data seems to be able to be exfiltrated via the command  
injections. You may receive a connect back, but no commands can be run over  
the connect-back. My solution to this was to pipe the results of commands  
into a file in /tmp, then use the SQL injections to read the file from the  
FS and return the results.  
  
  
  
---------------------------------------------------  
  
  
  
As a read-only user with reporting capabilities, many SQL injection vectors  
exist when creating new reports based on filters. You can get to this part  
of the web app by clicking the Reports menu item at the top-center. The  
following request contains four exploitable SQL injections each exploitable  
via a few different techniques:  
  
  
  
POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1  
  
Host: 172.31.16.87:10443  
  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101  
Firefox/25.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=3D0.9,*/*;q=3D0.8  
  
Accept-Language: en-US,en;q=3D0.5  
  
Accept-Encoding: gzip, deflate  
  
Content-Type: text/plain; charset=3DUTF-8  
  
Referer:  
https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/htm=  
l/index.html  
  
Content-Length: 626  
  
Cookie:  
SCMUserSettings=3DlastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_=  
page_id%3Ddashboard;  
SHOW_BANNER_NOTICE=3DBannerShown%3D1;  
ws_session=3DSID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86  
  
Connection: keep-alive  
  
Pragma: no-cache  
  
Cache-Control: no-cache  
  
  
  
{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args"=  
:{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","e=  
vent_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week"=  
,"events_col":"edate","events_order":"DESC","events_offset":0,"events_nitem=  
s":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems=  
":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"em=  
ailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_cat=  
egory":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterTyp=  
e":"system","autoconv":1}  
  
  
  
Within the above request, the events_col, event_id, reason, events_order,  
emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL  
injection. You can capture the request with burpsuite and alter each value  
by adding an apostrophe to view the SQL error in the response. You can also  
use SQLmap to try various techniques for exploitability.  
  
  
  
------------------------------------------------------  
  
  
  
Many remote command execution vulnerabilities exist for administrator  
users. Every vector I found was being run as the root user and they all  
exists within a single request. As an administrator, go to the System tab  
in the top menu. You will be presented with general server settings. Remove  
the last letter of the hostname, and replace it back. You will now have a  
green checkmark in the top right of the web application. Click this, then  
click OK on the dialog that pops up in the web app. The next captured  
request will be the request susceptible to command execution. It is a very  
large request with XML contained in JSON. Because this makes sense.  
  
  
  
Within this XML, you may search for any XML element whose =93name=94 attrib=  
ute  
contains TestFile. Any of these elements are susceptible to command  
injection within the =93value=94 attribute. These filenames seems to be pas=  
sed  
to a utility like =91test=92 to ensure whether or not it exists. By using s=  
hell  
metacharacters, you can execute arbitrary commands on the system as root.  
  
  
  
The hostname within this request is also susceptible to command injection  
via shell metacharacters.  
  
  
  
You may also search for any XML element called Command. Each of these  
elements contains a small command to be run on a given event. You may alter  
any of these to be run as root.  
  
  
  
You may also search for an XML element called Script. This is used to  
manage the cron jobs (make sure the corresponding Enabled element is set to  
=931=94 instead of =930=94). You may alter or create any cron jobs that wil=  
l be run  
as root.  
  
--=20  
http://volatile-minds.blogspot.com -- blog  
http://www.volatileminds.net -- website  
  
--047d7bd6c5d012977c04eca87ee7  
Content-Type: text/html; charset=windows-1252  
Content-Transfer-Encoding: quoted-printable  
  
<div dir=3D"ltr"><p class=3D"">McAfee Email Gateway 7.6 multiple vulnerabil=  
ities</p>  
  
<p class=3D""><a href=3D"http://www.mcafee.com/us/products/email-gateway.as=  
px">http</a><a href=3D"http://www.mcafee.com/us/products/email-gateway.aspx=  
">://</a><a href=3D"http://www.mcafee.com/us/products/email-gateway.aspx">w=  
ww</a><a href=3D"http://www.mcafee.com/us/products/email-gateway.aspx">.</a=  
><a href=3D"http://www.mcafee.com/us/products/email-gateway.aspx">mcafee</a=  
><a href=3D"http://www.mcafee.com/us/products/email-gateway.aspx">.</a><a h=  
ref=3D"http://www.mcafee.com/us/products/email-gateway.aspx">com</a><a href=  
=3D"http://www.mcafee.com/us/products/email-gateway.aspx">/</a><a href=3D"h=  
ttp://www.mcafee.com/us/products/email-gateway.aspx">us</a><a href=3D"http:=  
//www.mcafee.com/us/products/email-gateway.aspx">/</a><a href=3D"http://www=  
.mcafee.com/us/products/email-gateway.aspx">products</a><a href=3D"http://w=  
ww.mcafee.com/us/products/email-gateway.aspx">/</a><a href=3D"http://www.mc=  
afee.com/us/products/email-gateway.aspx">email</a><a href=3D"http://www.mca=  
fee.com/us/products/email-gateway.aspx">-</a><a href=3D"http://www.mcafee.c=  
om/us/products/email-gateway.aspx">gateway</a><a href=3D"http://www.mcafee.=  
com/us/products/email-gateway.aspx">.</a><a href=3D"http://www.mcafee.com/u=  
s/products/email-gateway.aspx">aspx</a> -- Has free trial</p>  
  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">Many instances of SQL injection were found as an unprivileged  
read-only authenticated user that allow the user to completely take over th=  
e accounts of  
other users by using a stacked injection technique to run UPDATE statements=  
.  
Other techniques available are error-based, time-based, and boolean-based  
injections.</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">Several remote command execution vulnerabilities were found  
as an administrator which are run as the local root user. By utilising the =  
SQL  
injections as an unprivileged user, a user can escalate privileges by updat=  
ing  
the password hash of an admin, and ultimately run commands on the server as  
root.</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">However, no data seems to be able to be exfiltrated via the  
command injections. You may receive a connect back, but no commands can be =  
run  
over the connect-back. My solution to this was to pipe the results of comma=  
nds  
into a file in /tmp, then use the SQL injections to read the file from the =  
FS  
and return the results.</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">---------------------------------------------------</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">As a read-only user with reporting capabilities, many SQL  
injection vectors exist when creating new reports based on filters. You can=  
get  
to this part of the web app by clicking the Reports menu item at the top-ce=  
nter.  
The following request contains four exploitable SQL injections each exploit=  
able  
via a few different techniques:</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1</p>  
  
<p class=3D"">Host: <a href=3D"http://172.31.16.87:10443">172.31.16.87:1044=  
3</a></p>  
  
<p class=3D"">User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0)  
Gecko/20100101 Firefox/25.0</p>  
  
<p class=3D"">Accept:  
text/html,application/xhtml+xml,application/xml;q=3D0.9,*/*;q=3D0.8</p>  
  
<p class=3D"">Accept-Language: en-US,en;q=3D0.5</p>  
  
<p class=3D"">Accept-Encoding: gzip, deflate</p>  
  
<p class=3D"">Content-Type: text/plain; charset=3DUTF-8</p>  
  
<p class=3D"">Referer: <a href=3D"https://172.31.16.87:10443/admin/969bf547=  
d36f6c7e4302952cf72a5ce3/en_US/html/index.html">https://172.31.16.87:10443/=  
admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html</a></p>  
  
<p class=3D"">Content-Length: 626</p>  
  
<p class=3D"">Cookie:  
SCMUserSettings=3DlastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_=  
page_id%3Ddashboard;  
SHOW_BANNER_NOTICE=3DBannerShown%3D1;  
ws_session=3DSID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86</p>  
  
<p class=3D"">Connection: keep-alive</p>  
  
<p class=3D"">Pragma: no-cache</p>  
  
<p class=3D"">Cache-Control: no-cache</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">{"id":"loadreport","locale":&qu=  
ot;en_US","commands":[{"name":"getDDSData&quo=  
t;,"args":{"what":["events"],"filters&qu=  
ot;:{"filter_period":"week","start_date":&quo=  
t;Now","event_type":"ui_events","event_id&quo=  
t;:"all","reason":"all"},"date_range&quo=  
t;:"week","events_col":"edate","events_o=  
rder":"DESC","events_offset":0,"events_nitems=  
":50,"tz":480,"start_date":1385491876.405,"is=  
_mail":false,"itemized_nitems":10,"itemized_offset&quot=  
;:0,"emailstatus_nitems":50,"emailstatus_offset":0,&quo=  
t;emailstatus_col":"edate","emailstatus_order":&qu=  
ot;DESC","dig_filters":[],"dig_category":"&qu=  
ot;,"dig_summarize":true,"init":true,"type":&=  
quot;ui_events"}}],"filterType":"system","aut=  
oconv":1}</p>  
  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">Within the above request, the events_col, event_id, reason,  
events_order, emailstatus_order, and emailstatus_col JSON keys are vulnerab=  
le  
to SQL injection. You can capture the request with burpsuite and alter each  
value by adding an apostrophe to view the SQL error in the response. You ca=  
n  
also use SQLmap to try various techniques for exploitability.</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">------------------------------------------------------</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">Many remote command execution vulnerabilities exist for  
administrator users. Every vector I found was being run as the root user an=  
d  
they all exists within a single request. As an administrator, go to the Sys=  
tem  
tab in the top menu. You will be presented with general server settings. Re=  
move  
the last letter of the hostname, and replace it back. You will now have a g=  
reen  
checkmark in the top right of the web application. Click this, then click O=  
K on  
the dialog that pops up in the web app. The next captured request will be t=  
he  
request susceptible to command execution. It is a very large request with X=  
ML  
contained in JSON. Because this makes sense.</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">Within this XML, you may search for any XML element whose  
=93name=94 attribute contains TestFile. Any of these elements are susceptib=  
le to  
command injection within the =93value=94 attribute. These filenames seems t=  
o be  
passed to a utility like =91test=92 to ensure whether or not it exists. By =  
using shell  
metacharacters, you can execute arbitrary commands on the system as root.</=  
p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">The hostname within this request is also susceptible to  
command injection via shell metacharacters.</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">You may also search for any XML element called Command. Each  
of these elements contains a small command to be run on a given event. You =  
may  
alter any of these to be run as root.</p>  
  
<p class=3D"">=A0</p>  
  
<p class=3D"">You may also search for an XML element called Script. This is  
used to manage the cron jobs (make sure the corresponding Enabled element i=  
s  
set to =931=94 instead of =930=94). You may alter or create any cron jobs t=  
hat will be  
run as root.</p><div><br></div>-- <br><a href=3D"http://volatile-minds.blog=  
spot.com">http://volatile-minds.blogspot.com</a> -- blog<br><a href=3D"http=  
://www.volatileminds.net">http://www.volatileminds.net</a> -- website  
</div>  
  
--047d7bd6c5d012977c04eca87ee7--  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation