SB2020091732 - Multiple vulnerabilities in SpamTitan

Published: September 17, 2020 Updated: January 4, 2021

Security Bulletin ID: SB2020091732
Severity: Critical
Patch available: Yes
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical: 14%, High: 43%, Medium: 43%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2020-11698)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation of the "community" parameter on the page snmp-x.php. A remote unauthenticated attacker can pass specially crafted data to the application and inject commands into the snmpd.conf file, which allows executing commands on the target server.

Note: on version 7.03, exploitation requires authentication. Other affected versions allow unauthenticated command execution.



2) OS Command Injection (CVE-ID: CVE-2020-11699)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation of the parameter fname on the page certs-x.php. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


3) Path traversal (CVE-ID: CVE-2020-11700)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences passed via the "fname" parameter to certs-x.php. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


4) Code Injection (CVE-ID: CVE-2020-11803)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation of the jaction parameter in mailqueue.php. A remote user can send a specially crafted request and execute arbitrary PHP code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


5) Code Injection (CVE-ID: CVE-2020-11804)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation of the quid parameter in mailqueue.php. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
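As an added defensive example (not part of this bulletin and not SpamTitan code), the following Python scans web-server access-log lines for requests to the endpoints and parameters named in items 1 to 5 and flags values that carry shell or code metacharacters or a directory-traversal segment. The endpoint and parameter names come from the bulletin; the metacharacter sets are my assumption about what a legitimate value never contains, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote
# Constructed sample access-log lines (common log format); not taken from the bulletin.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2020:10:01:02 +0000] "GET /snmp-x.php?community=public HTTP/1.1" 200 512
10.0.0.5 - - [17/Sep/2020:10:01:09 +0000] "GET /snmp-x.php?community=public;id HTTP/1.1" 200 512
10.0.0.6 - - [17/Sep/2020:10:02:30 +0000] "GET /certs-x.php?fname=mail.crt HTTP/1.1" 200 2048
10.0.0.6 - - [17/Sep/2020:10:02:41 +0000] "GET /certs-x.php?fname=..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 300
10.0.0.7 - - [17/Sep/2020:10:03:00 +0000] "GET /mailqueue.php?jaction=view&quid=1A2B3C HTTP/1.1" 200 90
10.0.0.7 - - [17/Sep/2020:10:03:15 +0000] "GET /mailqueue.php?jaction=view&quid=1A2B3C%27%3B HTTP/1.1" 500 0
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed character sets: a legitimate value for these parameters never contains them.
SHELL_META = re.compile(r'[;&|`$\n\r<>]')          # shell / snmpd.conf line injection
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # a ".." path segment
CODE_META = re.compile(r'[\'"();$`]')               # PHP code-context metacharacters
# endpoint -> [(parameter, pattern, label)]; names taken from items 1 to 5 of the bulletin
RULES = {
    "/snmp-x.php": [("community", SHELL_META, "CVE-2020-11698 command injection")],
    "/certs-x.php": [("fname", SHELL_META, "CVE-2020-11699 command injection"),
                     ("fname", TRAVERSAL, "CVE-2020-11700 path traversal")],
    "/mailqueue.php": [("jaction", CODE_META, "CVE-2020-11803 code injection"),
                       ("quid", CODE_META, "CVE-2020-11804 code injection")],
}

def query_params(query):
    """Split on '&' only (parse_qs may also split on ';') and decode twice to catch double-encoding."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(unquote(value)))
    return params

def check_line(line):
    """Return [(client_ip, label, decoded_value)] findings for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    client_ip = line.split(" ", 1)[0]
    url = urlsplit(match.group("target"))
    params = query_params(url.query)
    return [(client_ip, label, value)
            for param, pattern, label in RULES.get(url.path, [])
            for value in params.get(param, [])
            if pattern.search(value)]

def scan(log_text):
    """Apply check_line to every line of an access log and collect the findings."""
    return [finding for line in log_text.splitlines() for finding in check_line(line)]
```

Only query-string parameters appear in an access log; values sent in a POST body need request logging at the reverse proxy or WAF. A match is a signal to review, not proof of exploitation.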


6) Improper Privilege Management (CVE-ID: CVE-2020-24045)

The vulnerability allows a remote administrator to escalate privileges on the system.

The vulnerability exists due to improper privilege management. A remote administrator can bypass sandbox restrictions by presenting a fake vmware-tools ISO image to the guest virtual machine running SpamTitan Gateway. The fake ISO image is mounted and the script vmware-install.pl is executed with super-user privileges as soon as the hidden option to install VMware Tools (option number 5) is selected in the main menu of the restricted shell.


7) Improper Privilege Management (CVE-ID: CVE-2020-24046)

The vulnerability allows a remote administrator to escalate privileges.

The vulnerability exists due to improper privilege management. The restricted shell can be bypassed after changing the properties of the user admin in the operating system file /etc/passwd. This file cannot be accessed through the restricted shell, but it can be modified by abusing the Backup/Import Backup functionality of the web interface. An authenticated attacker is able to obtain the file /var/tmp/admin.passwd after executing a Backup operation. This file can be manually modified to change the GUID of the user to 0 (root) and to change the restricted shell to a normal shell, /bin/sh. After the modification is done, the file can be recompressed into a .tar.bz file and imported again via the Import Backup functionality. The properties of the admin user are overwritten and a root shell is granted to the user upon the next successful login.


Remediation

Install the update from the vendor's website.