Multiple vulnerabilities in SpamTitan



Published: 2020-09-17 | Updated: 2021-01-04
Risk: Critical
Patch available: Yes
Number of vulnerabilities: 7
CVE-ID: CVE-2020-11698, CVE-2020-11699, CVE-2020-11700, CVE-2020-11803, CVE-2020-11804, CVE-2020-24045, CVE-2020-24046
CWE-ID: CWE-78, CWE-22, CWE-94, CWE-269
Exploitation vector: Network
Public exploit: Public exploit code is available for vulnerabilities #1, #2, #3, #4 and #5.
Vulnerable software: SpamTitan (Server applications / IDS/IPS systems, Firewalls and proxy servers)
Vendor: TitanHQ

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) OS Command Injection

EUVDB-ID: #VU49240

Risk: Critical

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11698

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation of the "community" parameter on the snmp-x.php page. A remote unauthenticated attacker can pass specially crafted data to the application and inject commands into the snmpd.conf file, which allows executing commands on the target server.

Note: exploiting this vulnerability on version 7.03 requires authentication; the other affected versions allow unauthenticated command execution.
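As an added defender-side illustration (not SpamTitan's code, and not taken from the referenced write-ups), the snippet below shows the two checks this issue calls for: a strict allowlist on the community string before it is written into snmpd.conf, and an audit that scans an existing snmpd.conf for directives that run external programs, which is what an injected value would have to add. It assumes a Net-SNMP style snmpd.conf; the directive names are Net-SNMP's own, the sample config is constructed.

```python
import re

# Added illustration, not SpamTitan's code. Assumption: the appliance writes a
# Net-SNMP style snmpd.conf, which is parsed line by line and split on
# whitespace, so a newline or space inside a user-supplied community string
# can start a brand-new directive.
COMMUNITY_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Net-SNMP directives that make snmpd run external programs; none of them
# belong in an appliance config that only exposes a read-only community.
EXEC_DIRECTIVES = {"exec", "execfix", "extend", "extendfix",
                   "pass", "pass_persist", "sh"}

def is_safe_community(value: str) -> bool:
    """Strict allowlist: only the characters a community string needs."""
    return COMMUNITY_RE.fullmatch(value) is not None

def render_rocommunity(community: str, source: str = "default") -> str:
    """Build the read-only community line; refuses anything outside the allowlist."""
    if not is_safe_community(community):
        raise ValueError("community string contains disallowed characters")
    return f"rocommunity {community} {source}\n"

def find_exec_directives(conf_text: str) -> list:
    """Audit snmpd.conf text; return (line_no, line) for program-running directives."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive in EXEC_DIRECTIVES:
            hits.append((no, line))
    return hits

# Constructed sample: a legitimate line followed by a directive that was
# appended through an unvalidated community value.
SAMPLE_CONF = (
    "sysLocation appliance room\n"
    "rocommunity public default\n"
    "extend injected /usr/bin/id\n"
)

if __name__ == "__main__":
    print(render_rocommunity("monitoring-ro"), end="")
    for no, line in find_exec_directives(SAMPLE_CONF):
        print(f"snmpd.conf line {no} runs a program: {line}")
```

Running the audit against the appliance's live snmpd.conf is a quick way to check whether an unpatched instance was already abused.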


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SpamTitan: 7.01 - 7.07

External links

http://packetstormsecurity.com/files/159470/SpamTitan-7.07-Remote-Code-Execution.html
http://github.com/felmoltor
http://sensepost.com/blog/2020/clash-of-the-spamtitan/
http://twitter.com/felmoltor
http://www.spamtitan.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) OS Command Injection

EUVDB-ID: #VU49241

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-11699

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation of the parameter fname on the page certs-x.php. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SpamTitan: 7.07

External links

http://packetstormsecurity.com/files/159218/SpamTitan-7.07-Remote-Code-Execution.html
http://github.com/felmoltor
http://sensepost.com/blog/2020/clash-of-the-spamtitan/
http://twitter.com/felmoltor
http://www.spamtitan.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof-of-concept code for this vulnerability is available.

3) Path traversal

EUVDB-ID: #VU49242

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11700

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences passed via the "fname" parameter to certs-x.php. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SpamTitan: 7.07

External links

http://packetstormsecurity.com/files/159218/SpamTitan-7.07-Remote-Code-Execution.html
http://github.com/felmoltor
http://sensepost.com/blog/2020/clash-of-the-spamtitan/
http://twitter.com/felmoltor
http://www.spamtitan.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Code Injection

EUVDB-ID: #VU49243

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11803

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation of the jaction parameter in mailqueue.php. A remote user can send a specially crafted request and execute arbitrary PHP code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SpamTitan: 7.07

External links

http://packetstormsecurity.com/files/159218/SpamTitan-7.07-Remote-Code-Execution.html
http://github.com/felmoltor
http://sensepost.com/blog/2020/clash-of-the-spamtitan/
http://twitter.com/felmoltor
http://www.spamtitan.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Code Injection

EUVDB-ID: #VU49244

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11804

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation of the quid parameter in mailqueue.php. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SpamTitan: 7.07

External links

http://packetstormsecurity.com/files/159218/SpamTitan-7.07-Remote-Code-Execution.html
http://github.com/felmoltor
http://sensepost.com/blog/2020/clash-of-the-spamtitan/
http://twitter.com/felmoltor
http://www.spamtitan.com


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Privilege Management

EUVDB-ID: #VU49245

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-24045

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

Description

The vulnerability allows a remote administrator to escalate privileges on the system.

The vulnerability exists due to improper privilege management. A remote administrator can bypass sandbox restrictions by presenting a fake vmware-tools ISO image to the guest virtual machine running SpamTitan Gateway. The fake ISO image is mounted and its vmware-install.pl script is executed with super-user privileges as soon as the hidden option to install VMware Tools (option number 5) is selected in the main menu of the restricted shell.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SpamTitan: 7.07

External links

http://github.com/felmoltor
http://sensepost.com/blog/2020/clash-of-the-spamtitan/
http://twitter.com/felmoltor
http://www.titanhq.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper Privilege Management

EUVDB-ID: #VU49246

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-24046

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

Description

The vulnerability allows a remote administrator to escalate privileges.

The vulnerability exists due to improper privilege management. The restricted shell of the admin user can be bypassed by changing that user's properties in the operating system file /etc/passwd. This file cannot be accessed through the restricted shell, but it can be modified by abusing the Backup/Import Backup functionality of the web interface. An authenticated attacker is able to obtain the file /var/tmp/admin.passwd after executing a Backup operation. This file can be manually modified to change the UID of the user to 0 (root) and to replace the restricted shell with a normal shell, /bin/sh. After the modification is done, the file can be recompressed to a .tar.bz file and imported again via the Import Backup functionality. The properties of the admin user are overwritten and a root shell is granted to the user upon the next successful login.
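As an added defender-side example (not SpamTitan's code), the check below parses a passwd(5)-format file such as the admin.passwd inside a backup archive, or the live /etc/passwd, and reports exactly the two edits this bulletin describes: the admin user acquiring UID 0 and its restricted shell being swapped for a normal one. The expected UID and the restricted shell path are placeholders to be taken from a known-good appliance; the sample files are constructed.

```python
# Added illustration, not SpamTitan's code. Checks a passwd(5)-format file
# (the admin.passwd exported by a backup, or the live /etc/passwd) for the
# two changes the bulletin describes: the admin user gaining UID 0 and
# losing its restricted shell. Assumption: the expected UID and restricted
# shell path below are placeholders; take them from a known-good appliance.
EXPECTED = {
    "admin": (1001, "/usr/local/bin/restricted-shell"),  # placeholder values
}

def parse_passwd(text: str) -> dict:
    """Map user name -> (uid, gid, shell); rejects lines that are not 7 fields."""
    users = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users[name] = (int(uid), int(gid), shell)
    return users

def audit_passwd(text: str) -> list:
    """Return findings as strings; an empty list means the file matches the baseline."""
    findings = []
    for name, (uid, _gid, shell) in parse_passwd(text).items():
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 granted to a non-root account")
        if name in EXPECTED:
            exp_uid, exp_shell = EXPECTED[name]
            if uid != exp_uid:
                findings.append(f"{name}: UID changed from {exp_uid} to {uid}")
            if shell != exp_shell:
                findings.append(f"{name}: shell changed from {exp_shell} to {shell}")
    return findings

# Constructed samples: a baseline file and one edited the way the bulletin describes.
CLEAN = (
    "root:*:0:0:root:/root:/bin/csh\n"
    "admin:*:1001:1001:Admin:/home/admin:/usr/local/bin/restricted-shell\n"
)
TAMPERED = (
    "root:*:0:0:root:/root:/bin/csh\n"
    "admin:*:0:0:Admin:/home/admin:/bin/sh\n"
)

if __name__ == "__main__":
    for finding in audit_passwd(TAMPERED):
        print(finding)
```

Running this against a backup before it is imported, or against the live file during incident response, surfaces the tampering without needing shell access on the appliance.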

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SpamTitan: 7.07

External links

http://github.com/felmoltor
http://sensepost.com/blog/2020/clash-of-the-spamtitan/
http://twitter.com/felmoltor
http://www.titanhq.com


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


