SpamTitan Gateway Remote Code Execution #14330
Conversation
I was not able to get this to work on my setup. It looks like the final trigger might not be successful?

Target:

Verbose output

HTTPTrace output
Interesting, the HTTP part went well ( I just retested it against 7.01 and it worked for me. I noticed that, sometimes, it has to be run a few times to get a session. Also, can you try with another target (FreeBSD Dropper) please? Another debug test would be to boot the VM into Single-User mode and check if the payload had been correctly added to

Other target settings:
It is definitely the SNMP `connect_snmp(true, 'RPORT' => 161)` I have absolutely no idea why it behaves like that for you and I was not able to reproduce it. This will need to be debugged and step into

```ruby
def connect_udp(global = true, opts={})
  # The peer port comes from the per-call 'RPORT' option first, then the
  # module's datastore rport; 'RHOST' / 'CHOST' / 'CPORT' follow the same pattern.
  nsock = Rex::Socket::Udp.create(
    'PeerHost'  => opts['RHOST'] || rhost,
    'PeerPort'  => (opts['RPORT'] || rport).to_i,
    'LocalHost' => opts['CHOST'] || chost || "0.0.0.0",
    'LocalPort' => (opts['CPORT'] || cport || 0).to_i,
    'Context'   =>
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      })
  # Remainder of the method (registering the socket and returning nsock) was not quoted in the thread.
  nsock
end
```
For what it is worth, it works fine for me if I change the hash in the connect_snmp call from
OK.... so I again have no idea what's going on...

According to the code at When I change and add It works?

I'm struggling because
Waiiit.

So when we return that udp socket object, it has a hash to itself (likely with the correct port) but then back in

We create a new snmp instance with nothing from the hash that got attached to the UDP socket... and notice that I wonder if this is a bug in the udp/snmp creation? This looks like you could create a UDP socket, then create an SNMP socket based on it, and have the UDP port and SNMP ports not match? I'm still unclear on why our responses are different, though.
You're absolutely right. It looks like you can provide different host/port information to both

I believe, in your case, the socket is somehow not connected when the code reaches sendto and a connection using the provided port ( All of this doesn't sound right to me. We should be able to use the same custom port in both Thanks for looking into it.
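To make the port-mismatch concern discussed in the two comments above concrete, here is an added illustration. It is not Rex or Metasploit code: `UdpSocket` and `SnmpManager` are stand-ins for `Rex::Socket::Udp` and the SNMP manager, `ModuleStub` mimics only the `opts['RPORT'] || rport` precedence quoted from `connect_udp`, and the "fixed" variant is an assumed fix (derive the manager's endpoint from the socket it wraps), not necessarily what the PR landed.

```ruby
# Stand-in for Rex::Socket::Udp: records the peer host/port it was created with.
UdpSocket = Struct.new(:peerhost, :peerport)

# Stand-in for the SNMP manager: records which host/port it will send to,
# plus the UDP socket it is layered on.
SnmpManager = Struct.new(:host, :port, :socket)

class ModuleStub
  attr_reader :rhost, :rport

  def initialize(rhost, rport)
    @rhost = rhost
    @rport = rport
  end

  # Mirrors the precedence quoted in the thread: a per-call 'RPORT' wins over
  # the module's datastore rport.
  def connect_udp(opts = {})
    UdpSocket.new(opts['RHOST'] || rhost, (opts['RPORT'] || rport).to_i)
  end

  # Buggy variant: the manager is built from the module's own rhost/rport and
  # ignores the peer port the UDP socket was actually created with.
  def connect_snmp_buggy(opts = {})
    sock = connect_udp(opts)
    SnmpManager.new(rhost, rport, sock)
  end

  # Assumed fix: take host/port from the socket itself so the two layers
  # can never disagree, whatever options the caller passed.
  def connect_snmp_fixed(opts = {})
    sock = connect_udp(opts)
    SnmpManager.new(sock.peerhost, sock.peerport, sock)
  end
end

# Consistency check a unit test could run: the manager and its socket agree on the port.
def ports_consistent?(mgr)
  mgr.port == mgr.socket.peerport
end

# Constructed scenario: the module's datastore RPORT is the web port (443),
# while SNMP is reached on 161 via a per-call override, as in the thread.
MOD   = ModuleStub.new('192.0.2.10', 443)
BUGGY = MOD.connect_snmp_buggy('RPORT' => 161)
FIXED = MOD.connect_snmp_fixed('RPORT' => 161)

if __FILE__ == $PROGRAM_NAME
  puts "buggy: socket=#{BUGGY.socket.peerport} manager=#{BUGGY.port} consistent=#{ports_consistent?(BUGGY)}"
  puts "fixed: socket=#{FIXED.socket.peerport} manager=#{FIXED.port} consistent=#{ports_consistent?(FIXED)}"
end
```

The takeaway for library code of this shape is that a wrapper which receives an already-configured socket should read its endpoint from that socket rather than from module defaults; otherwise a caller-supplied override is honoured by one layer and silently dropped by the other, which is exactly the kind of environment-dependent behaviour the reporters could not reproduce on each other's setups.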
…r` instance in `connect_snmp`

25a6ad9 to afea5cd
Here are the last changes I've made:

I also rebased everything and force-pushed to fix a conflict with the recent updates in master.

I'm cool with landing this, but as it changes a library and I'm going to be gone for more than a week, I'm going to put it on hold until I'm around to help douse any fires it may cause.
Release Notes

New module

TitanHQ SpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malware. This module exploits improper input sanitization in versions 7.01, 7.02, 7.03 and 7.07 to inject command directives into the SNMP configuration file and get remote code execution as root. Note that only version 7.03 needs authentication; no authentication is required for versions 7.01, 7.02 and 7.07.
First, it sends an HTTP POST request to the `snmp-x.php` page with SNMPD command directives (`extend` + command) passed to the `community` parameter. This payload is then added to `snmpd.conf` by the application. Finally, the module triggers the execution of this command by querying the SNMP server for the correct OID.

This exploit module has been successfully tested against versions 7.01, 7.02, 7.03, and 7.07.
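The root cause described above is that a value meant to be a community string is written into `snmpd.conf` without being restricted to what a community string may contain, so directive keywords and newlines become live configuration. The following added example (not code from the module or from TitanHQ) shows the two defensive checks a practitioner would want: an allow-list validator for community strings, and a scanner that flags any command-executing directive already present in an `snmpd.conf`. The directive list and the sample config are constructed for the example.

```ruby
# Allow-list for a community string: a single token, no whitespace or newlines,
# so no further configuration lines can be smuggled in.
COMMUNITY_RE = /\A[A-Za-z0-9_.\-]{1,64}\z/

# net-snmp directives that cause snmpd to run an external command when queried
# (constructed list for this example; extend/exec/pass families).
EXEC_DIRECTIVES = %w[extend extend-sh extendfix exec sh execfix pass pass_persist].freeze

# Returns true only for a value that is safe to embed in snmpd.conf as a community.
def valid_community?(value)
  return false unless value.is_a?(String)
  COMMUNITY_RE.match?(value)
end

# Scans snmpd.conf text and returns [line_number, line] for every uncommented
# line whose first token is a command-executing directive.
def executable_directives(conf_text)
  conf_text.each_line.with_index(1).select do |line, _n|
    stripped = line.strip
    token = stripped.split(/\s+/).first.to_s.downcase
    !stripped.start_with?('#') && EXEC_DIRECTIVES.include?(token)
  end.map { |line, n| [n, line.strip] }
end

# Constructed sample config: a benign baseline plus one extend directive.
SAMPLE_CONF = <<~CONF
  # constructed sample, not a real appliance file
  rocommunity public
  sysLocation  Server Room
  extend hostname /bin/hostname
  # extend commented /bin/true is ignored
CONF

if __FILE__ == $PROGRAM_NAME
  puts "valid 'public':            #{valid_community?('public')}"
  puts "valid multi-line value:    #{valid_community?("public\nextend t /bin/true")}"
  executable_directives(SAMPLE_CONF).each { |n, l| puts "line #{n}: #{l}" }
end
```

The validator is the fix-side check (reject before writing the file); the scanner is the detection-side check, suitable for a periodic integrity job or an incident-response triage of an appliance, since any `extend` line that an administrator did not add is a strong indicator of this injection having been used.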
Installation

A demo version of the vulnerable application can be downloaded here. Since the latest version of SpamTitan Gateway has this vulnerability fixed and no demo of the vulnerable versions is available for download, the previous major release demo has to be used and updates have to be installed manually.

Installation steps:

1. Download the `.ova` image: https://stdownload.titanhq.com/vmware/SpamTitan-6-amd64.ova
2. Log in with `admin` / `hiadmin`.
3. Go to `System Setup` > `System Updates` and click `Start` in the `Check for Updates Now` section. It will download all available update patches.
4. In the `Available Updates` section, choose the version you want to test and click the `install` button in front of it.

Verification Steps
```
use exploit/freebsd/webapp/spamtitan_unauth_rce
set RHOSTS <ip>
set LHOST <ip>
run
```
Scenarios

- SpamTitan Gateway v7.01 - target 0 (in-memory command)
- SpamTitan Gateway v7.01 - target 1 (FreeBSD Dropper - x64)
- SpamTitan Gateway v7.01 - target 2 (FreeBSD Dropper - x86)