
McAfee Email Gateway 7.6 Command Execution / SQL Injection

Posted Dec 5, 2013
Authored by Brandon Perry

McAfee Email Gateway version 7.6 suffers from remote command execution and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | 7172a81dff8369131711642e7e104a07c0f78271d32b91deced3c5b456750eb2

McAfee Email Gateway 7.6 multiple vulnerabilities

http://www.mcafee.com/us/products/email-gateway.aspx -- Has free trial



Many instances of SQL injection were found as an unprivileged read-only
authenticated user that allow the user to completely take over the accounts
of other users by using a stacked injection technique to run UPDATE
statements. Other techniques available are error-based, time-based, and
boolean-based injections.



Several remote command execution vulnerabilities were found as an
administrator which are run as the local root user. By utilising the SQL
injections as an unprivileged user, a user can escalate privileges by
updating the password hash of an admin, and ultimately run commands on the
server as root.



However, no data seems to be able to be exfiltrated via the command
injections. You may receive a connect back, but no commands can be run over
the connect-back. My solution to this was to pipe the results of commands
into a file in /tmp, then use the SQL injections to read the file from the
FS and return the results.



---------------------------------------------------



As a read-only user with reporting capabilities, many SQL injection vectors
exist when creating new reports based on filters. You can get to this part
of the web app by clicking the Reports menu item at the top-center. The
following request contains four exploitable SQL injections each exploitable
via a few different techniques:



POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
Host: 172.31.16.87:10443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=UTF-8
Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html
Content-Length: 626
Cookie: SCMUserSettings=lastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_page_id%3Ddashboard; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week","events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterType":"system","autoconv":1}



Within the above request, the events_col, event_id, reason, events_order,
emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL
injection. You can capture the request with Burp Suite and alter each value
by adding an apostrophe to view the SQL error in the response. You can also
use sqlmap to try various techniques for exploitability.
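
The defender's side of the six keys listed above, as an added example that is not from the advisory or the product: events_col, emailstatus_col and the two *_order keys are a SQL identifier and a sort direction, which a driver cannot bind as parameters, so the only fix is a strict allow-list, while event_id and reason are values checked against a pattern. The column set, the events table and the trimmed request body are constructed assumptions.

```python
import json
import re
import sqlite3

# Allow-lists for the getDDSData arguments in the doReport request above.
# Key names are from the captured request; the legal column set is an assumption.
ALLOWED_COLS = {"edate", "event_type", "event_id", "reason"}
ALLOWED_ORDER = {"ASC", "DESC"}
ID_RE = re.compile(r"^(all|[0-9]+)$")  # "all" or a bare integer, nothing else

# Constructed sample: the captured body trimmed to the keys this check inspects.
SAMPLE_ARGS = {"filters": {"event_id": "all", "reason": "all"},
               "events_col": "edate", "events_order": "DESC",
               "events_offset": 0, "events_nitems": 50,
               "emailstatus_col": "edate", "emailstatus_order": "DESC"}
SAMPLE_BODY = json.dumps({"id": "loadreport",
                          "commands": [{"name": "getDDSData", "args": SAMPLE_ARGS}]})

def validate_report_request(body: str) -> list:
    """Return the (key, value) pairs that fail the allow-lists; [] means clean."""
    bad = []
    for cmd in json.loads(body).get("commands", []):
        args = cmd.get("args", {})
        for key in ("events_col", "emailstatus_col"):        # SQL identifiers
            if key in args and args[key] not in ALLOWED_COLS:
                bad.append((key, args[key]))
        for key in ("events_order", "emailstatus_order"):    # sort direction
            if key in args and args[key] not in ALLOWED_ORDER:
                bad.append((key, args[key]))
        for key in ("event_id", "reason"):                   # filter values
            val = args.get("filters", {}).get(key)
            if val is not None and not ID_RE.match(str(val)):
                bad.append((key, val))
    return bad

def run_events_query(conn: sqlite3.Connection, args: dict) -> list:
    """Identifiers (column, direction) can't be bound as parameters: allow-list them."""
    col, order = args["events_col"], args["events_order"]
    if col not in ALLOWED_COLS or order not in ALLOWED_ORDER:
        raise ValueError("identifier not in allow-list")
    sql = f"SELECT event_id FROM events ORDER BY {col} {order} LIMIT ? OFFSET ?"
    params = (int(args["events_nitems"]), int(args["events_offset"]))  # bound values
    return [row[0] for row in conn.execute(sql, params)]

def demo_db() -> sqlite3.Connection:
    """In-memory events table with constructed rows so the query can run."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (event_id INTEGER, edate INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", [(1, 100), (2, 300), (3, 200)])
    return conn
```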



------------------------------------------------------



Many remote command execution vulnerabilities exist for administrator
users. Every vector I found was being run as the root user, and they all
exist within a single request. As an administrator, go to the System tab
in the top menu. You will be presented with general server settings. Remove
the last letter of the hostname, and replace it back. You will now have a
green checkmark in the top right of the web application. Click this, then
click OK on the dialog that pops up in the web app. The next captured
request will be the request susceptible to command execution. It is a very
large request with XML contained in JSON. Because this makes sense.



Within this XML, you may search for any XML element whose "name" attribute
contains TestFile. Any of these elements are susceptible to command
injection within the "value" attribute. These filenames seem to be passed
to a utility like 'test' to check whether or not the file exists. By using shell
metacharacters, you can execute arbitrary commands on the system as root.



The hostname within this request is also susceptible to command injection
via shell metacharacters.



You may also search for any XML element called Command. Each of these
elements contains a small command to be run on a given event. You may alter
any of these to be run as root.



You may also search for an XML element called Script. This is used to
manage the cron jobs (make sure the corresponding Enabled element is set to
"1" instead of "0"). You may alter or create any cron jobs that will be run
as root.
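
An added example, not the vendor's code, of the hardened handling for the TestFile values and the hostname described above: the existence check uses os.path.exists instead of a shell-built test command, both values are validated before use, and a settings document can be audited for entries that would fail. The element tags and the sample XML are constructed assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that must never reach a shell-built command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?!\\'\"\s]")
# RFC 1123 host labels: alphanumerics and hyphen, no leading/trailing hyphen, <= 63 chars.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed settings fragment shaped like the advisory's description (elements
# whose "name" attribute contains TestFile); tag names are assumptions.
SAMPLE_XML = """<settings>
  <hostname>mail-gw01</hostname>
  <item name="LogTestFile" value="/var/log/messages"/>
  <item name="QueueTestFile" value="/var/spool/queue; id"/>
</settings>"""

def valid_hostname(name: str) -> bool:
    return bool(HOSTNAME_RE.match(name)) and len(name) <= 253

def valid_test_path(path: str) -> bool:
    """Accept only an absolute, metacharacter-free path with no '..' or '//'."""
    return path.startswith("/") and not SHELL_META.search(path) and os.path.normpath(path) == path

def checked_exists(path: str) -> bool:
    """Replacement for shelling out to `test -e`: validate, then ask the OS
    directly so there is no shell to interpret the value."""
    if not valid_test_path(path):
        raise ValueError("rejected TestFile value: %r" % path)
    return os.path.exists(path)

def audit_settings(xml_text: str) -> list:
    """Return the (name, value) pairs in the settings XML that fail validation."""
    root = ET.fromstring(xml_text)
    bad = []
    host = root.findtext("hostname", "")
    if not valid_hostname(host):
        bad.append(("hostname", host))
    for el in root.iter():
        name = el.get("name", "")
        if "TestFile" in name and not valid_test_path(el.get("value", "")):
            bad.append((name, el.get("value", "")))
    return bad
```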

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

