McAfee Email Gateway 7.6 Command Execution / SQL Injection
Posted Dec 5, 2013
Authored by Brandon Perry

McAfee Email Gateway version 7.6 suffers from remote command execution and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
MD5 | 49b1eb2b0e0edf755e5c587b1095a5c1

McAfee Email Gateway 7.6 multiple vulnerabilities

http://www.mcafee.com/us/products/email-gateway.aspx -- Has free trial



Many instances of SQL injection were found as an unprivileged read-only
authenticated user that allow the user to completely take over the accounts
of other users by using a stacked injection technique to run UPDATE
statements. Other techniques available are error-based, time-based, and
boolean-based injections.



Several remote command execution vulnerabilities were found as an
administrator which are run as the local root user. By utilising the SQL
injections as an unprivileged user, a user can escalate privileges by
updating the password hash of an admin, and ultimately run commands on the
server as root.



However, the command injections do not appear to offer any direct way to
exfiltrate data. You may receive a connect back, but no commands can be run
over the connect-back. My solution to this was to pipe the results of commands
into a file in /tmp, then use the SQL injections to read the file from the
filesystem and return the results.



---------------------------------------------------



As a read-only user with reporting capabilities, many SQL injection vectors
exist when creating new reports based on filters. You can get to this part
of the web app by clicking the Reports menu item at the top-center. The
following request contains four exploitable SQL injections each exploitable
via a few different techniques:



POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
Host: 172.31.16.87:10443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=UTF-8
Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html
Content-Length: 626
Cookie: SCMUserSettings=lastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_page_id%3Ddashboard; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week","events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterType":"system","autoconv":1}



Within the above request, the events_col, event_id, reason, events_order,
emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL
injection. You can capture the request with Burp Suite and alter each value
by adding an apostrophe to view the SQL error in the response. You can also
use sqlmap to try various techniques for exploitability.



------------------------------------------------------



Many remote command execution vulnerabilities exist for administrator
users. Every vector I found runs as the root user, and they all exist
within a single request. As an administrator, go to the System tab in the
top menu. You will be presented with general server settings. Remove the
last letter of the hostname, then put it back. You will now have a green
checkmark in the top right of the web application. Click this, then click
OK on the dialog that pops up in the web app. The next captured request
will be the request susceptible to command execution. It is a very large
request with XML contained in JSON. Because this makes sense.



Within this XML, you may search for any XML element whose "name" attribute
contains TestFile. Any of these elements is susceptible to command injection
within the "value" attribute. These filenames seem to be passed to a utility
like 'test' to check whether or not they exist. By using shell
metacharacters, you can execute arbitrary commands on the system as root.



The hostname within this request is also susceptible to command injection
via shell metacharacters.



You may also search for any XML element called Command. Each of these
elements contains a small command to be run on a given event. You may alter
any of these to be run as root.



You may also search for an XML element called Script. This is used to
manage the cron jobs (make sure the corresponding Enabled element is set to
"1" instead of "0"). You may alter or create any cron jobs that will be run
as root.

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

