McAfee Email Gateway 7.6 multiple vulnerabilities

http://www.mcafee.com/us/products/email-gateway.aspx -- Has free trial

Many instances of SQL injection were found as an unprivileged, read-only authenticated user that allow the user to completely take over the accounts of other users by using a stacked injection technique to run UPDATE statements. Other techniques available are error-based, time-based, and boolean-based injections.

Several remote command execution vulnerabilities were found as an administrator, which are run as the local root user. By utilising the SQL injections as an unprivileged user, a user can escalate privileges by updating the password hash of an admin, and ultimately run commands on the server as root.

However, no data seems to be able to be exfiltrated via the command injections. You may receive a connect back, but no commands can be run over the connect-back. My solution to this was to pipe the results of commands into a file in /tmp, then use the SQL injections to read the file from the FS and return the results.

---------------------------------------------------

As a read-only user with reporting capabilities, many SQL injection vectors exist when creating new reports based on filters. You can get to this part of the web app by clicking the Reports menu item at the top-center. The following request contains four exploitable SQL injections, each exploitable via a few different techniques:

POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
Host: 172.31.16.87:10443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=UTF-8
Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html
Content-Length: 626
Cookie: SCMUserSettings=lastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_page_id%3Ddashboard; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week","events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterType":"system","autoconv":1}

Within the above request, the events_col, event_id, reason, events_order, emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL injection. You can capture the request with Burp Suite and alter each value by adding an apostrophe to view the SQL error in the response. You can also use sqlmap to try various techniques for exploitability.

------------------------------------------------------

Many remote command execution vulnerabilities exist for administrator users. Every vector I found was being run as the root user and they all exist within a single request. As an administrator, go to the System tab in the top menu. You will be presented with general server settings. Remove the last letter of the hostname, and replace it. You will now have a green checkmark in the top right of the web application. Click this, then click OK on the dialog that pops up in the web app. The next captured request will be the request susceptible to command execution. It is a very large request with XML contained in JSON. Because this makes sense.

Within this XML, you may search for any XML element whose "name" attribute contains TestFile. Any of these elements is susceptible to command injection within the "value" attribute. These filenames seem to be passed to a utility like 'test' to check whether or not they exist. By using shell metacharacters, you can execute arbitrary commands on the system as root.

The hostname within this request is also susceptible to command injection via shell metacharacters.

You may also search for any XML element called Command. Each of these elements contains a small command to be run on a given event. You may alter any of these to be run as root.

You may also search for an XML element called Script. This is used to manage the cron jobs (make sure the corresponding Enabled element is set to "1" instead of "0"). You may alter or create any cron jobs that will be run as root.

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
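The doReport request above feeds JSON keys such as events_col, events_order and reason into the ORDER BY and filter parts of a query, which is why a single apostrophe produces a SQL error. The following Python is an added illustration, not part of this advisory and not McAfee's code: it shows the string-interpolation pattern that behaves that way beside a hardened handler that takes identifiers only from an allowlist and passes every data value as a bind parameter. The events table, its columns and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed rows standing in for the gateway's event log; the table and
# column names are assumptions, not the product's real schema.
SAMPLE_EVENTS = [
    (1, "ui_events", "login", "2013-11-26 10:00:00"),
    (2, "ui_events", "logout", "2013-11-26 10:05:00"),
    (3, "ui_events", "login", "2013-11-25 09:00:00"),
]

# Argument set mirroring the captured request (filters, sort column, order,
# paging). Constructed for the example.
SAMPLE_ARGS = {
    "filters": {"event_type": "ui_events", "reason": "all"},
    "events_col": "edate", "events_order": "DESC",
    "events_nitems": 50, "events_offset": 0,
}

# Allowlists for the identifier positions in the query. An ORDER BY column or
# direction cannot be a bind parameter, so the only safe option is to accept
# a fixed set of values and reject everything else before building the SQL.
EVENT_COLUMNS = {"id", "event_type", "reason", "edate"}
SORT_ORDERS = {"ASC", "DESC"}
FILTER_KEYS = ("event_type", "reason")


def connect():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, event_type TEXT, reason TEXT, edate TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def events_query_unsafe(args):
    """The pattern the advisory describes: request values pasted straight into
    the SQL text. An apostrophe in any of them breaks the statement."""
    filters = args["filters"]
    return (
        "SELECT id FROM events WHERE event_type = '%s' AND reason = '%s' "
        "ORDER BY %s %s LIMIT %s OFFSET %s"
        % (filters["event_type"], filters["reason"], args["events_col"],
           args["events_order"], args["events_nitems"], args["events_offset"])
    )


def query_errors(conn, sql):
    """True if SQLite rejects the statement (the error the advisory probes for)."""
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


def validate_report_args(args):
    """Return (column, order, nitems, offset) or raise ValueError naming the bad key."""
    col = args.get("events_col")
    if col not in EVENT_COLUMNS:
        raise ValueError("events_col")
    order = str(args.get("events_order", "")).upper()
    if order not in SORT_ORDERS:
        raise ValueError("events_order")
    try:
        nitems = int(args.get("events_nitems", 50))
        offset = int(args.get("events_offset", 0))
    except (TypeError, ValueError):
        raise ValueError("events_nitems/events_offset") from None
    if not (0 < nitems <= 1000 and offset >= 0):
        raise ValueError("events_nitems/events_offset")
    return col, order, nitems, offset


def run_events_report(conn, args):
    """Hardened form: identifiers come from the allowlists above, every data
    value (filter text, limit, offset) travels as a bind parameter."""
    col, order, nitems, offset = validate_report_args(args)
    filters = args.get("filters", {})
    where, params = [], []
    for key in FILTER_KEYS:            # key comes from our own tuple, never from the request
        value = filters.get(key, "all")
        if value != "all":             # "all" means no filter, as in the captured request
            where.append(f"{key} = ?")
            params.append(str(value))
    sql = "SELECT id FROM events"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += f" ORDER BY {col} {order} LIMIT ? OFFSET ?"
    params += [nitems, offset]
    return [row[0] for row in conn.execute(sql, params)]


def rejected(args):
    """True if the hardened validator refuses the arguments."""
    try:
        validate_report_args(args)
        return False
    except ValueError:
        return True
```

The point of the hardened handler is that the request never contributes SQL text: a value that is not one of the four known columns or two sort directions is refused with the offending key named, which is also the event a defender would want logged, since a report request carrying quotes or keywords in a sort column has no legitimate origin in the UI.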
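For the TestFile values and the hostname in the System request, the following Python is an added example, not the product's code: it places the shell-interpolated existence check the advisory infers beside a version that validates the value against a conservative character set and then asks the OS directly, with no shell in the path, and it audits a settings fragment the way a reviewer of that request would. The <setting> element and the sample fragment are constructed; only the name and value attributes and the TestFile naming come from the advisory.

```python
import os
import re
import subprocess
import xml.etree.ElementTree as ET

# Constructed settings fragment in the shape the advisory describes: elements
# whose "name" attribute contains TestFile carry a path in "value", and one
# element carries the hostname. The <setting> tag and the exact names are
# assumptions; only "name", "value" and TestFile come from the advisory.
SAMPLE_XML = """
<settings>
  <setting name="LogTestFile" value="/var/log/constructed.log"/>
  <setting name="SpoolTestFile" value="/var/spool/in; echo injected"/>
  <setting name="KeyTestFile" value="/etc/../etc/constructed.pem"/>
  <setting name="Hostname" value="mail-gw01.example.com"/>
</settings>
"""

# Conservative character sets: no whitespace, quotes, $, ;, |, &, backticks
# or parentheses, so nothing that passes means anything to a shell.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9._/-]*$")
HOST_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def file_exists_unsafe(value):
    """The pattern the advisory implies: the value is interpolated into a
    shell command line, so shell metacharacters inside it are interpreted."""
    return subprocess.run("test -e " + value, shell=True).returncode == 0


def validate_path(value):
    """Accept only an absolute path made of plain characters and no '..'."""
    if not SAFE_PATH_RE.match(value):
        raise ValueError("path contains characters outside the allowlist")
    if ".." in value.split("/"):
        raise ValueError("path contains a '..' component")
    return os.path.normpath(value)


def file_exists(value):
    """Hardened check: validate, then ask the OS directly. No shell is involved."""
    return os.path.exists(validate_path(value))


def validate_hostname(value):
    """RFC 1123 host name: dot-separated alphanumeric labels, 253 chars max."""
    if not value or len(value) > 253:
        raise ValueError("hostname length")
    for label in value.split("."):
        if not HOST_LABEL_RE.match(label):
            raise ValueError("hostname label %r" % label)
    return value


def is_rejected(check, value):
    """True if a validator refuses the value."""
    try:
        check(value)
        return False
    except ValueError:
        return True


def audit_settings(xml_text):
    """Run every TestFile value and the hostname through the validators and
    report, per element name, 'ok' or 'rejected: <reason>'."""
    results = {}
    for elem in ET.fromstring(xml_text).iter("setting"):
        name, value = elem.get("name", ""), elem.get("value", "")
        if "TestFile" in name:
            check = validate_path
        elif name == "Hostname":
            check = validate_hostname
        else:
            continue
        try:
            check(value)
            results[name] = "ok"
        except ValueError as err:
            results[name] = "rejected: %s" % err
    return results
```

If an external helper really must be run, the argv form, subprocess.run(["test", "-e", path]), passes the value as a single argument and never hands it to a shell, but for a plain existence check os.path.exists is enough and removes the helper entirely. The hostname and path allowlists are what the System request should have applied before anything was executed as root; the audit output is also a cheap detection check to run over a captured request.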
