Recently I saw a post on LinkedIn about SpamTitan Gateway (an anti-spam solution). I decided to download the free trial (version 7.08) and check its functionality. While playing with the tool I stepped into my pentesting shoes and discovered an interesting situation with the backup options.
Back up your gateway?
SpamTitan Gateway offers a backup function that lets you download a backup file with the current device settings. This file turned out to be a bzip archive with interesting files inside. More importantly, those files were not encrypted, so we have a chance to change them and upload our backup file to SpamTitan in order to restore our options. Browsing through the archive I found a crontab file in the /etc/ directory, so I came up with the idea that it might be possible to inject some command into the crontab file.
Here’s the magic – Reverse shell
As stated previously, I changed the /etc/crontab file and added a reverse shell command to it. I used a PHP reverse shell, since the solution is PHP-based. Afterwards I uploaded the new backup file, and after a while I obtained a reverse shell connection with root privileges.
[Image: Backup file structure]
[Image: Crontab reverse shell entry]
[Image: Successful backup upload]
[Image: Reverse shell with root privileges]
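The restore accepted an edited archive, so the control a defender would look for is an integrity check before restore plus a limit on which paths a backup may carry. The sketch below is an added example, not SpamTitan's code or its actual fix; the tar.bz2 layout, `DEVICE_KEY`, the `config/` prefix and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import posixpath
import tarfile

# Assumptions (not taken from the product): backups are tar.bz2, the appliance
# keeps DEVICE_KEY to itself, and only ALLOWED_PREFIXES hold restorable settings.
DEVICE_KEY = b"constructed-demo-key"
ALLOWED_PREFIXES = ("config/",)
TAG_LEN = hashlib.sha256().digest_size


def make_archive(files):
    """Pack {path: bytes} into an in-memory tar.bz2 (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def export_backup(files):
    """Append an HMAC-SHA256 tag so any later edit of the archive is detectable."""
    archive = make_archive(files)
    return archive + hmac.new(DEVICE_KEY, archive, hashlib.sha256).digest()


def check_restore(blob):
    """Return (ok, reason). The tag is verified before the archive is parsed."""
    archive, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(DEVICE_KEY, archive, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "integrity tag mismatch"
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:bz2") as tar:
        for member in tar:
            # Second layer: even a validly tagged backup may only carry
            # regular files under the settings prefixes, never /etc/crontab.
            path = posixpath.normpath(member.name)
            if not member.isfile() or not path.startswith(ALLOWED_PREFIXES):
                return False, "entry not restorable: " + member.name
    return True, "ok"
```

The path allow-list matters independently of the tag: it keeps a restore from writing system files even when the backup is authentic.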
- 01/07/2020: SpamTitan contacted about vulnerability
- 02/07/2020: SpamTitan answers. Report is under investigation
- 16/09/2020: New software 7.09 released
- 29/12/2020: Public disclosure