CVE-2020-35658 – Spamtitan backup Issue

Recently I saw a post on LinkedIn about SpamTitan Gateway (an anti-spam solution). I decided to download the free trial (version 7.08) and check its functionality. While playing with the tool, I stepped into my pentesting shoes and discovered an interesting situation with the backup options.

Backup your gateway?

SpamTitan Gateway offers a backup function that lets you download a backup file with the current device settings. This file turned out to be a bzip archive with interesting files inside. More importantly, those files were not encrypted, so we have a chance to change them and upload our backup file to SpamTitan in order to restore our options. Browsing through the archive, I found a crontab file in the /etc/ directory, so I came up with the idea that it might be possible to inject a command into the crontab file.

Here’s the magic – Reverse shell

As stated previously, I changed the /etc/crontab file and added a reverse shell command to it. I used a PHP reverse shell, since the solution is PHP-based. Afterwards I uploaded the new backup file, and after a while I obtained a reverse shell connection with root privileges.

[Figure: Backup file structure]

[Figure: Crontab reverse shell entry]

[Figure: Successful backup upload]

[Figure: Reverse shell with root privileges]
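
A restore-side check that would reject the modified backup described above, as an added example (not SpamTitan's code and not the vendor's fix in 7.09): the appliance tags each exported archive with an HMAC and, on upload, verifies the tag and refuses members outside the restore scope. The tar.bz2 layout, the `config/` allowlist, the function names and the key kept only on the appliance are all assumptions made for illustration.

```python
import hashlib
import hmac
import io
import tarfile

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
# Hypothetical allowlist: the only paths a restore is allowed to write.
ALLOWED_PREFIXES = ("config/",)

def build_archive(files):
    """Pack {name: bytes} into an in-memory tar.bz2 (stand-in for the exported backup)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def export_backup(files, key):
    """Return archive || tag so edits made off the appliance are detectable."""
    archive = build_archive(files)
    return archive + hmac.new(key, archive, hashlib.sha256).digest()

def verify_restore(blob, key):
    """Return member names if the backup is authentic and in scope, else raise ValueError."""
    if len(blob) <= TAG_LEN:
        raise ValueError("backup too short to carry a tag")
    archive, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, archive, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("backup failed integrity check")
    names = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:bz2") as tar:
        for member in tar:
            name = member.name
            # Even an authentic backup must not carry system files such as etc/crontab.
            if (not member.isfile() or name.startswith("/")
                    or ".." in name.split("/")
                    or not name.startswith(ALLOWED_PREFIXES)):
                raise ValueError(f"member outside restore scope: {name}")
            names.append(name)
    return names
```

The HMAC gives integrity only; the archive contents remain readable unless the export is also encrypted.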

Disclosure Timeline

  • 01/07/2020: SpamTitan contacted about vulnerability
  • 02/07/2020: SpamTitan answers. Report is under investigation
  • 16/09/2020: New software 7.09 released
  • 29/12/2020: Public disclosure
