SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution

Disclosed
Apr 17, 2019

Description

This module exploits a vulnerability in the SmarterTools SmarterMail
software for version numbers The vulnerable versions and builds expose three .NET remoting endpoints
on port 17001, namely /Servers, /Mail and /Spool. For example, a
typical installation of SmarterMail Build 6970 will have the /Servers
endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where
serialized .NET commands can be sent through a TCP socket connection.

The three endpoints perform deserialization of untrusted data
(CVE-2019-7214), allowing an attacker to send arbitrary commands
to be deserialized and executed. This module exploits this vulnerability
to perform .NET deserialization attacks, allowing remote code execution
for any unauthenticated user under the context of the SYSTEM account.
Successful exploitation results in full administrative control of the
target server under the NT AUTHORITY\SYSTEM account.

This vulnerability was patched in Build 6985, where port 17001 is
no longer publicly accessible, although it remains accessible locally
at 127.0.0.1:17001. Hence, this would still allow for a privilege
escalation vector if the server is compromised as a low-privileged user.
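
A defender-side check for the listener state described above, as an added example that is not part of the module or the original page: it parses Windows `netstat -ano -p tcp` output and reports whether port 17001 is bound to a network-reachable address or to loopback only. The sample output and the function names are constructed for illustration.

```python
import ipaddress

REMOTING_PORT = 17001  # .NET remoting port named in the description

# Constructed samples of `netstat -ano -p tcp` output (not from a real host).
SAMPLE_EXPOSED = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:17001          0.0.0.0:0              LISTENING       2140
  TCP    10.0.0.5:17001         10.0.0.9:50122         ESTABLISHED     2140
"""
SAMPLE_LOCAL = """\
  TCP    127.0.0.1:17001        0.0.0.0:0              LISTENING       3312
  TCP    [::1]:17001            [::]:0                 LISTENING       3312
"""


def remoting_listeners(netstat_text, port=REMOTING_PORT):
    """Return [(address, pid, scope)] for LISTENING sockets on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have 5 columns; the header row and blanks do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit() or int(port_text) != port:
            continue
        # Strip IPv6 brackets and any zone id before parsing the address.
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        scope = "loopback-only" if addr.is_loopback else "network-reachable"
        found.append((str(addr), int(fields[4]), scope))
    return found


def assess(netstat_text):
    """Classify the host: 'exposed', 'local-only' or 'no-listener'."""
    listeners = remoting_listeners(netstat_text)
    if not listeners:
        return "no-listener"
    if any(scope == "network-reachable" for _, _, scope in listeners):
        return "exposed"
    return "local-only"


if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("local", SAMPLE_LOCAL)):
        print(name, assess(text), remoting_listeners(text))
```

A `local-only` result matches the behaviour the description gives for Build 6985, which it notes is still reachable by a local low-privileged user.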