CVE-2018-12464
Published 2018-06-29
Priority P186 · critical · 9.8 (CVSS 3.0) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 80.54% (99.6th percentile)
A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| micro_focus | secure_messaging_gateway | >= unspecified < 471 | 471 |
| microfocus | secure_messaging_gateway | < 471 | 471 |
Detection & IOCs (extracted from sources)
command: INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)
- Monitor POST requests to /api/1/enginelist.php with the 'appkey' parameter containing stacked SQL query payloads (e.g., SELECT <random_numeric>, INSERT INTO account, INSERT INTO UserRole) — this is the SQLi entry point for CVE-2018-12464.
- Alert on POST requests to /admin/contents/ou/manage_domains_save_data.json.php where the SaveData body contains a Domain field with shell command substitution syntax such as $(...) or backtick expressions — this is the payload implantation step.
- Alert on POST requests to /admin/contents/ou/manage_domains_dkim_keygen_request.php with a DkimRecordId parameter — this endpoint triggers OS command execution and is the final exploitation step.
- Detect authentication attempts to /security/securitygate.php immediately following anomalous account creation via SQL injection into the 'account' and 'UserRole' tables — this sequence indicates chained SQLi-to-RCE exploitation.
- Look for new rows inserted into the PostgreSQL 'account' table with privilege level 1 and role entries in 'UserRole' not associated with normal provisioning workflows — artifact of the SQLi user-creation step.
- The exploit uses a php/meterpreter/reverse_tcp payload encoded with php/base64 by default; look for base64-encoded PHP payloads in the Domain field of DKIM-related API calls.
- The vulnerability only affects Micro Focus SMG versions prior to 471; earlier GWAVA-branded versions (e.g., GWAVA 6.5) are not affected.
- CVE-2018-12464 (SQLi) must be chained with CVE-2018-12465 (OS command injection) to achieve unauthenticated RCE; neither vulnerability alone provides full unauthenticated code execution.
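An added example (not from the advisory or any of the linked sources): a Python log correlator that applies the request checks listed above per source address and raises a chain alert when the SQLi, login, implant and trigger requests arrive in order. The record layout, the 300-second window, the JSON shape assumed for SaveData, the alert names and the sample records are assumptions constructed for illustration; the appkey test mirrors the pcre of the Suricata rule listed on this page.

```python
import re
from urllib.parse import unquote_plus

WINDOW = 300  # assumed correlation window, in seconds
ORDER = ["sqli", "login", "implant", "trigger"]
# appkey of alphanumerics followed by %22, %27 or %20, as in the Suricata pcre
SQLI = re.compile(r"(?:^|&)appkey=[A-Za-z0-9]+%2[270]")
# Assumes SaveData carries JSON; flags $( or a backtick inside the Domain value
CMD_SUBST = re.compile(r'"Domain"\s*:\s*"[^"]*(?:\$\(|`)')

def stage(path, body):
    """Map one POST to a stage of the chain, or None if it matches no check."""
    if path.endswith("/api/1/enginelist.php") and SQLI.search(body):
        return "sqli"
    if path.endswith("/security/securitygate.php"):
        return "login"
    if path.endswith("/manage_domains_save_data.json.php") and CMD_SUBST.search(unquote_plus(body)):
        return "implant"
    if path.endswith("/manage_domains_dkim_keygen_request.php") and "DkimRecordId=" in body:
        return "trigger"
    return None

def correlate(events):
    """events: (epoch, src, method, path, body) tuples -> list of (src, alert, epoch)."""
    progress, alerts = {}, []  # progress: src -> (index of next stage, time of SQLi hit)
    for ts, src, method, path, body in sorted(events):
        s = stage(path, body) if method == "POST" else None
        if s is None:
            continue
        if s == "sqli":
            progress[src] = (1, ts)
            alerts.append((src, "sqli-attempt", ts))
            continue
        if s == "implant":
            alerts.append((src, "cmd-subst-in-domain", ts))
        nxt, start = progress.get(src, (0, ts))
        if 0 < nxt < len(ORDER) and ts - start <= WINDOW and s == ORDER[nxt]:
            progress[src] = (nxt + 1, start)
            if s == "trigger":
                alerts.append((src, "sqli-to-rce-chain", ts))
    return alerts

SAMPLE = [  # constructed records, not captured traffic
    (1000, "203.0.113.5", "POST", "/api/1/enginelist.php", "appkey=k1%27%3BSELECT+4242"),
    (1002, "203.0.113.5", "POST", "/security/securitygate.php", "username=u&password=p"),
    (1005, "203.0.113.5", "POST", "/admin/contents/ou/manage_domains_save_data.json.php",
     "SaveData=%7B%22Domain%22%3A%22x.test%24%28placeholder%29%22%7D"),
    (1007, "203.0.113.5", "POST", "/admin/contents/ou/manage_domains_dkim_keygen_request.php", "DkimRecordId=7"),
]
```

A login that is not preceded by an SQLi hit from the same source produces no alert, so routine administrator sign-ins stay quiet.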
CVSS provenance
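| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |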
GHSA
GHSA-ch8c-p3pw-fg7f · CVE-2018-12465 [CRITICAL] · CWE-78
ghsa_unreviewed · 2022-05-13 · CVSS 10.0
An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used the GWAVA product name (i.e. GWAVA 6.5).
GHSA
GHSA-qx98-cwxc-vrv6 · CVE-2018-12464 [CRITICAL] · CWE-89
ghsa_unreviewed · 2022-05-13 · CVSS 9.1
A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).
Suricata
ET WEB_SPECIFIC_APPS MicroFocus Secure Messaging Gateway SQL Injection
suricata·2018-08-24
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MicroFocus Secure Messaging Gateway SQL Injection"; flow:established,to_server; http.uri; content:"/enginelist.php"; fast_pattern; http.request_body; content:"appkey="; pcre:"/^[a-z0-9A-Z]+\x252[270]/R"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb; classtype:attempted-user; sid:2026036; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_08_24, cve cve_2018_12464, deployment Datacenter, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_
Exploit-DB
Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)
exploitdb·2018-07-24
CVE-2018-12465 Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)
Micro Focus Secure Messaging Gateway (SMG) "MicroFocus Secure Messaging Gateway Remote Code Execution",
'Description' => %q{
This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway.
An unauthenticated user can execute a terminal command under the context of the web user.
One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,
which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system.
manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible
to access this endpoint without having a valid session.
Combining these vulnerabilit
Metasploit
MicroFocus Secure Messaging Gateway Remote Code Execution
metasploit
This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user. One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. Combining these vulnerabilities gives the opportunity execute operation system commands under th
No writeups or analysis indexed.
- https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/
- https://support.microfocus.com/kb/doc.php?id=7023132
- https://www.exploit-db.com/exploits/45083/