CVE-2018-12465
Published 2018-06-29
Priority: P2 71 · Severity: high · CVSS 3.0: 7.2
Exploit available
EPSS: 78.95% (99.5th percentile)
An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| micro_focus | secure_messaging_gateway | >= unspecified < 471 | 471 |
| microfocus | secure_messaging_gateway | < 471 | 471 |
Detection & IOCs (extracted from sources)
Command: INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)
Detection:
- Monitor HTTP POST requests to /api/1/enginelist.php with the 'appkey' parameter containing stacked SQL query payloads (e.g., semicolons, INSERT/SELECT statements).
- Alert on POST requests to manage_domains_dkim_keygen_request.php, especially from newly created or low-privilege accounts, as this endpoint triggers OS command execution via the DKIM domain field.
- Detect DKIM Domain field values containing shell command substitution syntax such as $(...) or backtick expressions submitted to manage_domains_save_data.json.php.
- Detect POST requests to /security/securitygate.php with the 'passwordmandatory' parameter present, which is a non-standard field used by the exploit's login step.
- Look for SQL INSERT statements targeting the 'account' and 'UserRole' tables in SMG's PostgreSQL database (SecureGateway), which may indicate exploitation of CVE-2018-12464 to create a rogue admin user.
- The default Metasploit payload for this exploit is php/meterpreter/reverse_tcp encoded with php/base64; detect outbound reverse TCP connections from the SMG web process after requests to the DKIM endpoints.
Context:
- The exploit chain requires both CVE-2018-12464 (SQLi) and CVE-2018-12465 (OS command injection) to achieve unauthenticated RCE; CVE-2018-12465 alone requires an authenticated privileged session.
- Only Micro Focus SMG versions prior to 471 are affected; the older GWAVA-branded product (e.g., GWAVA 6.5) is not affected.
- The OS command injection is triggered via the DKIM Domain field; the malicious domain record must first be implanted via manage_domains_save_data.json.php before triggering via manage_domains_dkim_keygen_request.php.
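The detection notes above, turned into a small request classifier as an added example (not code from the page, the Suricata rule or the Metasploit module). The sample requests and the "dkim_domain" parameter name are constructed assumptions: the page does not give the DKIM field's real name, so every form value of the save-data request is inspected rather than one named field.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters named in the detection notes above.
SQLI_PATH = "/api/1/enginelist.php"
SAVE_PATH = "/manage_domains_save_data.json.php"
KEYGEN_PATH = "/manage_domains_dkim_keygen_request.php"
LOGIN_PATH = "/security/securitygate.php"

STACKED_SQL = re.compile(r";|\b(insert|select)\b", re.I)  # stacked-query markers
CMD_SUBST = re.compile(r"\$\(|`")                          # $(...) or backticks


def classify(method, url, body):
    """Return alert labels for one request. body is the raw
    application/x-www-form-urlencoded payload; parse_qs percent-decodes it,
    so the %24%28 the Suricata rule matches becomes "$(" here."""
    alerts = []
    if method != "POST":
        return alerts
    path = urlsplit(url).path
    params = parse_qs(body, keep_blank_values=True)
    if path.endswith(SQLI_PATH) and any(STACKED_SQL.search(v) for v in params.get("appkey", [])):
        alerts.append("CVE-2018-12464 stacked SQL in appkey")
    # The DKIM domain parameter name is not given on the page, so every value is checked.
    if path.endswith(SAVE_PATH) and any(CMD_SUBST.search(v) for vs in params.values() for v in vs):
        alerts.append("CVE-2018-12465 command substitution in domain data")
    if path.endswith(KEYGEN_PATH):
        alerts.append("DKIM keygen request (OS command trigger point)")
    if path.endswith(LOGIN_PATH) and "passwordmandatory" in params:
        alerts.append("non-standard passwordmandatory login parameter")
    return alerts


# Constructed sample requests (not captured traffic); "dkim_domain" is a placeholder name.
SAMPLE_REQUESTS = [
    ("POST", "/api/1/enginelist.php", "appkey=abc123"),
    ("POST", "/api/1/enginelist.php",
     "appkey=x%27%3BINSERT+INTO+account+VALUES+(9999,1,%27x%27,%270%27,%27%27,1,61011)%3B--"),
    ("POST", "/admin/manage_domains_save_data.json.php?cache=1", "dkim_domain=example.com"),
    ("POST", "/admin/manage_domains_save_data.json.php?cache=1", "dkim_domain=%24%28x%29.example.com"),
    ("POST", "/security/securitygate.php", "username=a&password=b&passwordmandatory=1"),
    ("POST", "/admin/manage_domains_dkim_keygen_request.php", "domain=example.com"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; returns (url, alerts) pairs for review or SIEM forwarding."""
    return [(url, classify(m, url, b)) for m, url, b in requests]
```

Feeding real access logs through `classify` requires the request body, so it fits a WAF, reverse-proxy or full-request log rather than a plain access log.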
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
GHSA
GHSA-ch8c-p3pw-fg7f (CVE-2018-12465, CRITICAL, CWE-78)
ghsa_unreviewed · 2022-05-13 · CVSS 10.0
Advisory text is identical to the CVE description above.
GHSA
GHSA-qx98-cwxc-vrv6 (CVE-2018-12464, CRITICAL, CWE-89)
ghsa_unreviewed · 2022-05-13 · CVSS 9.1
A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).
Suricata
ET WEB_SPECIFIC_APPS MicroFocus Secure Messaging Gateway Remote Code Execution
suricata · 2018-08-24
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MicroFocus Secure Messaging Gateway Remote Code Execution"; flow:established,to_server; http.uri; content:"/manage_domains_save_data.json.php?cache="; http.request_body; content:"%24%28"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb; classtype:attempted-user; sid:2026037; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_08_24, cve cve_2018_12465, deployment Datacenter, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_techniqu
Exploit-DB
Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)
exploitdb · 2018-07-24 · CVE-2018-12465
Module description (from the Metasploit module "MicroFocus Secure Messaging Gateway Remote Code Execution"):
This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway.
An unauthenticated user can execute a terminal command under the context of the web user.
One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,
which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system.
manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible
to access this endpoint without having a valid session.
Combining these vulnerabilit
Metasploit
MicroFocus Secure Messaging Gateway Remote Code Execution
metasploit
Module description: This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user. One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. Combining these vulnerabilities gives the opportunity execute operation system commands under th
No writeups or analysis indexed.
References
- https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/
- https://support.microfocus.com/kb/doc.php?id=7023133
- https://www.exploit-db.com/exploits/45083/