CVE-2020-11698
Published 2020-09-17
Priority P277 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 73.67% (99.4th percentile)
An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| titanhq | spamtitan | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to snmp-x.php containing newline characters (%0a or \n) in the 'community' parameter, which is the injection vector for snmpd.conf directive smuggling.
- Detect POST requests to snmp-x.php with jaction=saveAll and a 'community' parameter containing the string 'extend' or 'exec', indicating SNMPD directive injection.
- Alert on SNMP GET queries for OID .1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108 (NET-SNMP-EXTEND-MIB 'revshell' entry), which is used to trigger the injected reverse shell payload.
- The exploit requires no authentication for SpamTitan versions 7.01, 7.02, and 7.07; flag unauthenticated POST requests to snmp-x.php from external IPs.
- The snmpd daemon runs as root; detect unexpected outbound TCP connections from the snmpd process (FreeBSD), which would indicate a successful reverse shell.
- Version 7.03 requires authentication to reach snmp-x.php, unlike versions 7.01, 7.02, and 7.07 which are fully unauthenticated. Detection rules should account for both authenticated and unauthenticated POST requests to snmp-x.php.
- The exploit targets FreeBSD-based SpamTitan appliances; SNMP-based detection and process monitoring rules should be scoped to FreeBSD environments.
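
The request-level checks from the list above, written out as an added Python example (not code from this page, the vendor, or the exploit authors). The function name `check_request`, the finding labels, and the sample records are constructed for illustration, and it assumes a proxy or WAF log that captures the raw urlencoded POST body and the session's authentication state.

```python
import re
from urllib.parse import parse_qs

# snmpd.conf directives named in the detection notes above; word boundaries
# keep an ordinary community string such as "executive" from matching
DIRECTIVE = re.compile(r"\b(extend|exec)\b", re.IGNORECASE)

def check_request(method, path, body, authenticated=False):
    """Return finding labels for one logged HTTP request.

    Assumes the log records the raw urlencoded POST body and whether the
    session was authenticated (both are assumptions of this example).
    """
    if method.upper() != "POST":
        return []
    if not path.split("?", 1)[0].endswith("/snmp-x.php"):
        return []
    findings = []
    if not authenticated:
        # 7.01, 7.02 and 7.07 accept this POST without a session
        findings.append("unauthenticated-post")
    # parse_qs percent-decodes, so %0a, %0A and %0d become control characters
    params = parse_qs(body, keep_blank_values=True)
    save_all = "saveAll" in params.get("jaction", [])
    for value in params.get("community", []):
        if "\n" in value or "\r" in value:
            findings.append("newline-in-community")
        if save_all and DIRECTIVE.search(value):
            findings.append("directive-in-community")
    return findings

# Constructed sample records: (method, path, body, authenticated)
SAMPLES = [
    ("POST", "/snmp-x.php", "jaction=saveAll&community=public", True),
    ("POST", "/snmp-x.php",
     "jaction=saveAll&community=public%0aextend+NAME+%2Fpath%2Fto%2Fcommand", False),
    ("GET", "/snmp-x.php", "", False),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], check_request(*sample))
```

A legitimate community string never contains a line break, so `newline-in-community` on its own is a high-confidence signal even on version 7.03, where the request arrives authenticated.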
CVSS provenance
nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
SpamTitan 7.07 - Unauthenticated Remote Code Execution
exploitdb·2020-10-05·CVSS 9.8
---
# Exploit Title: SpamTitan 7.07 - Unauthenticated Remote Code Execution
# Date: 2020-09-18
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/
# Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway
# Version: 7.07
# Tested on: FreeBSD
# CVE : CVE-2020-11698
---[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in snmp-x.php]------------------------------
SECURITY ADVISORY: SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in snmp-x.php
Affected Software: SpamTitan Gateway 7.07 (possibly earlier versions)
Vulnerability: Unauthenticated Remote Code Execution
CVSSv3: 10.0
(https://www.first.org/cvss/calculator/3.0#CVSS:3.0
Metasploit
SpamTitan Unauthenticated RCE
metasploit
TitanHQ SpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malware. This module exploits improper input sanitization in versions 7.01, 7.02, 7.03 and 7.07 to inject command directives into the SNMP configuration file and get remote code execution as root. Note that only version 7.03 needs authentication; no authentication is required for versions 7.01, 7.02 and 7.07. First, it sends an HTTP POST request to the `snmp-x.php` page with `SNMPD` command directives (`extend` + command) passed to the `community` parameter. This payload is then added to `snmpd.conf` by the application. Finally, the module triggers the execution of this command by querying the SNMP server for the correct OID. This exploit module has been su
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/159470/SpamTitan-7.07-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/160809/SpamTitan-7.07-Command-Injection.html
- https://github.com/felmoltor
- https://sensepost.com/blog/2020/clash-of-the-spamtitan/
- https://twitter.com/felmoltor
- https://www.spamtitan.com/
Published: 2020-09-17