CVE-2020-11699
Published: 2020-09-17
Priority: P263, high, 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 9.64% (94.9th percentile)
An issue was discovered in Titan SpamTitan 7.07. Improper validation of the parameter fname on the page certs-x.php would allow an attacker to execute remote code on the target server. The user has to be authenticated before interacting with this page.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| titanhq | spamtitan | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /certs-x.php where the 'fname' parameter contains shell metacharacters such as '||', '$(...)', or pipe characters, indicating command injection attempts.
- Detect POST requests to /certs-x.php with 'jaction=deletecert' combined with shell injection patterns in the 'fname' parameter.
- Detect POST requests to /certs-x.php with 'jaction=downloadkey' and 'fname' values containing path traversal sequences (e.g., '../../../..') indicating arbitrary file read attempts (CVE-2020-11700).
- Alert on outbound wget or python execution from the SpamTitan web process, particularly writing to /tmp/r.py and executing it, which is the reverse shell staging pattern used in this exploit.
- Monitor for CSRF token extraction via GET to /certs.php followed immediately by a POST to /certs-x.php from the same session, which is the exploit's two-step attack pattern.
- Detect reverse shell connections on non-standard ports (default 4242) originating from the SpamTitan server process after exploitation.
- Exploitation requires prior authentication to the SpamTitan web interface; unauthenticated attackers cannot directly trigger this RCE.
- The exploit targets SpamTitan Gateway 7.07 running on FreeBSD; the hardcoded binary paths (/usr/local/bin/wget, /usr/local/bin/python) are FreeBSD-specific and may differ on other platforms.
- Earlier versions of SpamTitan Gateway prior to 7.07 may also be vulnerable, as the advisory notes the issue exists in 'probably previous versions'.
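
The first three detection items above can be expressed as one request classifier. This is an added example, not code from the advisory or the vendor; it assumes a reverse proxy or WAF log that records the POST body, and the names `classify`, `scan` and `SAMPLES` (with its constructed requests) are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Patterns named on this page: '||', '$(...)' and '|' in fname; '../' for traversal.
SHELL_META = re.compile(r"\||\$\(")
TRAVERSAL = re.compile(r"\.\./")

def classify(method, url, body):
    """Return finding labels for one logged HTTP request (empty list = nothing matched)."""
    if method.upper() != "POST" or urlsplit(url).path != "/certs-x.php":
        return []
    # parse_qs percent-decodes once, so %7C%7C is seen as '||'.
    form = parse_qs(body, keep_blank_values=True)
    action = form.get("jaction", [""])[0]
    findings = []
    for fname in form.get("fname", []):  # check every repeated fname value
        if SHELL_META.search(fname):
            label = "fname-shell-metachar"
            if action == "deletecert":
                label += ":deletecert"
            findings.append(label)
        if action == "downloadkey" and TRAVERSAL.search(fname):
            findings.append("fname-path-traversal:downloadkey")
    return findings

# Constructed sample requests (method, URL, form body); not taken from real traffic.
SAMPLES = [
    ("POST", "/certs-x.php", "jaction=deletecert&fname=a.pem%7C%7Ctrue"),
    ("POST", "/certs-x.php", "jaction=downloadkey&fname=..%2F..%2F..%2F..%2Fplaceholder"),
    ("POST", "/certs-x.php", "jaction=deletecert&fname=mail.example.pem"),
    ("GET", "/certs.php", ""),
]

def scan(samples):
    """Return (index, findings) for every sample that matched at least one rule."""
    hits = []
    for i, (method, url, body) in enumerate(samples):
        found = classify(method, url, body)
        if found:
            hits.append((i, found))
    return hits

if __name__ == "__main__":
    for index, found in scan(SAMPLES):
        print(index, SAMPLES[index][1], found)
```

Because the page is reachable only after authentication, any hit should be correlated with the session's login source and account.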
CVSS provenance
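| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |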
References
- http://packetstormsecurity.com/files/159218/SpamTitan-7.07-Remote-Code-Execution.html
- https://github.com/felmoltor
- https://sensepost.com/blog/2020/clash-of-the-spamtitan/
- https://twitter.com/felmoltor
- https://www.spamtitan.com/