Full Report
I recently tested an Internet-facing Anti-Spam product called SpamTitan Gateway. As you could infer from the name of the product, this platform's purpose was to detect Spam and/or other malicious software sent via email. It has a lot of other features too, as you could imagine from this type of product. In this post I will detail some vulnerabilities I discovered that ultimately led to the ability to achieve unauthenticated remote code execution.
Analysis Summary
The following summary of the flaws found in SpamTitan Gateway is structured for clarity and actionability.
# Vulnerability: Unauthenticated Remote Code Execution (RCE) in SpamTitan Gateway
## CVE Details
The article discusses multiple vulnerabilities, four of which are referenced in the Proof of Concept (PoC) video. The two primary "jail escape" vulnerabilities leading to root access are detailed below:
- **CVE IDs:**
  - **CVE-2020-24046**: backup import leading to a root shell.
  - **CVE-2020-24045**: VMware Tools installation path leading to a root shell.
- **CVSS Score:** Scores are not explicitly provided in the text, but the impact (unauthenticated RCE/root access) implies a **Critical** severity.
- **CWE:** Not stated in the text. The described flaws amount to code execution via attacker-controlled files (a tampered backup archive, a crafted ISO) combined with improper privilege handling (root executing that content).
## Affected Systems
- **Products:** SpamTitan Gateway (Self-hosted ISO/VMware image deployments).
- **Versions:** Versions before 7.08 (first set of fixes) and before 7.09 (fix for CVE-2020-24046), based on the disclosure timeline.
- **Configurations:** Self-hosted deployments are explicitly targeted for the discussed exploits.
## Vulnerability Description
The research uncovered several vulnerabilities that allowed an attacker to escape the restricted administrative console and ultimately gain unauthenticated **root access** on the appliance.
1. **CVE-2020-24046 (Backup Modification):** The backup feature exports the configuration as a `tar.bz2`. The exported file contains the line defining the administrator's console (`/usr/local/bin/stconsole`) and UID. Changing the console to `/bin/sh` and the UID to 0 (root), then importing the modified backup, gave a root shell at the next console login. The import path trusted the archive contents without validating them.
2. **CVE-2020-24045 (VMware Tools Abuse):** The console script (`/usr/local/bin/stconsole`) contained a hidden option ('5') for installing VMware Tools. After mounting the attached CD/ISO image, it executed `/tmp/vmware-tools/distrib/vmware-install.pl` as `root` without checking what that file was. Since the ISO is attacker-supplied, an ISO whose `vmware-install.pl` is a Perl reverse shell yields a root shell as soon as the hidden option is selected.
The two further CVEs shown in the PoC video are not detailed in the text.
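The tampering described for CVE-2020-24046, followed by the import-time check that would have rejected it, as an added example (not code from the write-up or from the vendor). The archive layout, a single `admin.passwd` member in passwd(5) field order, and the sample entry are assumptions for illustration; the real SpamTitan backup format is not shown in the text.

```python
import io
import tarfile

# Expected restricted console per the write-up; any other shell for the admin
# account means the restriction has been bypassed.
CONSOLE_SHELL = "/usr/local/bin/stconsole"
ALLOWED_SHELLS = {CONSOLE_SHELL}
EXPECTED_MEMBERS = ["admin.passwd"]   # assumed archive layout (illustration only)

# Constructed sample entry in passwd(5) layout: name:pw:uid:gid:gecos:home:shell
ORIGINAL_PASSWD = "admin:*:1001:1001:SpamTitan admin:/home/admin:/usr/local/bin/stconsole\n"


def build_backup(passwd_text: str) -> bytes:
    """Pack the passwd-style file into an in-memory tar.bz2, standing in for the export."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        data = passwd_text.encode()
        info = tarfile.TarInfo(name=EXPECTED_MEMBERS[0])
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tamper(passwd_text: str) -> str:
    """Apply the edit the write-up describes: admin gets UID 0 and /bin/sh as its console."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == "admin":
            fields[2] = "0"
            fields[6] = "/bin/sh"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def check_entry(line: str) -> list:
    """Reasons a single passwd-style entry is unacceptable in an imported backup."""
    fields = line.split(":")
    if len(fields) != 7:
        return [f"malformed entry: {line!r}"]
    name, _, uid, _, _, _, shell = fields
    problems = []
    if not uid.isdigit():
        problems.append(f"{name}: non-numeric UID {uid!r}")
    elif int(uid) == 0 and name != "root":
        problems.append(f"{name}: UID 0 is reserved for root")
    if shell not in ALLOWED_SHELLS:
        problems.append(f"{name}: shell {shell} is not the restricted console")
    return problems


def validate_backup(blob: bytes) -> list:
    """Return every reason an imported backup must be rejected; an empty list means accept.

    The archive is inspected in memory, so nothing hostile is written to disk or
    applied before the check has passed."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:bz2") as tar:
        names = tar.getnames()
        for missing in sorted(set(EXPECTED_MEMBERS) - set(names)):
            problems.append(f"missing member: {missing}")
        for member in tar.getmembers():
            # Anything outside the fixed allowlist (extra files, paths with '..',
            # symlinks, devices) is refused rather than extracted.
            if member.name not in EXPECTED_MEMBERS or not member.isfile():
                problems.append(f"refusing unexpected member {member.name!r}")
                continue
            text = tar.extractfile(member).read().decode(errors="replace")
            for line in text.splitlines():
                if line.strip():
                    problems.extend(check_entry(line))
    return problems


if __name__ == "__main__":
    print("clean   :", validate_backup(build_backup(ORIGINAL_PASSWD)))
    print("tampered:", validate_backup(build_backup(tamper(ORIGINAL_PASSWD))))
```

The clean archive validates with no findings; the tampered one is rejected for both the UID change and the shell change. The point of the allowlist is that the import code never has to reason about what an attacker might put in the archive, only about what a legitimate export is allowed to contain.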
## Exploitation
- **Status:** PoC available (on GitHub, referenced by the researcher).
- **Complexity:** **Low**. The backup modification is a plain-text edit of an exported archive followed by a re-import, and the ISO trick only requires a file with the expected name. Both jail escapes start from the restricted console, so the unauthenticated chain depends on the web-application flaws fixed in 7.08.
- **Attack Vector:** Network (the web interface, for the backup export/import of CVE-2020-24046) and Local/Console (the restricted CLI, for both).
## Impact
- **Confidentiality:** **High** (Full access to system files and mail data).
- **Integrity:** **High** (Ability to execute arbitrary commands as root, modifying configuration or installing persistent backdoors).
- **Availability:** **High** (System compromise leading to potential denial of service).
## Remediation
### Patches
- **Version 7.08:** Released May 26, 2020; addressed the first set of vulnerabilities, which the text indicates were the web-based flaws.
- **Version 7.09:** Targeted for release in September 2020, addressing the second jail-escaping weakness (CVE-2020-24046).
- **Hotfix:** Deployed immediately following disclosure for CVE-2020-24045 (preventing VMware Tools CD mounting).
**Action Required:** Upgrade to SpamTitan Gateway **Version 7.09** or later.
### Workarounds
- Immediately apply the vendor hotfix related to disabling unauthorized VMware Tools CD mounting.
- Restrict network and physical access to the appliance console and web interface. This limits exposure but does not remove the flaws: on versions before 7.08 the chain reached RCE without authentication.
## Detection
- **Indicators of Compromise:**
- Unexpected modification or tampering of system configuration files, particularly `admin.passwd`: any entry with UID 0 that is not root, or a shell other than `/usr/local/bin/stconsole`, is a direct sign of the CVE-2020-24046 technique.
- Unauthorized execution of scripts from the `/tmp/vmware-tools/` directory or unexpected mounting of CD/ISO drives on the VM.
- Outbound network traffic originating from the SpamTitan server that is not standard email/monitoring traffic (indicating a reverse shell).
- **Detection Methods and Tools:** File Integrity Monitoring (FIM) on critical configuration directories, and monitoring of commands executed by restricted users, in particular anything run as root from `/tmp`.
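The indicators above turned into a small detector run over constructed syslog-style lines, as an added example (not code from the write-up or from the vendor). The line format, hostnames, device names, the FIM and netflow message shapes, and the list of expected outbound ports are all assumptions for illustration; the appliance's real log format is not shown in the text.

```python
import re

# Constructed sample log lines (not from a real appliance). The first five lines
# model the CVE-2020-24045 sequence and a tampered admin.passwd; the last two are benign.
SAMPLE_LOG = """\
May 27 10:01:02 spamtitan kernel: cd0: <VMware Virtual IDE CDROM Drive> removable
May 27 10:01:05 spamtitan stconsole[2231]: mount_cd9660 /dev/cd0 /tmp/vmware-tools
May 27 10:01:06 spamtitan stconsole[2231]: exec uid=0 /usr/local/bin/perl /tmp/vmware-tools/distrib/vmware-install.pl
May 27 10:01:07 spamtitan fim[119]: modified /var/db/spamtitan/admin.passwd
May 27 10:01:08 spamtitan netflow[77]: out src=10.0.0.5:54233 dst=203.0.113.7:4444 proto=tcp
May 27 10:02:00 spamtitan postfix/smtp[3001]: out src=10.0.0.5:40001 dst=198.51.100.9:25 proto=tcp
May 27 10:03:00 spamtitan sshd[999]: Accepted publickey for admin from 10.0.0.2 port 51234
"""

# Ports a mail gateway is assumed to talk to outbound (SMTP, DNS, NTP, HTTPS, submission).
# Tune this per deployment; a reverse shell to an arbitrary port will fall outside it.
EXPECTED_OUTBOUND_PORTS = {25, 53, 123, 443, 465, 587}

# Rule name -> pattern. Each maps to one indicator from the section above.
RULES = [
    ("vmware-tools-exec", re.compile(r"exec uid=0 .*?/tmp/vmware-tools/")),   # root running installer from /tmp
    ("cd-mount", re.compile(r"mount_cd9660\s+/dev/cd\d+|\bmount\b.*?/dev/cd\d+")),  # CD/ISO attached and mounted
    ("admin-passwd-modified", re.compile(r"modified\s+\S*admin\.passwd")),    # FIM hit on the console/UID file
]
OUTBOUND = re.compile(r"\bout src=\S+ dst=\S+:(\d+) proto=tcp")


def scan(log_text: str) -> list:
    """Return (rule, line) pairs for every line that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((rule, line))
        m = OUTBOUND.search(line)
        if m and int(m.group(1)) not in EXPECTED_OUTBOUND_PORTS:
            findings.append(("unexpected-outbound", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, so a burst of related rules stands out as one incident."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for rule, line in hits:
        print(f"{rule:24} {line}")
    print(summarize(hits))
```

On the sample the four tampering lines each fire one rule and the two benign lines fire none; the mail delivery to port 25 is silent precisely because it is in the expected-port set. In practice the mount and exec rules should be correlated within a short window, since a mount followed by a root exec from the mount point is the whole CVE-2020-24045 sequence.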
## References
- Vendor Advisory: Not explicitly detailed, but implied resolution in versions 7.08 and 7.09.
- Research Link: hxxps://sensepost.com/clash-of-the-spamtitan/ (The reporter's blog post detailing the findings).
- PoC Link: Mentioned as available on GitHub by the researcher.