This Metasploit module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers 16.x and below or for build numbers below 6985. The vulnerable versions and builds expose three .NET remoting endpoints on port 17001, namely /Servers, /Mail and /Spool. For example, a typical installation of SmarterMail Build 6970 will have the /Servers endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where serialized .NET commands can be sent through a TCP socket connection. The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user under the context of the SYSTEM account. Successful exploitation results in full administrative control of the target server under the NT AUTHORITY\SYSTEM account. This vulnerability was patched in Build 6985, where the 17001 port is no longer publicly accessible, although it can be accessible locally at 127.0.0.1:17001. Hence, this would still allow for a privilege escalation vector if the server is compromised as a low-privileged user.
c00513d64b0afbcf82cfd8c3569e9b9bd32c506402e79960d11808c409ea5c44SmarterMail build version 6985 suffers from a remote code execution vulnerability.
03a34ec5b65f814667108d5769e315ba381562b01bceb44b9f6931123cc94443
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed