| ID |
CVE-2020-24046
|
| Sažetak |
A sandbox escape issue was discovered in TitanHQ SpamTitan Gateway 7.07. It limits the admin user to a restricted shell, allowing execution of a small number of tools of the operating system. This restricted shell can be bypassed after changing the properties of the user admin in the operating system file /etc/passwd. This file cannot be accessed though the restricted shell, but it can be modified by abusing the Backup/Import Backup functionality of the web interface. An authenticated attacker would be able to obtain the file /var/tmp/admin.passwd after executing a Backup operation. This file can be manually modified to change the GUID of the user to 0 (root) and change the restricted shell to a normal shell /bin/sh. After the modification is done, the file can be recompressed to a .tar.bz file and imported again via the Import Backup functionality. The properties of the admin user will be overwritten and a root shell will be granted to the user upon the next successful login. |
| Reference |
|
| CVSS |
| Base: | 9.0 |
| Impact: | 10.0 |
| Exploitability: | 8.0 |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| NETWORK |
LOW |
SINGLE |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| COMPLETE |
COMPLETE |
COMPLETE |
|
| CVSS vektor |
AV:N/AC:L/Au:S/C:C/I:C/A:C |
| Zadnje važnije ažuriranje |
24-09-2020 - 13:46 |
| Objavljeno |
17-09-2020 - 17:15 |
