Advisory Details

July 26th, 2013

(0Day) PineApp Mail-SeCure confpremenu.php Export Log Remote Code Execution Vulnerability

ZDI-13-187
ZDI-CAN-1887

CVE ID
CVSS SCORE 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C
AFFECTED VENDORS PineApp
AFFECTED PRODUCTS Mail-SeCure
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of PineApp Mail-SeCure. Authentication is not required to exploit this vulnerability.

The specific flaw exists with input sanitization in the confpremenu.php component. This flaw allows for the injection of arbitrary commands to the Mail-SeCure server. An attacker could leverage this vulnerability to execute arbitrary code as root.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.

Vendor Contact Timeline:
May 16, 2013:
- First email sent to PineApp
May 22, 2013:
- Second email sent to PineApp
May 24, 2013:
- Phone call placed to PineApp
June 11, 2013:
- Phone call placed to PineApp
June 21, 2013:
- Third email sent to PineApp
July 26, 2013:
- Vulnerability advisory published

-- Mitigation:
Given the requirements for users to have access to their email, and given the nature of the vulnerabilities discovered in the PineApp Mail-SeCure software, the only salient mitigation strategy is to restrict access to port 7443 of the PineApp device or VM to those machines which have a legitimate need to access the PineApp software directly. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. For systems running Microsoft Windows, these features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.


DISCLOSURE TIMELINE
  • 2013-05-16 - Vulnerability reported to vendor
  • 2013-07-26 - Coordinated public release of advisory
CREDIT Dave Weinstein, HP Zero Day Initiative
BACK TO ADVISORIES