Advisory Details

July 26th, 2013

(0Day) PineApp Mail-SeCure test_li_connection.php Remote Code Execution Vulnerability

ZDI-13-188
ZDI-CAN-1886

CVE ID
CVSS SCORE 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C
AFFECTED VENDORS PineApp
AFFECTED PRODUCTS Mail-SeCure
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of PineApp Mail-SeCure. Authentication is not required to exploit this vulnerability.

The specific flaw exists with input sanitization in the test_li_connection.php component. This flaw allows for the injection of arbitrary commands to the Mail-SeCure server. An attacker could leverage this vulnerability to execute arbitrary code as root.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.

Vendor Contact Timeline:
May 16, 2013:
- First email sent to PineApp
May 22, 2013:
- Second email sent to PineApp
May 24, 2013:
- Phone call placed to PineApp
June 11, 2013:
- Phone call placed to PineApp
June 21, 2013:
- Third email sent to PineApp
July 26, 2013:
- Vulnerability advisory published

-- Mitigation:
Given the requirements for users to have access to their email, and given the nature of the vulnerabilities discovered in the PineApp Mail-SeCure software, the only salient mitigation strategy is to restrict access to port 7443 of the PineApp device or VM to those machines which have a legitimate need to access the PineApp software directly. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. For systems running Microsoft Windows, these features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.


DISCLOSURE TIMELINE
  • 2013-05-16 - Vulnerability reported to vendor
  • 2013-07-26 - Coordinated public release of advisory
CREDIT Dave Weinstein, HP Zero Day Initiative
BACK TO ADVISORIES