Rapid7 Vulnerability & Exploit Database

Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write

Back to Search

Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write

Disclosed
10/01/2015
Created
02/20/2020

Description

This module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit using the given payload, host, and port. After running the exploit, the payload will be executed within 60 seconds. Due to differences in how cron may run in certain Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion as the cron method may not work. If the target is set to Bash completion, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. For this exploitation method, bash completion must be enabled to gain code execution. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.

Author(s)

  • Palaczynski Jakub
  • Matthew Aberegg
  • Michael Burkey

Platform

Linux

Architectures

x86, x64

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/smtp/apache_james_exec
msf exploit(apache_james_exec) > show targets
    ...targets...
msf exploit(apache_james_exec) > set TARGET < target-id >
msf exploit(apache_james_exec) > show options
    ...show and set options...
msf exploit(apache_james_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;