module
SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution
| Disclosed | Created |
|---|---|
| 04/17/2019 | 07/11/2023 |
Disclosed
04/17/2019
Created
07/11/2023
Description
This module exploits a vulnerability in the SmarterTools SmarterMail
software for version numbers The vulnerable versions and builds expose three .NET remoting endpoints
on port 17001, namely /Servers, /Mail and /Spool. For example, a
typical installation of SmarterMail Build 6970 will have the /Servers
endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where
serialized .NET commands can be sent through a TCP socket connection.
The three endpoints perform deserialization of untrusted data
(CVE-2019-7214), allowing an attacker to send arbitrary commands
to be deserialized and executed. This module exploits this vulnerability
to perform .NET deserialization attacks, allowing remote code execution
for any unauthenticated user under the context of the SYSTEM account.
Successful exploitation results in full administrative control of the
target server under the NT AUTHORITY\SYSTEM account.
This vulnerability was patched in Build 6985, where the 17001 port is
no longer publicly accessible, although it can be accessible locally
at 127.0.0.1:17001. Hence, this would still allow for a privilege
escalation vector if the server is compromised as a low-privileged user.
software for version numbers The vulnerable versions and builds expose three .NET remoting endpoints
on port 17001, namely /Servers, /Mail and /Spool. For example, a
typical installation of SmarterMail Build 6970 will have the /Servers
endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where
serialized .NET commands can be sent through a TCP socket connection.
The three endpoints perform deserialization of untrusted data
(CVE-2019-7214), allowing an attacker to send arbitrary commands
to be deserialized and executed. This module exploits this vulnerability
to perform .NET deserialization attacks, allowing remote code execution
for any unauthenticated user under the context of the SYSTEM account.
Successful exploitation results in full administrative control of the
target server under the NT AUTHORITY\SYSTEM account.
This vulnerability was patched in Build 6985, where the 17001 port is
no longer publicly accessible, although it can be accessible locally
at 127.0.0.1:17001. Hence, this would still allow for a privilege
escalation vector if the server is compromised as a low-privileged user.
Authors
Soroush Dalili1F98DIsmail E. Dawoodjee
Platform
Windows
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/windows/http/smartermail_rce
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.