PT-2020-15627 · Titanhq · Spamtitan Gateway

Published 2020-09-17 · Updated 2020-09-24 · CVE-2020-24046

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
TitanHQ SpamTitan Gateway version 7.07

Description
A sandbox escape issue allows an authenticated attacker to bypass the restricted shell and gain root access. The restricted shell limits the admin user to executing a small number of tools. However, by abusing the Backup/Import Backup functionality in the web interface, an attacker can modify the /etc/passwd file, which is not directly accessible through the restricted shell. The attacker can obtain the /var/tmp/admin.passwd file after executing a Backup operation, manually modify it to change the user's GUID to 0 (root) and the shell to /bin/sh, and then re-import it. This results in the admin user being granted a root shell upon the next successful login.

Recommendations
For TitanHQ SpamTitan Gateway version 7.07, consider disabling the Backup/Import Backup functionality until a patch is available, to prevent abuse of this feature, and restrict access to the /var/tmp/admin.passwd file to minimize the risk of exploitation.
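
The check below is an added example, not TitanHQ's code or part of the original advisory: it vets a passwd-format file taken from a backup against the running system's entries before it is re-imported, and rejects the ID and shell changes described above. It assumes the file uses the colon-separated passwd(5) or FreeBSD master.passwd layout; the function names, account values and shell path are constructed for illustration.

```python
"""Added example: vet a passwd-format file from a backup before it is re-imported."""

# Assumption: the file uses colon-separated passwd(5) or FreeBSD master.passwd
# layout: name is field 0, UID field 2, GID field 3, login shell the last field.


def parse_passwd(text):
    """Return {name: (uid, gid, shell)}; raise ValueError on malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            raise ValueError(f"line {lineno}: unexpected field count {len(fields)}")
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            raise ValueError(f"line {lineno}: non-numeric UID/GID") from None
        entries[fields[0]] = (uid, gid, fields[-1])
    return entries


def vet_import(current_text, imported_text):
    """List the reasons to reject the imported file; an empty list means accept."""
    current = parse_passwd(current_text)
    findings = []
    for name, (uid, gid, shell) in parse_passwd(imported_text).items():
        old = current.get(name)
        if old is None:
            findings.append(f"{name}: account not present on the running system")
            continue
        if uid != old[0]:
            findings.append(f"{name}: UID changed {old[0]} -> {uid}")
        if gid != old[1]:
            findings.append(f"{name}: GID changed {old[1]} -> {gid}")
        if shell != old[2]:
            findings.append(f"{name}: shell changed {old[2]} -> {shell}")
    return findings


# Constructed sample data (not taken from a SpamTitan appliance).
CURRENT = "admin:*:1001:1001:Admin:/home/admin:/usr/local/bin/rshell\n"
TAMPERED = "admin:*:1001:0:Admin:/home/admin:/bin/sh\n"

if __name__ == "__main__":
    for finding in vet_import(CURRENT, TAMPERED):
        print("REJECT", finding)
```

An import routine would refuse the file whenever the returned list is non-empty and log the findings for review.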

Exploit

Fix

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2020-24046

Affected Products

Spamtitan Gateway