SmarterMail Build 6919 is affected by a critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2019-7214, which stems from the deserialization of untrusted data.
The Core Vulnerability
In version 16.x and builds prior to 6985, SmarterMail exposes three .NET remoting endpoints on TCP port 17001. By default, these endpoints are often exposed to the public at tcp://0.0.0.0:17001/Servers. Because the application fails to properly validate data sent to these endpoints, an unauthenticated attacker can send serialized .NET commands over a plain TCP socket connection.
Impact & Exploitation
Successful exploitation allows an unauthenticated user to execute arbitrary commands with SYSTEM-level privileges (the highest level of administrative control on a Windows server).
Exploit Availability: Public exploit code and a Metasploit module (exploit/windows/http/smartermail_rce) are widely available.
Verification: Security researchers confirmed Build 6919 is vulnerable, while Build 6985 effectively mitigated the issue by making port 17001 accessible only locally (127.0.0.1).
Remediation: Immediately upgrade to Build 6985 or later. In newer versions, port 17001 is no longer publicly accessible.
Workaround: If upgrading is not possible, use a firewall to block all external traffic to TCP port 17001.
Remediation and Mitigation
SmarterTools has released a patch to address this vulnerability. Immediate action is required.
Search your SmarterMail server for the following IoCs (Indicators of Compromise):
- Check C:\inetpub\wwwroot\aspnet_client\ or C:\Program Files (x86)\SmarterTools\SmarterMail\WebRoot\ for .aspx or .ashx files that are not part of the official distribution. Check timestamps around the time of any service restart.
- Run SELECT * FROM Users WHERE IsAdmin = 1 against your SmarterMail database (usually a SQLite or MSSQL DB). Look for unknown admin users.
- Run netstat -ano to see whether svchost.exe (or your SmarterMail process) is making outgoing connections to non-mail-related IPs (check Tor exit nodes or known mining pools).
- Search the Logging\Service Logs folder for the exact phrase 6919. If it is present alongside a Process.Start event, assume compromise.

Imagine a typical SmarterMail server humming along, processing thousands of legitimate email logins. An attacker scans the internet for exposed SmarterMail login portals (usually on port 80, 443, or 9998 for the admin interface).
Using a simple tool like curl or a Python script, the attacker sends a request that looks something like this (simplified for clarity):
POST /interface/Download.aspx?file=../../../Windows/Temp/shell.aspx HTTP/1.1
Host: targetmailserver.com
Content-Type: application/x-www-form-urlencoded

data=<% System.Diagnostics.Process.Start("cmd.exe"); %>
This request attempts to navigate up three directories (../../../) from the web root into the Windows temporary folder and write a file called shell.aspx. Because the server fails to validate the path, it complies. The attacker then visits https://targetmailserver.com/Temp/shell.aspx and now has a command prompt on the mail server itself.
Once inside, the attacker can:
If you were hit by this, don't blame the vendor entirely. Your defense-in-depth failed here:
- w3wp.exe would have been blocked from executing cmd.exe. The RCE would have failed.
- User-Agent header for C# syntax.
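The IoC hunt listed under Remediation and Mitigation, plus a check that port 17001 is bound to loopback only as Build 6985 and later do, as an added PowerShell example that is not from the original page or from SmarterTools. The install paths, the service process name MailService, the 30-day window and the mail-port list are assumptions; it is read-only, and every hit is something to verify against a clean install, not a verdict.

```powershell
# Added example, not from the original page or from SmarterTools: read-only triage for the
# checks discussed on this page. Paths, the process name and the 30-day window are assumptions.
$webRoots  = @('C:\inetpub\wwwroot\aspnet_client',
               'C:\Program Files (x86)\SmarterTools\SmarterMail\WebRoot')
$logRoot   = 'C:\Program Files (x86)\SmarterTools\SmarterMail\Logging\Service Logs'  # assumed path
$svcName   = 'MailService'            # assumed SmarterMail service process name; adjust if different
$since     = (Get-Date).AddDays(-30)  # assumed window; tighten to the last service restart if known
$mailPorts = 25, 53, 80, 110, 143, 443, 465, 587, 993, 995   # ports a mail server legitimately talks to
$findings  = New-Object System.Collections.Generic.List[string]

# 1. The .NET remoting listener on 17001 must be bound to loopback only (Build 6985+).
#    A 0.0.0.0 or :: binding means the pre-6985 exposure is still present.
Get-NetTCPConnection -LocalPort 17001 -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object { $findings.Add("EXPOSED 17001: bound to $($_.LocalAddress), PID $($_.OwningProcess)") }

# 2. .aspx/.ashx files created or modified recently in the web roots. No vendor manifest is
#    available offline, so each hit must be compared against a clean install of the same build.
foreach ($root in $webRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
        ForEach-Object { $findings.Add("WEB FILE: $($_.FullName) modified $($_.LastWriteTime)") }
}

# 3. Established outbound connections from the mail process to ports mail traffic does not use.
$svcPids = @(Get-Process -Name $svcName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
if ($svcPids.Count -gt 0) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $svcPids -contains $_.OwningProcess -and $mailPorts -notcontains $_.RemotePort } |
        ForEach-Object { $findings.Add("OUTBOUND: PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)") }
}

# 4. Service logs: the page's IoC is the phrase 6919 appearing together with a Process.Start event.
if (Test-Path -Path $logRoot) {
    Get-ChildItem -Path $logRoot -Recurse -File -Include *.log -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits = Select-String -Path $_.FullName -Pattern '6919', 'Process\.Start'
            $pats = @($hits | Select-Object -ExpandProperty Pattern -Unique)
            if ($pats.Count -ge 2) { $findings.Add("LOG: $($_.FullName) contains both 6919 and Process.Start") }
        }
}

if ($findings.Count -eq 0) { Write-Output 'No findings (this does not prove the host is clean).' }
else { $findings | ForEach-Object { Write-Output $_ } }
```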