CVE-2020-24045
Description
A sandbox escape in TitanHQ SpamTitan Gateway 7.07 allows an admin to gain root code execution by mounting a malicious VMware Tools ISO.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sandbox escape in TitanHQ SpamTitan Gateway 7.07 allows an admin to gain root code execution by mounting a malicious VMware Tools ISO.
Vulnerability
A sandbox escape vulnerability exists in TitanHQ SpamTitan Gateway version 7.07. The product limits the admin user to a restricted shell (a Perl script), allowing only a small number of operating system tools. The restricted shell can be bypassed by presenting a fake VMware Tools ISO image to the guest virtual machine running SpamTitan Gateway. The ISO image must contain a valid Perl script at the path vmware-freebsd-tools/vmware-tools-distrib/vmware-install.pl. When the hidden option to install VMware Tools is selected from the main menu (option 5), the fake ISO is mounted and the script is executed with super-user privileges [2].
Exploitation
An attacker with administrative access to the restricted shell can prepare a malicious ISO image containing an arbitrary Perl script at the specified path. By selecting the VMware Tools installation option in the main menu, the ISO is mounted and the script is executed as root. The attacker does not require any additional authentication or network access beyond the initial administrative console [2].
Impact
Successful exploitation allows the attacker to execute arbitrary Perl code with root privileges, effectively escaping the restricted shell. This can lead to full compromise of the SpamTitan Gateway appliance, including the ability to install backdoors, modify system files, and access sensitive data [2].
Mitigation
No official fix was identified in the available references. Users should consider upgrading to a patched version if one becomes available, or restrict access to the administrative console and monitor the appliance for unusual activity. The vendor's website may provide updates [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- TitanHQ/SpamTitan Gatewaydescription
- Range: = 7.07
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The restricted shell's hidden option 5 mounts a CD and executes an arbitrary script at a fixed path as root without any integrity or origin checks."
Attack vector
An attacker with local access to the SpamTitan Gateway VM crafts a fake VMware Tools ISO image containing a malicious Perl script at the path `vmware-freebsd-tools/vmware-tools-distrib/vmware-install.pl` [ref_id=1]. The attacker mounts this ISO as the virtual CD drive of the SpamTitan VM. When the admin selects hidden option 5 from the restricted shell's main menu, the appliance mounts the ISO and executes the attacker's script as root, giving the attacker a root shell or backdoor [ref_id=1]. No authentication on the web interface is required for this path.
Affected code
The restricted shell is implemented in `/usr/local/bin/stconsole`, a Perl script that presents a limited menu to the admin user. A hidden option (number 5) in that script invokes a function that mounts a CD drive and executes `/tmp/vmware-tools/distrib/vmware-install.pl` with super-user privileges [ref_id=1]. No patch is included in the bundle.
What the fix does
The bundle does not include a patch or vendor advisory describing a fix. The researcher's write-up identifies the root cause: the hidden option in `/usr/local/bin/stconsole` blindly executes any script at a hard-coded path from a mounted CD as root [ref_id=1]. A proper fix would require either removing the hidden option, validating the origin and integrity of the mounted script before execution, or dropping privileges before running external scripts from removable media.
Preconditions
- networkAttacker must have local access to the SpamTitan Gateway VM (e.g., via the hypervisor console) to mount a custom ISO as the virtual CD drive.
- inputThe restricted shell's hidden option 5 must be selectable by an admin user at the console.
Reproduction
1. Create a Perl reverse shell script and name it `vmware-install.pl`. Place it inside a directory tree at `vmware-freebsd-tools/vmware-tools-distrib/vmware-install.pl`. 2. Use `genisoimage` to build an ISO image from that directory tree. 3. Mount the crafted ISO as the virtual CD drive of the SpamTitan VM. 4. Log into the SpamTitan console as admin and select hidden option 5 from the main menu. The script executes as root, providing a reverse shell [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- sensepost.com/blog/2020/clash-of-the-spamtitan/mitrex_refsource_MISC
- twitter.com/felmoltormitrex_refsource_MISC
- www.titanhq.commitrex_refsource_MISC
News mentions
0No linked articles in our index yet.