CVE-2020-24046
Description
Authenticated admin can escape restricted shell in SpamTitan Gateway 7.07 by manipulating backup files to gain root shell.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a restricted-shell escape in TitanHQ SpamTitan Gateway version 7.07. The admin user is normally confined to a restricted console shell, but the backup/import functionality lets that user rewrite their own account entry indirectly. A backup exported from the web interface includes the file /var/tmp/admin.passwd, which follows the /etc/passwd format; the attacker edits it to set the admin user's UID to 0 (root) and the login shell to /bin/sh, then re-imports the backup so that the modified entry overwrites the admin user's properties. [2]
Exploitation
An authenticated attacker with admin access to the web interface exploits this by performing a backup operation to obtain /var/tmp/admin.passwd. The attacker modifies this file to set the admin user's UID to 0 and the shell to /bin/sh, recompresses the files into a .tar.bz2 archive, and imports it via the Import Backup functionality. On the next login the admin user receives a root shell instead of the restricted console. [2]
Impact
Successful exploitation allows an authenticated admin to escape the restricted shell and gain a full root shell on the SpamTitan Gateway appliance. This results in complete compromise of the system, including full control over the operating system and all data processed by the appliance. [2]
Mitigation
TitanHQ has not released a specific patch for this vulnerability as of the publication date (2020-09-17). The vendor's website [1] does not mention a fix. Users should restrict access to the admin interface to trusted networks and monitor for unauthorized backup/import operations. Upgrading to a later version if available is recommended. [1][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TitanHQ / SpamTitan Gateway
- Range: = 7.07
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Import Backup functionality does not validate or sanitize the UID, GID, or shell path in the imported admin.passwd file, allowing an authenticated attacker to escalate privileges to root."
Attack vector
An authenticated attacker uses the web interface's Backup feature to export a `.tar.bz2` archive containing the file `/var/tmp/admin.passwd`. The attacker extracts the archive, edits `admin.passwd` to change the admin user's UID to `0` (root) and the login shell from `/usr/local/bin/stconsole` to `/bin/sh`, then recompresses the files into a `.tar.bz2` archive. The attacker imports the modified archive via the Import Backup functionality, which overwrites the admin user's properties in the system. On the next SSH or console login, the admin user is granted a root shell instead of the restricted console [ref_id=1].
Affected code
The vulnerability lies in the Backup/Import Backup functionality of the SpamTitan Gateway web interface. The backup process exports a file `/var/tmp/admin.passwd` that mirrors the `/etc/passwd` format, containing the admin user's password hash and restricted shell path `/usr/local/bin/stconsole`. The Import Backup feature restores this file without validating that critical user properties (UID, shell) have not been tampered with [ref_id=1].
What the fix does
The advisory does not include a patch or vendor fix. The remediation guidance implied by the researcher is that the Import Backup functionality must validate that critical user properties (UID, GID, shell path) in the imported `admin.passwd` file have not been altered from their expected values, or that the backup/restore process should not allow modification of user account properties at all [ref_id=1]. No official patch is described in the supplied bundle.
Preconditions
- auth: Attacker must have valid credentials for the SpamTitan web interface (authenticated access)
- network: Attacker must have network access to the SpamTitan web interface
- config: The Backup and Import Backup features must be enabled and accessible to the authenticated user
Reproduction
1. Log into the SpamTitan Gateway web interface as an authenticated admin user.
2. Navigate to the Backup section and perform a Backup operation to download a `.tar.bz2` archive.
3. Extract the archive and locate the file `var/tmp/admin.passwd`.
4. Edit `admin.passwd`: change the UID field to `0` and the shell field from `/usr/local/bin/stconsole` to `/bin/sh`.
5. Re-compress the modified files into a `.tar.bz2` archive.
6. Use the Import Backup feature in the web interface to upload the modified archive.
7. Log out and log back in via SSH or console as the `admin` user. A root shell (`/bin/sh`) is granted instead of the restricted console [ref_id=1].
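The archive manipulation from the Attack vector and Reproduction sections, together with the validation that the "What the fix does" section says Import Backup is missing, as one added example. This is not SpamTitan's code or the researcher's script; it rebuilds the tampering and the check offline in Python against an in-memory `.tar.bz2`. The member path `var/tmp/admin.passwd` and the restricted shell `/usr/local/bin/stconsole` come from the page; the admin entry's UID/GID of 1001, the password-hash placeholder, the GECOS field and the home directory are assumptions, since the write-up does not give them.

```python
import io
import tarfile

# Constructed sample content for var/tmp/admin.passwd. The UID/GID value
# (1001), the hash placeholder, GECOS and home directory are assumptions;
# only the username, the restricted shell path and the passwd(5) layout
# come from the advisory.
ADMIN_PASSWD_ORIGINAL = (
    "admin:$6$constructed$hashplaceholder:1001:1001:"
    "SpamTitan admin:/home/admin:/usr/local/bin/stconsole\n"
)

MEMBER = "var/tmp/admin.passwd"  # path of the file inside the backup archive
EXPECTED = {"uid": "1001", "gid": "1001", "shell": "/usr/local/bin/stconsole"}
FIELDS = ("pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd(5)-format text into {username: {field: value}}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries[parts[0]] = dict(zip(FIELDS, parts[1:]))
    return entries


def format_passwd(entries):
    """Inverse of parse_passwd: serialise entries back to passwd(5) text."""
    return "".join(
        ":".join([name] + [e[f] for f in FIELDS]) + "\n"
        for name, e in entries.items()
    )


def make_backup(passwd_text):
    """Build an in-memory .tar.bz2 backup that contains admin.passwd."""
    data = passwd_text.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        info = tarfile.TarInfo(MEMBER)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_admin_passwd(archive_bytes):
    """Return the decoded admin.passwd member of a .tar.bz2 backup."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:bz2") as tar:
        return tar.extractfile(MEMBER).read().decode()


def tamper_backup(archive_bytes, user="admin", uid="0", shell="/bin/sh"):
    """Attacker side (reproduction steps 3 to 5): unpack, set the admin
    entry's UID and login shell, and repack as .tar.bz2."""
    entries = parse_passwd(read_admin_passwd(archive_bytes))
    entries[user]["uid"] = uid
    entries[user]["shell"] = shell
    return make_backup(format_passwd(entries))


def validate_import(archive_bytes, user="admin"):
    """Defender side: the check Import Backup does not perform. Compare the
    security-relevant fields of the admin entry with their expected values
    and return a list of violations; an empty list means the archive may be
    applied."""
    try:
        entries = parse_passwd(read_admin_passwd(archive_bytes))
    except (KeyError, ValueError, OSError, tarfile.TarError) as exc:
        return ["unreadable %s: %s" % (MEMBER, exc)]
    entry = entries.get(user)
    if entry is None:
        return ["entry for %s missing" % user]
    problems = []
    for field in ("uid", "gid", "shell"):
        if entry[field] != EXPECTED[field]:
            problems.append("%s %s changed: %r -> %r"
                            % (user, field, EXPECTED[field], entry[field]))
    return problems


if __name__ == "__main__":
    original = make_backup(ADMIN_PASSWD_ORIGINAL)
    print("clean backup:", validate_import(original) or "accepted")
    forged = tamper_backup(original)
    print("forged entry:", read_admin_passwd(forged).strip())
    print("forged backup:", validate_import(forged))
```

`validate_import` pins the admin entry's UID, GID and shell to known-good values rather than merely rejecting UID 0, so a restore that changes the shell to any other interactive binary is refused as well; an unreadable or malformed `admin.passwd` is also refused instead of being applied.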
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://sensepost.com/blog/2020/clash-of-the-spamtitan/
- https://twitter.com/felmoltor
- https://www.titanhq.com
News mentions
No linked articles in our index yet.