GFI MailEssentials Local Privilege Escalation Vulnerability

Vulnerability

A local privilege escalation vulnerability has been identified in GFI MailEssentials versions prior to 21.8. This issue allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by sending a crafted serialized payload to a .NET Remoting service. The vulnerability arises from the service's use of 'BinaryFormatter' to deserialize untrusted input, which can be exploited to execute arbitrary code with elevated privileges.
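The root cause named above is a general pattern rather than anything specific to this product: a .NET service that hands untrusted bytes to 'BinaryFormatter' will instantiate whatever types the stream names, and gadget chains turn that into code execution. The following C# is an added example, not code from GFI MailEssentials or from the advisory; the 'CertificateRequest' type, the 'Deserializers' class and the method names are assumptions constructed to show the vulnerable shape next to a hardened one.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed example message type (assumption): the single type the
// service legitimately expects to receive over the wire.
[Serializable]
public sealed class CertificateRequest
{
    public string NodeName;
    public byte[] CertificateBytes;
}

public static class Deserializers
{
    // Vulnerable pattern: no type restriction. BinaryFormatter resolves and
    // constructs any type named in the payload, which is exactly what a
    // deserialization gadget chain relies on.
    public static object VulnerableDeserialize(byte[] payload)
    {
        var formatter = new BinaryFormatter();
        using (var stream = new MemoryStream(payload))
        {
            return formatter.Deserialize(stream);
        }
    }

    // Allow-list binder: the only type that may be resolved from the stream
    // is CertificateRequest. Any other type name aborts deserialization
    // before an instance is created.
    private sealed class AllowListBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(CertificateRequest).FullName)
                return typeof(CertificateRequest);
            throw new SerializationException(
                $"Rejected unexpected type '{typeName}' from assembly '{assemblyName}'");
        }
    }

    // Hardened variant: same formatter, but with the binder attached and the
    // result cast to the one expected type.
    public static CertificateRequest HardenedDeserialize(byte[] payload)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var stream = new MemoryStream(payload))
        {
            return (CertificateRequest)formatter.Deserialize(stream);
        }
    }
}
```

The binder is a stopgap that limits the blast radius of an existing 'BinaryFormatter' endpoint; Microsoft's guidance is that it is not a complete mitigation, and the durable fix is to move the endpoint to a serializer that carries no type information (a fixed DTO with 'System.Text.Json' or 'DataContractSerializer' with known types). On .NET 5 and later 'BinaryFormatter' is marked obsolete (SYSLIB0011) for this reason; .NET Remoting, as used by the affected service, is specific to the .NET Framework.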

Impact

Exploitation of this vulnerability leads to unauthorized privilege escalation, allowing a local user to gain SYSTEM-level access.

Reproduction

The vulnerability can be reproduced by creating a malicious serialized object using 'ysoserial.NET', which exploits the 'BinaryFormatter' deserialization. This object must be sent to the 'InstallClientCertificate' method of the 'MultiNodeConfigurationService' via a SOAP request. The 'PhishingKeywords' user control can be used to upload the serialized object, bypassing normal authentication checks.

Remediation

Users are advised to upgrade to GFI MailEssentials version 21.8 or later, where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.