[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Squirrelmail Chpasswod bof
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Squirrelmail Chpasswod bof
- From: Peter Geissler <blasty@xxxxxxxx>
- Date: 19 Apr 2004 09:16:45 -0000
In-Reply-To: <200404170420.32857.matias@xxxxxxxxxxxx>
Hi,
Did u drink to much when writing this `advisory'? No seriously, you even made a
typo in the title of your thread!
did you inform the people at Squirrelmail about this? I located the exact vuln
in chpasspwd.c:
----
char User[STR_MAX];
char New_pw[50];
char Old_pw[50];
..
sprintf(User,"%s",argv[1]);
sprintf(Old_pw,"%s",argv[2]);
sprintf(New_pw,"%s",argv[3]);
---
STR_MAX has a value of 100. So as you probably already have seen there occurs a
stack based overflow when user, old_pw or new_pw is filled with to much bytes
(which come from argv[], commandline). In your `exploitation example' you used
local rights to exploits this. However, I think it's also possible to exploit
without shell access, using the squirrelmail webinterface itself. I'm at work
right now, but when I'm home I'll be looking into creating a PoC exploit for
this one.
Best regards,
Peter "blasty" Geissler
P.S. The version of the chpasswd plugin found on the squirrelmail/SF page is
still vulnerable to this bug, so I doubt you informed the people at
squirrelmail..
>Received: (qmail 32672 invoked from network); 17 Apr 2004 18:56:45 -0000
>Received: from outgoing2.securityfocus.com (HELO outgoing.securityfocus.com)
>(205.206.231.26)
> by mail.securityfocus.com with SMTP; 17 Apr 2004 18:56:45 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com
>[205.206.231.20])
> by outgoing.securityfocus.com (Postfix) with QMQP
> id 5F4D9145D46; Sat, 17 Apr 2004 20:47:01 -0600 (MDT)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 9581 invoked from network); 17 Apr 2004 01:13:14 -0000
>From: Matias Neiff <matias@xxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Squirrelmail Chpasswod bof
>Date: Sat, 17 Apr 2004 04:20:26 -0300
>User-Agent: KMail/1.5.4
>Organization: Pulso
>MIME-Version: 1.0
>Content-Type: Text/Plain;
> charset="us-ascii"
>Content-Transfer-Encoding: quoted-printable
>Content-Description: clearsigned data
>Content-Disposition: inline
>Message-Id: <200404170420.32857.matias@xxxxxxxxxxxx>
>
>Hi all
>
>There is a boffer over flow in the chpasswd binary, distributed with the=20
>plugin. This allow to local's user to execute commands as a root.
>=2D--:::Prott:::---
>root@orco:/mnt/hosting/hack/bof# su webmaster
>webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
>Using address: 0xbfffe325
>bash-2.05b$ ./chpasswd $RET asdf asdf
>The new password is equal to old password. Choose another password.
>sh-2.05b# id
>uid=3D0(root) gid=3D3(sys) groups=3D500(webmaster)
>sh-2.05b#
>=2D--:::end:::---
>
>Bye all
>
>