Re: SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692)

[Dimitrios Glynos <dimitris () census-labs com>]

On 25/04/2017 11:56 μμ, Stuart Gathman wrote:
> On 04/24/2017 05:14 PM, Dawid Golunski wrote:
> > SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692)
> >
> > Desc.:
> > SquirrelMail is affected by a critical Remote Code Execution vulnerability
> > which stems from insufficient escaping of user-supplied data when
> > SquirrelMail has been configured with Sendmail as the main transport.
> > An authenticated attacker may be able to exploit the vulnerability
> > to execute arbitrary commands on the target and compromise the remote
> > system.
> We deploy squirrelmail NOT using sendmail for sending mail ($useSendmail
> = false).  There is no reason not to use SMTP instead of running
> sendmail directly.  It doesn't seem to be vulnerable that way - and I
> suggest that as a mitigation.  Just to be sure, after reading this
> advisory I added  $sendmail_path  = '/usr/sbin/false'; (We always avoid
> direct command execution with PHP because PHP is prone to quoting bugs.) 
>
> OT: is there already a utility that *safely* logs arguments and stdin
> (as was apparently used to explain the exploit)?  I could write a C
> prog, or a carefully quoted bash script - but would rather use an
> already proven utility.

For execve logging (just arguments) see 'snoopy'. It catches exec
calls using LDPRELOAD, so it misses them only if the calls are
made from a static binary (which I don't believe php or sendmail
are).

HTH,

Dimitris