SecurityTracker.com
Category:   Application (E-mail Server)  >   SquirrelMail
Vendors:   SquirrelMail Development Team
SquirrelMail 'chpasswd' Buffer Overflow Yields Root Privileges to Local Users
SecurityTracker Alert ID:  1009860
SecurityTracker URL:  http://securitytracker.com/id/1009860
CVE Reference:   CVE-2004-0524
Updated:  Jun 8 2004
Original Entry Date:  Apr 19 2004
Impact:   Execution of arbitrary code via local system, Root access via local system


Description:   A vulnerability was reported in the SquirrelMail change_password plugin. A local user can execute arbitrary commands with elevated privileges.

Matias Neiff reported that the 'chpasswd' binary is configured with set user id (setuid) root user privileges and contains a buffer overflow. A local user can execute commands with root privileges, the report said.

A demonstration exploit transcript using an undisclosed exploit is provided in the Source Message.

Impact:   A local user can execute commands with root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.squirrelmail.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 28 2004 (Vendor Issues Fix) SquirrelMail 'chpasswd' Buffer Overflow Yields Root Privileges to Local Users
The vendor has issued a fix.
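
Added example, not code from the SquirrelMail plugin or from the original report: the advisory attributes the flaw to a boundary error in a setuid root binary, so this C program shows length-checked handling of command-line arguments that such a helper needs before it does any privileged work. The buffer sizes, the names and the argument order (user, old password, new password) are assumptions; the chpasswd source is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limits; chpasswd's real buffer sizes are not on this page. */
#define USER_MAX 32
#define PASS_MAX 128

struct pw_request {
    char user[USER_MAX + 1];
    char old_pw[PASS_MAX + 1];
    char new_pw[PASS_MAX + 1];
};

/* Copy src into dst only if it fits with its NUL; -1 if NULL, empty or too
 * long. Overlong input is rejected, not truncated to a different value. */
static int copy_arg(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    if (src == NULL || dst_size == 0)
        return -1;
    end = memchr(src, '\0', dst_size);  /* scans at most dst_size bytes */
    if (end == NULL || end == src)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Validate argv before any privileged work. Assumed order: user, old, new. */
int parse_request(int argc, char **argv, struct pw_request *req)
{
    if (argc != 4 || argv == NULL || req == NULL)
        return -1;
    memset(req, 0, sizeof(*req));
    if (copy_arg(req->user, sizeof(req->user), argv[1]) != 0 ||
        copy_arg(req->old_pw, sizeof(req->old_pw), argv[2]) != 0 ||
        copy_arg(req->new_pw, sizeof(req->new_pw), argv[3]) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct pw_request req;
    if (parse_request(argc, argv, &req) != 0) {
        fputs("usage: chpasswd-example user old_pw new_pw\n", stderr);
        return 1;
    }
    printf("accepted request for %s\n", req.user);
    return 0;
}
```

Rejecting an argument that does not fit, instead of copying as much as the buffer holds, keeps both the stack and the meaning of the input intact.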



 Source Message Contents

Subject:  Squirrelmail chpasswd bof


Hi all

There is a buffer overflow in the chpasswd binary, distributed with the
plugin. This allows a local user to execute commands as root.
---:::Prott:::---
root@orco:/mnt/hosting/hack/bof# su webmaster
webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
Using address: 0xbfffe325
bash-2.05b$ ./chpasswd $RET asdf asdf
The new password is equal to old password. Choose another password.
sh-2.05b# id
uid=0(root) gid=3(sys) groups=500(webmaster)
sh-2.05b#
---:::end:::---

Bye all

 
 

