SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   SquirrelMail Vendors:   SquirrelMail Development Team
(Vendor Issues Fix) SquirrelMail 'chpasswd' Buffer Overflow Yields Root Privileges to Local Users
SecurityTracker Alert ID:  1009965
SecurityTracker URL:  http://securitytracker.com/id/1009965
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 28 2004
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to plugin version 4.0
Description:   A vulnerability was reported in the SquirrelMail change_password plugin. A local user can execute arbitrary commands with elevated privileges.

Matias Neiff reported that the 'chpasswd' binary is configured with set user id (setuid) root user privileges and contains a buffer overflow. A local user can execute commands with root privileges, the report said.

A demonstration exploit transcript using an undisclosed exploit is provided in the Source Message.

Impact:   A local user can execute commands with root privileges.
Solution:   A fixed version (version 4.0 of the plugin) is available at:

http://www.squirrelmail.org/plugin_view.php?id=117

Vendor URL:  www.squirrelmail.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 19 2004 SquirrelMail 'chpasswd' Buffer Overflow Yields Root Privileges to Local Users



 Source Message Contents

Subject:  Re: Squirrelmail Chpasswod bof


All,

   Replying to this thread using the web interface didn't seem to work 
at all, so...  Please excuse me effectively starting the thread over, 
but wanted to make sure a follow-up got posted to the list.  See:

http://www.securityfocus.com/archive/1/360547/2004-04-14/2004-04-20/2

 > Hi all
 >
 > There is a boffer over flow in the chpasswd binary, distributed with
 > the plugin. This allow to local's user to execute commands as a root.

   This problem (and several others that were really needing to be 
fixed) has been resolved and a new version of this plugin is available 
at the link below.  Obviously, it is highly recommended that anyone 
using this plugin upgrade immediately.

http://www.squirrelmail.org/plugin_view.php?id=117

   Matias, next time please contact the plugin authors, any of the 
SquirrelMail mailing lists, SquirrelMail IRC, or other SquirrelMail 
developers before posting.

Thanks,

   Paul


 > ---:::Prott:::---
 > root@orco:/mnt/hosting/hack/bof# su webmaster
 > webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
 > Using address: 0xbfffe325
 > bash-2.05b$ ./chpasswd $RET asdf asdf
 > The new password is equal to old password. Choose another password.
 > sh-2.05b# id
 > uid=0(root) gid=3(sys) groups=500(webmaster)
 > sh-2.05b#
 > ---:::end:::---
 >
 > Bye all

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC