From: mudge at uidzero.org (mudge)
Subject: Bugtraq Security Systems XMAS Advisory 0001

I have to admit that I'm confused. To the best of my knowledge I was 
never contacted with regards to anything relating to SquirrelMail, nor do 
I have any affiliation or association with the SquirrelMail team or 
their product. Perhaps this is something OSX related? If that's so you 
might want to do a rockin' advisory around this.

The reference to black v white hat also has me perplexed as it seems to 
be in part directed towards myself. Not following the relevance to the 
advisory being put aside, I always preferred the term grey-hat for 
similar reasons to those you mention. Who has ever lived in a black and 
white world?

If I'm missing something (quite possible) in regards to an issue I am 
in a situation to help improve please drop me a note.

cheers,

.mudge

PS - thanks for the 'rock-star' label... but if that's the case my 
question is: "where are all the beautiful groupies?"

On Dec 24, 2003, at 2:52 PM, Bugtraq Security Systems wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>                   Bugtraq Security Systems, Incorporated
>                              www.bugtraq.org
>
>                            Security Advisory
>
> Advisory Name: Command Injection Issue in Squirrelmail
>  Release Date: 12/24/2003
>   Application: Squirrelmail
>      Platform: Linux (IA32)
>                Linux (sparc)
>                Linux (sparc64)
>                Linux (hppa)
>                Linux (ppc)
>                Linux (xbox)
>                Linux (IA64)
>                SUN Solaris (IA32)
>                SUN Solaris (sparc)
>                SUN Solaris (sparc64)
>                OpenBSD (386)
>                FreeBSD (386)
>                SCO OpenServer (All versions)
>                HPUX (hppa)
>                HPUX (IA64)
>                QNX
>                Compaq Tru64
>                Microsoft Windows NT (Alpha)
>                Microsoft Windows NT (IA32)
>      Severity: Flaw in input validation allows execution
>                of arbitrary commands as the Apache user.
>        Author: The Bugtraq Team, Collectively  [bugtraq@...traq.org]
> Vendor Status: Patches pending.
> CVE Candidate: CAN-2003-0990 - Squirrelmail input validation flaw
>     Reference: www.bugtraq.org/advisories/bssadv0002.txt
>
>
> Overview:
>           .-.  MERRY X-MAS                      .~~~.
>   .;;;;. ( ^_> /           whitehat.  (\__/)  .'     )
>  <;<;  \;>\ !                       \ /o o  \/     .~
> <;<;   '-.>) \                       {o_,    \    {
> <;<; <'=.    |                         / ,  , )    \
>  <;<; '-     /                         `~  '-' \    }
>    <;,\.\--'`                         _(    (   )_.'
>       `==`==                         '---..{____}
>
>
> SquirrelMail is a standards-based webmail package written in PHP4. It
> includes built-in pure PHP support for the IMAP and SMTP protocols,
> and all pages render in pure HTML 4.0 (with no JavaScript required)
> for maximum compatibility across browsers. It has very few
> requirements and is very easy to configure and install. SquirrelMail
> has all the functionality you would want from an email client,
> including strong MIME support, address books, and folder manipulation.
>
> It should also be noted that the internet security rock-star Mudge,
> along with several other famed w00w00 members, uses Squirrelmail. We
> at Bugtraq Security Systems would expect more proactive auditing of
> basic infrastructure used by famed black-hat[1] hackers such as Mudge,
> or Weld Pond a.k.a. "Chris Wysopal".
>
> Once the vulnerability has been exploited, access to the affected
> machine as the Apache user is gained. This allows an attacker to
> co-opt the web site, and the Squirrelmail instance. For example, it is
> easy to sniff e-mail and obtain usernames and passwords for
> Squirrelmail users, which are identical to their login usernames and
> passwords, in most cases.
>
>
> [1] Out of curiosity, if you break the law, for example, by speeding
> in your car, or by taking illegal drugs, but have not yet been caught
> at actually hacking into a computer, do you consider yourself to be a
> black-hat or a white-hat?  Does the color of your hat apply just to
> your behavior at a keyboard, or does your behavior in real life also
> relate? At what point do you lose your ability to label others as
> responsible or not? We at Bugtraq Security Systems find these
> rhetorical questions funny. We also find it gut-bustingly hilarious
> when drug addicts become volcanoes of hypocrisy, spouting off at every
> new "blackhat" antic that comes to light. You don't see "Blackhats
> Against Crystal Meth" lobbying congress, do you?
>
>
> Details:
>
> The pictures located at http://www.bugtraq.org/images/demo1.png and
> http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
> Security Systems software analysis platform. This product, BSS Data
> Tracer, allows a software security analysis team to perform automated
> checks against many common types of vulnerabilities in both binary and
> source code targets.
>
> As the screen shots referenced above show, this product can save
> thousands of hours of testing and analysis, providing a significant
> return on investment for software development groups. It uses
> "tainting" technology which applies data-flow analysis rules to
> variables within the program. If a "tainted" variable reaches a
> vulnerable API call, such as exec, system, or strcpy, then that place
> is marked. A report is then generated for the perusal of security
> staff. It should be noted that Bugtraq Security Systems Data Tracer is
> a "static analysis" tool, and does not require the program to be
> installed or run.
>
> Bugtraq Security Systems has run the beta version of Data Tracer
> against many WebMail systems. Most have vulnerabilities similar to the
> one recorded in the images above. This particular example is within
> the GPG subsystem of Squirrelmail, often installed by security
> "experts" who in actuality have the information security knowledge of
> cat food.
>
> Adding a ";command;" to the To: line of a newly created e-mail and
> then clicking "encrypt now" will execute the command as the Apache
> user on recent versions of Squirrelmail, including the current CVS
> version. Example:
>
> To: ;echo "YO, dudes. Static analysis ain't rocket science." >> /tmp/message;
> <click encrypt now to execute!>
>
>
>
>
> Vendor Response:
>
> Bugtraq Security have attempted to contact the vendor multiple times
> since the discovery of these vulnerabilities without success. In
> addition, after contacting Weld Pond and Pieter Mudge Zatko directly
> via #w00w00 about their vulnerability to this issue, we were rebuffed
> for not taking Microsoft-approved measures and first releasing a
> press-release regarding our discoveries so we could profit from them,
> l0pht-style, and worm our way into Congressional meetings on unrelated
> topics where we could brag unnecessarily about our ability to shut
> down the Internet, when in fact, we[2] often have problems shutting
> down our Windows 2003 partition on our laptops due to the many kernel
> trojans competing for time on them.
>
>
> [2] Weld and Mudge, obviously. Bugtraq Security Systems uses only
> QNX. We're realtime like that.
>
> ThreatCon:
>
> The release of this information and the potential for worms based on
> proof-of-concept exploits increases the Global ThreatCon Level to an
> index of 8/13 (more dangerous than normal).  We hope that
> Squirrelmail and #w00w00 members Mudge, Weld Pond and Jonathan Wilkins
> will address these issues in important global internet security
> infrastructure as soon as possible. Remember, it's not responsible
> disclosure to paste their passwords and mail spools into random efnet
> channels.  Bugtraq Security Systems also does not approve of replacing
> tarballs on random open-source code repositories with your findings.
>
> If you have any questions regarding the Global ThreatCon, please visit
> 	http://www.bugtraq.org/threatcon.html
>
>
>
> Recommendation:
>
> Disable the GPG plugin to Squirrelmail until a patch can be provided.
>
>
> Bugtraq Data Tracer:
>
> Requests to get on the early beta release list for BSS Data Tracer can
> be sent to bugtraq@...traq.org. Please include a name, contact email,
> phone number, address, and the hours in which you can be reached. A
> sales executive will contact you shortly.
>
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues.  These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> 	CAN-2003-0990 - Squirrelmail input validation flaw
>
>
> Bugtraq Security Systems Vulnerability Reporting Policy:
> 	http://www.bugtraq.org/research/policy/
>
> Bugtraq Security Systems Advisory Archive:
> 	http://www.bugtraq.org/advisories.html
>
> Bugtraq Security Systems PGP Key:
> 	http://www.bugtraq.org/pgp_key.asc
>
>
> Bugtraq Security Systems is currently seeking application security
> experts to fill several consulting positions.  Applicants should have
> strong application development skills and be able to perform
> application security design reviews, code reviews, and application
> penetration testing.  Please send resumes to jobs@...traq.org
>
> Copyright 2003 Bugtraq Security Systems. All rights reserved.
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE/6evTd3IqHnpF3voRAtihAJ4kghGpu1jpsje9uSEA9Rr+mG7RnQCfZesd
> eYvxW+uzHDF7MP5GKO1b3RI=
> =wEzP
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
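The ";command;" recipient from the quoted advisory, next to the two standard fixes, as an added example that is not SquirrelMail's or the GPG plugin's code. The vulnerable shape is reconstructed in Python rather than PHP and is an assumption: a recipient pasted into a shell command string (the gpg option names are assumed too). `build_command_quoted` applies the equivalent of PHP's escapeshellarg, and `build_argv_hardened` drops the shell and allow-lists the value. `shell_commands` tokenises a command line the way a POSIX shell would, so the injected second command is visible without executing anything.

```python
"""Command injection through a recipient field, and two ways to close it.

Added illustration, not SquirrelMail or GPG-plugin code.  The command
template, gpg option names and the regex are assumptions for the example.
"""
import re
import shlex

# The To: value from the advisory's example, embedded here as constructed input.
INJECTED_TO = ';echo "YO, dudes. Static analysis ain\'t rocket science." >> /tmp/message;'
CLEAN_TO = "alice@example.org"  # constructed, well-formed recipient


def build_command_unsafe(to):
    """Vulnerable pattern: untrusted text concatenated into a shell command."""
    return "gpg --batch --armor --encrypt -r " + to


def build_command_quoted(to):
    """Partial fix: quote the value so the shell sees exactly one word
    (what escapeshellarg() does in PHP).  Still a shell, still a last resort."""
    return "gpg --batch --armor --encrypt -r " + shlex.quote(to)


# Allow-list for the value.  The first character excludes '-' so the recipient
# can never be read by gpg as an option: argument injection is a separate hole
# from shell injection and survives the switch to an argv list.
RECIPIENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_argv_hardened(to):
    """Preferred fix: validate, then build an argv list for subprocess.run()
    with shell=False, so the strings reach execve() without a shell parsing them."""
    if not RECIPIENT_RE.fullmatch(to):
        raise ValueError("recipient is not a plain e-mail address: %r" % to)
    return ["gpg", "--batch", "--armor", "--encrypt", "--recipient", to]


def shell_commands(cmd):
    """Split cmd into the simple commands a POSIX shell would run.

    shlex with punctuation_chars=True honours quotes and returns ';' and '>>'
    as their own tokens; the list is then split on ';'.  Python 3.8+.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for label, cmd in (("unsafe", build_command_unsafe(INJECTED_TO)),
                       ("quoted", build_command_quoted(INJECTED_TO))):
        print(label, "->", shell_commands(cmd))
    print("argv   ->", build_argv_hardened(CLEAN_TO))
```

Run stand-alone, the unsafe line tokenises into two commands, the second being the attacker's `echo ... >> /tmp/message`; the quoted line yields one command whose last word is the whole injected string, and the hardened builder refuses it outright.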

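A toy version of the taint analysis the quoted advisory describes (tainted variable reaches exec/system, mark the place), added here as an example; it is not the advisory's "Data Tracer", which the page does not show. It walks the Python AST of one module: every function parameter is an untrusted source, taint propagates through assignments, `shlex.quote` is treated as a sanitizer, and a tainted value reaching `os.system` or a subprocess call with `shell=True` is a finding. The three-function target program, and the sanitizer and sink lists, are constructed for the example.

```python
"""Minimal intraprocedural taint analysis over a Python AST.

Added illustration of the technique the advisory describes; not any real
tool's code.  Sources, sanitizers and sinks are assumptions for the example.
"""
import ast

SANITIZERS = {"shlex.quote", "escapeshellarg"}
SHELL_SINKS = {"os.system", "os.popen"}
# subprocess APIs are a shell sink only when called with shell=True
SUBPROCESS_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_output"}

# Constructed target program: three ways to "encrypt to this recipient".
SAMPLE_SOURCE = '''
import os, shlex, subprocess

def encrypt_unsafe(to, path):
    cmd = "gpg --armor --encrypt -r " + to + " " + path
    os.system(cmd)                        # tainted string parsed by a shell

def encrypt_quoted(to, path):
    cmd = "gpg --armor --encrypt -r %s %s" % (shlex.quote(to), shlex.quote(path))
    subprocess.run(cmd, shell=True)       # sanitized before the shell sees it

def encrypt_argv(to, path):
    subprocess.run(["gpg", "--armor", "--encrypt", "-r", to, "--", path])  # no shell
'''


def dotted_name(node):
    """'os.system' for a Name/Attribute chain, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return base + "." + node.attr if base else None
    return None


def is_tainted(expr, tainted):
    """Does expr read a tainted variable anywhere outside a sanitizer call?"""
    if isinstance(expr, ast.Call) and dotted_name(expr.func) in SANITIZERS:
        return False  # a sanitizer's result is considered clean
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def shell_sink(call):
    """Name of the sink if this Call hands a string to a shell, else None."""
    name = dotted_name(call.func)
    if name in SHELL_SINKS:
        return name
    if name in SUBPROCESS_SINKS:
        for kw in call.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                return name
    return None


def analyze_function(fn):
    """Straight-line only: no branches, loops or callee bodies are followed."""
    tainted = {a.arg for a in fn.args.args}  # every parameter is untrusted
    findings = []
    for stmt in fn.body:
        if isinstance(stmt, ast.Assign):
            names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            if is_tainted(stmt.value, tainted):
                tainted |= names
            else:
                tainted -= names  # overwritten with a clean value
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call):
                sink = shell_sink(node)
                if sink and any(is_tainted(a, tainted) for a in node.args):
                    findings.append((fn.name, sink, node.lineno))
    return findings


def analyze(source):
    """Return (function, sink, line) for every tainted value reaching a shell sink."""
    tree = ast.parse(source)
    findings = []
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            findings.extend(analyze_function(node))
    return findings


if __name__ == "__main__":
    for fn, sink, line in analyze(SAMPLE_SOURCE):
        print("%s: tainted value reaches %s at line %d" % (fn, sink, line))
```

Only `encrypt_unsafe` is reported: the quoted version is cleared by the sanitizer rule, and the argv version never meets a shell sink because `subprocess.run` without `shell=True` is not one. That second point is the same distinction a real tool has to make, or every argv list carrying user data becomes a false positive.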