lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <A016DA88-365F-11D8-BD67-000393A48C4A@uidzero.org>
From: mudge at uidzero.org (mudge)
Subject: Bugtraq Security Systems XMAS Advisory 0001

I have to admit that I'm confused. To the best of my knowledge I was 
never contacted with regards to anything relating squirrel mail, nor do 
I have any affiliation or association with the squirrelmail team or 
their product. Perhaps this is something OSX related? If that's so you 
might want to do a rockin' advisory around this.

The reference to black v white hat also has me perplexed as it seems to 
be in part directed towards myself. Not following the relevance to the 
advisory being put aside, I always preferred the term grey-hat for 
similar reasons to those you mention. Who has ever lived in a black and 
white world?

If I'm missing something (quite possible) in regards to an issue I am 
in a situation to help improve please drop me a note.

cheers,

.mudge

PS - thanks for the 'rock-star' label... but if that's the case my 
question is: "where are all the beautiful groupies?"

On Dec 24, 2003, at 2:52 PM, Bugtraq Security Systems wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> 	        Bugtraq Security Systems, Incorporated
>  			    www.bugtraq.org
>
>                            Security Advisory
>
> Advisory Name: Command Injection Issue in Squirrelmail
>  Release Date: 12/24/2003
>   Application: Squirrelmail
>      Platform: Linux (IA32)
>                Linux (sparc)
> 	       Linux (sparc64)
> 	       Linux (hppa)
> 	       Linux (ppc)
> 	       Linux (xbox)
> 	       Linux (IA64)
> 	       SUN Solaris (IA32)
> 	       SUN Solaris (sparc)
> 	       SUN Solaris (sparc64)
> 	       OpenBSD (386)
> 	       FreeBSD (386)
> 	       SCO OpenServer (All versions)
>                HPUX (hppa)
> 	       HPUX (IA64)
> 	       QNX
>                Compaq True64
> 	       Microsoft Windows NT (Alpha)
> 	       Microsoft Windows NT (IA32)
>      Severity: Flaw in input validation allows execution
>                of arbitrary commands as the Apache user.
>        Author: The Bugtraq Team, Collectively  [bugtraq@...traq.org]
> Vendor Status: Patches pending.
> CVE Candidate: CAN-2003-0990 - Squirrelmail input validation flaw
>     Reference: www.bugtraq.org/advisories/bssadv0002.txt
>
>
> Overview:
>           .-.  MERRY X-MAS                      .~~~.
>   .;;;;. ( ^_> /           whitehat.  (\__/)  .'     )
>  <;<;  \;>\ !                       \ /o o  \/     .~
> <;<;   '-.>) \                       {o_,    \    {
> <;<; <'=.    |                         / ,  , )    \
>  <;<; '-     /                         `~  '-' \    }
>    <;,\.\--'`                         _(    (   )_.'
>       `==`==                         '---..{____}
>
>
> SquirrelMail is a standards-based webmail package written in PHP4. It
> includes built-in pure PHP support for the IMAP and SMTP protocols,
> and all pages render in pure HTML 4.0 (with no JavaScript required)
> for maximum compatibility across browsers. It has very few
> requirements and is very easy to configure and install. SquirrelMail
> has all the functionality you would want from an email client,
> including strong MIME support, address books, and folder manipulation.
>
> It should also be noted that the internet security rock-star Mudge,
> along with several other famed w00w00 members, uses Squirrelmail. We
> at Bugtraq Security Systems would expect more proactive auditing of
> basic infrastructure used by famed black-hat[1] hackers such as Mudge,
> or Weld Pond a.k.a. "Chris Wysopal".
>
> Once the vulnerability has been exploited, access to the affected
> machine as the Apache user is gained. This allows an attacker to
> co-opt the web site, and the Squirrelmail instance. For example, it is
> easy to sniff e-mail and obtain usernames and passwords for
> Squirrelmail users, which are identical to their login usernames and
> passwords, in most cases.
>
>
> [1] Out of curiosity, if you break the law, for example, by speeding
> in your car, or by taking illegal drugs, but have not yet been caught
> at actually hacking into a computer, do you consider yourself to be a
> black-hat or a white-hat?  Does the color of your hat apply just to
> your behavior at a keyboard, or does your behavior in real life also
> relate? At what point do you lose your ability to label others as
> responsible or not? We at Bugtraq Security Systems find these
> rhetorical questions funny. We also find it gut-bustingly hilarious
> when drug addicts become volcanos of hypocrisy, spouting off at every
> new "blackhat" antic that comes to light. You don't see "Blackhats
> Against Crystal Meth" lobbying congress, do you?
>
>
> Details:
>
> The pictures located at http://www.bugtraq.org/images/demo1.png and
> http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
> Security Systems software analysis platform. This product, BSS Data
> Tracer, allows a software security analysis team to perform automated
> checks against many common types of vulnerabilities in both binary and
> source code targets.
>
> As the screen shots referenced above show, this product can save
> thousands of hours of testing and analysis, providing a significant
> return on investment for software development groups. It uses
> "tainting" technology which applies data-flow analysis rules to
> variables within the program. If a "tainted" variable reaches a
> vulnerable API call, such as exec, system, or strcpy, then that place
> is marked. A report is then generated for the perusal of security
> staff. It should be noted that Bugtraq Security Systems Data Tracer is
> a "static analysis" tool, and does not require the program to be
> installed or run.
>
> Bugtraq Security Systems has run the beta version of Data Tracer
> against many WebMail systems. Most have vulnerabilities similar to the
> one recorded in the images above. This particular example is within
> the GPG subsystem of Squirrelmail, often installed by security
> "experts" who in actuality have the information security knowledge of
> cat food.
>
> Adding a ";command;" to the To: line of a newly created e-mail and
> then clicking "encrypt now" will execute the command as the Apache
> user on recent versions of Squirrelmail, including the current CVS
> version. Example:
>
> To: ;echo "YO, dudes. Static analysis ain't rocket science." >> 
> /tmp/message;
> <click encrypt now to execute!>
>
>
>
>
> Vendor Response:
>
> Bugtraq Security have attempted to contact the vendor multiple times
> since the discovery of these vulnerabilities without success. In
> addition, after contacting Weld Pond and Pieter Mudge Zatko directly
> via #w00w00 about their vulnerability to this issue, we were rebuffed
> for not taking Microsoft-approved measures and first releasing a
> press-release regarding our discoveries so we could profit from them,
> l0pht-style, and worm our way into Congressional meetings on unrelated
> topics where we could brag unnecessarally about our ability to shut
> down the Internet, when in fact, we[2] often have problems shutting
> down our Windows 2003 partition on our laptops due to the many kernel
> trojans competing for time on them.
>
>
> [2] Weld and Mudge, obviously. Bugtraq Security Systems uses only
> QNX. We're realtime like that.
>
> ThreatCon:
>
> The release of this information and the potential for worms based on
> proof-of-concept exploits increases the Global ThreatCon Level to an
> index of 8/13 (more dangerous than normal) level.  We hope that
> Squirrelmail and #w00w00 members Mudge, Weld Pond and Jonathan Wilkins
> will address these issues in important global internet security
> infrastructure as soon as possible. Remember, it's not responsible
> disclosure to paste their passwords and mail spools into random efnet
> channels.  Bugtraq Security Systems also does not approve of replacing
> tarballs on random open-source code repositories with your findings.
>
> If you have any questions regarding the Global ThreatCon, please visit
> 	http://www.bugtraq.org/threatcon.html
>
>
>
> Recommendation:
>
> Disable the GPG plugin to Squirrelmail until a patch can be provided.
>
>
> Bugtraq Data Tracer:
>
> Requests to get on the early beta release list for BSS Data Tracer can
> be sent to bugtraq@...traq.org. Please include a name, contact email,
> phone number, address, and the hours in which you can be reached. A
> sales executive will contact you shortly.
>
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues.  These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> 	CAN-2003-0990 - Squirrelmail input validation flaw
>
>
> Bugtraq Security Systems Vulnerability Reporting Policy:
> 	http://www.bugtraq.org/research/policy/
>
> Bugtraq Security Systems Advisory Archive:
> 	http://www.bugtraq.org/advisories.html
>
> Bugtraq Security Systems PGP Key:
> 	http://www.bugtraq.org/pgp_key.asc
>
>
> Bugtraq Security Systems is currently seeking application security
> experts to fill several consulting positions.  Applicants should have
> strong application development skills and be able to perform
> application security design reviews, code reviews, and application
> penetration testing.  Please send resumes to jobs@...traq.org
>
> Copyright 2003 Bugtraq Security Systems. All rights reserved.
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE/6evTd3IqHnpF3voRAtihAJ4kghGpu1jpsje9uSEA9Rr+mG7RnQCfZesd
> eYvxW+uzHDF7MP5GKO1b3RI=
> =wEzP
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ