lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: research at bugtraq.org (Bugtraq Security Systems)
Subject: Bugtraq Security Systems XMAS Advisory 0001

With interpretive art, the names are often just placeholders. Bugtraq
Security Systems requests that all the readers replace the names in this
advisory, including ours, with their own. Indeed, we exhort you to feel
that if you are not selling your integrity for stock options, not
pretending that each new bug found and fixed somehow makes the world a
better place, not sacrificing a sense of humor for a sense of importance,
that you are in fact, GOBBLES.

Yours Truly,
The Bugtraq Security Research Team


On Wed, 24 Dec 2003, mudge wrote:

>
> I have to admit that I'm confused. To the best of my knowledge I was
> never contacted with regards to anything relating squirrel mail, nor do
> I have any affiliation or association with the squirrelmail team or
> their product. Perhaps this is something OSX related? If that's so you
> might want to do a rockin' advisory around this.
>
> The reference to black v white hat also has me perplexed as it seems to
> be in part directed towards myself. Not following the relevance to the
> advisory being put aside, I always preferred the term grey-hat for
> similar reasons to those you mention. Who has ever lived in a black and
> white world?
>
> If I'm missing something (quite possible) in regards to an issue I am
> in a situation to help improve please drop me a note.
>
> cheers,
>
> .mudge
>
> PS - thanks for the 'rock-star' label... but if that's the case my
> question is: "where are all the beautiful groupies?"
>
> On Dec 24, 2003, at 2:52 PM, Bugtraq Security Systems wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > 	        Bugtraq Security Systems, Incorporated
> >  			    www.bugtraq.org
> >
> >                            Security Advisory
> >
> > Advisory Name: Command Injection Issue in Squirrelmail
> >  Release Date: 12/24/2003
> >   Application: Squirrelmail
> >      Platform: Linux (IA32)
> >                Linux (sparc)
> > 	       Linux (sparc64)
> > 	       Linux (hppa)
> > 	       Linux (ppc)
> > 	       Linux (xbox)
> > 	       Linux (IA64)
> > 	       SUN Solaris (IA32)
> > 	       SUN Solaris (sparc)
> > 	       SUN Solaris (sparc64)
> > 	       OpenBSD (386)
> > 	       FreeBSD (386)
> > 	       SCO OpenServer (All versions)
> >                HPUX (hppa)
> > 	       HPUX (IA64)
> > 	       QNX
> >                Compaq True64
> > 	       Microsoft Windows NT (Alpha)
> > 	       Microsoft Windows NT (IA32)
> >      Severity: Flaw in input validation allows execution
> >                of arbitrary commands as the Apache user.
> >        Author: The Bugtraq Team, Collectively  [bugtraq@...traq.org]
> > Vendor Status: Patches pending.
> > CVE Candidate: CAN-2003-0990 - Squirrelmail input validation flaw
> >     Reference: www.bugtraq.org/advisories/bssadv0002.txt
> >
> >
> > Overview:
> >           .-.  MERRY X-MAS                      .~~~.
> >   .;;;;. ( ^_> /           whitehat.  (\__/)  .'     )
> >  <;<;  \;>\ !                       \ /o o  \/     .~
> > <;<;   '-.>) \                       {o_,    \    {
> > <;<; <'=.    |                         / ,  , )    \
> >  <;<; '-     /                         `~  '-' \    }
> >    <;,\.\--'`                         _(    (   )_.'
> >       `==`==                         '---..{____}
> >
> >
> > SquirrelMail is a standards-based webmail package written in PHP4. It
> > includes built-in pure PHP support for the IMAP and SMTP protocols,
> > and all pages render in pure HTML 4.0 (with no JavaScript required)
> > for maximum compatibility across browsers. It has very few
> > requirements and is very easy to configure and install. SquirrelMail
> > has all the functionality you would want from an email client,
> > including strong MIME support, address books, and folder manipulation.
> >
> > It should also be noted that the internet security rock-star Mudge,
> > along with several other famed w00w00 members, uses Squirrelmail. We
> > at Bugtraq Security Systems would expect more proactive auditing of
> > basic infrastructure used by famed black-hat[1] hackers such as Mudge,
> > or Weld Pond a.k.a. "Chris Wysopal".
> >
> > Once the vulnerability has been exploited, access to the affected
> > machine as the Apache user is gained. This allows an attacker to
> > co-opt the web site, and the Squirrelmail instance. For example, it is
> > easy to sniff e-mail and obtain usernames and passwords for
> > Squirrelmail users, which are identical to their login usernames and
> > passwords, in most cases.
> >
> >
> > [1] Out of curiosity, if you break the law, for example, by speeding
> > in your car, or by taking illegal drugs, but have not yet been caught
> > at actually hacking into a computer, do you consider yourself to be a
> > black-hat or a white-hat?  Does the color of your hat apply just to
> > your behavior at a keyboard, or does your behavior in real life also
> > relate? At what point do you lose your ability to label others as
> > responsible or not? We at Bugtraq Security Systems find these
> > rhetorical questions funny. We also find it gut-bustingly hilarious
> > when drug addicts become volcanos of hypocrisy, spouting off at every
> > new "blackhat" antic that comes to light. You don't see "Blackhats
> > Against Crystal Meth" lobbying congress, do you?
> >
> >
> > Details:
> >
> > The pictures located at http://www.bugtraq.org/images/demo1.png and
> > http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
> > Security Systems software analysis platform. This product, BSS Data
> > Tracer, allows a software security analysis team to perform automated
> > checks against many common types of vulnerabilities in both binary and
> > source code targets.
> >
> > As the screen shots referenced above show, this product can save
> > thousands of hours of testing and analysis, providing a significant
> > return on investment for software development groups. It uses
> > "tainting" technology which applies data-flow analysis rules to
> > variables within the program. If a "tainted" variable reaches a
> > vulnerable API call, such as exec, system, or strcpy, then that place
> > is marked. A report is then generated for the perusal of security
> > staff. It should be noted that Bugtraq Security Systems Data Tracer is
> > a "static analysis" tool, and does not require the program to be
> > installed or run.
> >
> > Bugtraq Security Systems has run the beta version of Data Tracer
> > against many WebMail systems. Most have vulnerabilities similar to the
> > one recorded in the images above. This particular example is within
> > the GPG subsystem of Squirrelmail, often installed by security
> > "experts" who in actuality have the information security knowledge of
> > cat food.
> >
> > Adding a ";command;" to the To: line of a newly created e-mail and
> > then clicking "encrypt now" will execute the command as the Apache
> > user on recent versions of Squirrelmail, including the current CVS
> > version. Example:
> >
> > To: ;echo "YO, dudes. Static analysis ain't rocket science." >>
> > /tmp/message;
> > <click encrypt now to execute!>
> >
> >
> >
> >
> > Vendor Response:
> >
> > Bugtraq Security have attempted to contact the vendor multiple times
> > since the discovery of these vulnerabilities without success. In
> > addition, after contacting Weld Pond and Pieter Mudge Zatko directly
> > via #w00w00 about their vulnerability to this issue, we were rebuffed
> > for not taking Microsoft-approved measures and first releasing a
> > press-release regarding our discoveries so we could profit from them,
> > l0pht-style, and worm our way into Congressional meetings on unrelated
> > topics where we could brag unnecessarally about our ability to shut
> > down the Internet, when in fact, we[2] often have problems shutting
> > down our Windows 2003 partition on our laptops due to the many kernel
> > trojans competing for time on them.
> >
> >
> > [2] Weld and Mudge, obviously. Bugtraq Security Systems uses only
> > QNX. We're realtime like that.
> >
> > ThreatCon:
> >
> > The release of this information and the potential for worms based on
> > proof-of-concept exploits increases the Global ThreatCon Level to an
> > index of 8/13 (more dangerous than normal) level.  We hope that
> > Squirrelmail and #w00w00 members Mudge, Weld Pond and Jonathan Wilkins
> > will address these issues in important global internet security
> > infrastructure as soon as possible. Remember, it's not responsible
> > disclosure to paste their passwords and mail spools into random efnet
> > channels.  Bugtraq Security Systems also does not approve of replacing
> > tarballs on random open-source code repositories with your findings.
> >
> > If you have any questions regarding the Global ThreatCon, please visit
> > 	http://www.bugtraq.org/threatcon.html
> >
> >
> >
> > Recommendation:
> >
> > Disable the GPG plugin to Squirrelmail until a patch can be provided.
> >
> >
> > Bugtraq Data Tracer:
> >
> > Requests to get on the early beta release list for BSS Data Tracer can
> > be sent to bugtraq@...traq.org. Please include a name, contact email,
> > phone number, address, and the hours in which you can be reached. A
> > sales executive will contact you shortly.
> >
> >
> > Common Vulnerabilities and Exposures (CVE) Information:
> >
> > The Common Vulnerabilities and Exposures (CVE) project has assigned
> > the following names to these issues.  These are candidates for
> > inclusion in the CVE list (http://cve.mitre.org), which standardizes
> > names for security problems.
> >
> > 	CAN-2003-0990 - Squirrelmail input validation flaw
> >
> >
> > Bugtraq Security Systems Vulnerability Reporting Policy:
> > 	http://www.bugtraq.org/research/policy/
> >
> > Bugtraq Security Systems Advisory Archive:
> > 	http://www.bugtraq.org/advisories.html
> >
> > Bugtraq Security Systems PGP Key:
> > 	http://www.bugtraq.org/pgp_key.asc
> >
> >
> > Bugtraq Security Systems is currently seeking application security
> > experts to fill several consulting positions.  Applicants should have
> > strong application development skills and be able to perform
> > application security design reviews, code reviews, and application
> > penetration testing.  Please send resumes to jobs@...traq.org
> >
> > Copyright 2003 Bugtraq Security Systems. All rights reserved.
> >
> >
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> >
> > iD8DBQE/6evTd3IqHnpF3voRAtihAJ4kghGpu1jpsje9uSEA9Rr+mG7RnQCfZesd
> > eYvxW+uzHDF7MP5GKO1b3RI=
> > =wEzP
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ