
Re: Reported Command Injection in Squirrelmail GPG



Bugtraq Security Systems released an advisory on Dec 24th to the Full
Disclosure email list about a possible Command Injection Issue in the GPG
subsystem of Squirrelmail.  Please note that Bugtraq Security Systems Inc
has no affiliation with the well-regarded official Bugtraq list at
securityfocus.com.

Original full text of the advisory here:
http://www.bugtraq.org/advisories/_BSSADV-0001.txt
"Command Injection Issue in Squirrelmail"
and here:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3777.html
"Bugtraq Security Systems XMAS Advisory 0001"

Secunia also copied it here:
http://www.secunia.com/advisories/10493/
"Squirrelmail Address Parsing Execution of Arbitrary Commands"

There are many problems with this 'advisory'.  We'll deal with the
technical details first, and then move on to the rest of it.

Summary:
The authors of the original 'advisory' claim arbitrary code execution with
the currently released version of Squirrelmail and the GPG Plugin.  This
is false.  They also claim arbitrary code execution with current CVS
version of the Squirrelmail and GPG code.  This is also false.  They
further claim to have attempted to contact the Squirrelmail 'product team'
'several times' before releasing their vulnerability report.  This is also
false.  No attempt was made to contact any member of the GPG Plugin
team, nor was any contact made with members of the core Squirrelmail
development team or any of the Squirrelmail development lists.

Despite these inaccuracies and the carefully timed release of a faulty
'advisory' during the Christmas holiday, we looked into it immediately.

Details:
> Adding a ";command;" to the To: line of a newly created e-mail and
> then clicking "encrypt now" will execute the command as the Apache
> user on recent versions of Squirrelmail, including the current CVS
> version. Example:
>
> To: ;echo "YO, dudes. Static analysis ain't rocket science." >>
> /tmp/message;
> <click encrypt now to execute!>

Upon digging further, we have discovered that the code for the reported
exploit existed within Squirrelmail itself, previous to version 1.4.2
during the address parsing.

This is within the rfc822Header object, using the parseAddress function.
The parseAddress code in Squirrelmail 1.4.0 does not properly and completely
remove the command noted in the 'advisory' and previous comments.
However, even Squirrelmail 1.4.0 does munge the attack enough to not
exactly function the way the 'advisory' claims.

It is possible that an exploit similar to the one reported in the
'advisory' could potentially be exploitable with GPG Plugin v 1.1 and SM v
1.4.0.

As of Squirrelmail 1.4.2 this attack is completely unsuccessful.

Squirrelmail 1.4.2 was released on Oct 01, 2003.

Since squirrelmail 1.4.2 contains other security updates, and has been
released for some time, it is HIGHLY recommended that administrators
upgrade immediately anyway.

We plan to investigate this issue more thoroughly in the next day or two,
and potentially update the Squirrelmail parseAddress function to even more
robustly handle potentially malicious code.

Updates as we continue to work towards further securing the GPG Plugin and
the Squirrelmail parseAddress function will be posted on the GPG Plugin
Bugzilla at:

http://www.braverock.com/bugzilla/show_bug.cgi?id=139

> This particular example is within the GPG subsystem of
> Squirrelmail, often installed by security "experts"
> who in actuality have the information security knowledge of
> cat food.

The GPG Plugin for Squirrelmail is not intended for 'security experts'.
The GPG Plugin is a convenience feature only for the 'average' web mail
user.  It does not claim to be a super high security method of encrypting
email.  It is better than sending postcards across the network. The
documentation and online help for the GPG Plugin explicitly warn users
against storing their primary private keys (if they have them) on an
untrusted or unsecured webmail server.  The GPG Plugin for Squirrelmail is
not intended to replace or remove the need for stand-alone, off-line key
management and basic key security for mission critical keys.

> The pictures located at http://www.bugtraq.org/images/demo1.png and
> http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
> Security Systems software analysis platform. This product, BSS Data
> Tracer, allows a software security analysis team to perform automated
> checks against many common types of vulnerabilities in both binary and
> source code targets.
>
> As the screen shots referenced above show, this product can save
> thousands of hours of testing and analysis, providing a significant
> return on investment for software development groups. It uses
> "tainting" technology which applies data-flow analysis rules to
> variables within the program. If a "tainted" variable reaches a
> vulnerable API call, such as exec, system, or strcpy, then that place
> is marked. A report is then generated for the perusal of security
> staff. It should be noted that Bugtraq Security Systems Data Tracer is
> a "static analysis" tool, and does not require the program to be
> installed or run.

We do not appreciate your grand-standing for product placement.

Please get your facts straight.

> Bugtraq Security have attempted to contact the vendor multiple times
> since the discovery of these vulnerabilities without success. In
> addition, after contacting Weld Pond and Pieter Mudge Zatko

My email and the email of the GPG Plugin team are clearly indicated in the
GPG Plugin README, and on the Squirrelmail web site.  No one attempted to
contact me or any member of the GPG Plugin team on this issue.

Further, no attempt was made by 'Bugtraq Security Inc' to contact any of
the official Squirrelmail lists.  Communication with the Squirrelmail
development team leads confirms that none of them were contacted either.

Other individuals that the 'advisory' claims were contacted have also
responded that they were not contacted about this release.

So, to summarize the technical issues, the vulnerability reported in the
'advisory' is not completely valid at all, but could potentially be
exploitable with GPG Plugin v 1.1 and SM v 1.4.0. Please note that these
are old versions of both the Squirrelmail code and the GPG Plugin. The
claim in the 'advisory' that a vulnerability exists: 'on recent versions
of Squirrelmail, including the current CVS version.' is just plain false.

To the members of the "Bugtraq Research Team": The members of the GPG
Plugin and Squirrelmail development teams feel that it is a bad policy to
release 'advisories' with so many inaccuracies and outright lies.  Please
refrain from doing so in the future.

Regards,

    - Brian Peterson
      GPG Plugin Team Lead
      Squirrelmail Core Development Team Member

SquirrelMail is a popular standards-based webmail package written in PHP4.
It includes built-in pure PHP support for the IMAP and SMTP protocols.

It is available at:
http://www.squirrelmail.org/

The GPG Plugin for Squirrelmail adds most commonly used GPG encryption and
decryption functions to Squirrelmail for the convenience of Squirrelmail
users.  It is available on the Squirrelmail website and from the GPG
Plugin development site at:
http://www.braverock.com/gpg/
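The injection pattern discussed in this thread, as an added illustration that is not code from SquirrelMail, the GPG Plugin, or the advisory: a recipient taken from the To: header is interpolated into a shell command line, so a value like `;command;` terminates the gpg invocation and runs the payload as the web server user. The hardened version beside it reduces the header to a bare addr-spec, refuses anything outside a conservative character set, and still passes the result through escapeshellarg(). Function names, the regular expressions and the gpg command line are assumptions chosen for the example; the payload string is the one quoted from the advisory above.

```php
<?php
// Added example, not SquirrelMail/GPG Plugin code. Shows why interpolating
// an unvalidated To: value into a shell string is exploitable, and one way
// to handle it safely. All function names here are hypothetical.

// Constructed input: the payload quoted from the advisory.
$attacker_to = ';echo "YO, dudes. Static analysis ain\'t rocket science." >> /tmp/message;';
$normal_to   = 'Alice Example <alice@example.org>';

// VULNERABLE pattern (hypothetical): raw header value dropped into a shell
// command. With $recipient = ';echo ... >> /tmp/message;' the shell runs
// 'gpg ... -r', then the echo, as the Apache user.
function build_gpg_cmd_unsafe($recipient) {
    return "gpg --batch --armor --encrypt -r $recipient";
}

// Step 1: reduce a display-name/angle-bracket header to the addr-spec only.
// Step 2: accept only local@domain built from a conservative character set;
//         no whitespace, quotes, ';', '|', '`', '$' or other shell metacharacters.
function extract_addr_spec($header) {
    if (preg_match('/<([^>]+)>/', $header, $m)) {
        $addr = trim($m[1]);
    } else {
        $addr = trim($header);
    }
    if (!preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $addr)) {
        return false; // refuse rather than try to munge a bad value
    }
    return $addr;
}

// Hardened: validate first, then escape anyway (defence in depth), so the
// recipient can never be read by the shell as anything but one argument.
function build_gpg_cmd_safe($header) {
    $addr = extract_addr_spec($header);
    if ($addr === false) {
        return false;
    }
    return 'gpg --batch --armor --encrypt -r ' . escapeshellarg($addr);
}

echo "unsafe: " . build_gpg_cmd_unsafe($attacker_to) . "\n";
var_dump(build_gpg_cmd_safe($attacker_to)); // bool(false): rejected outright
var_dump(build_gpg_cmd_safe($normal_to));   // string: ... -r 'alice@example.org'
```

The first line printed is a complete, working shell injection if it were handed to exec() or popen(); the hardened builder never produces a command for that input at all. Validating the address before escaping matters because escapeshellarg() alone would still let an attacker pass arbitrary strings to gpg's option parser.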