<<< Date Index >>>     <<< Thread Index >>>

Horde Webmail file inclusion proof of concept & patch.



Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept & patch.

A severe security vulnerability affects any unix distribution running version 
3.1.6 of the Horde webmail client included in most popular webhosting control 
panels. All previous versions are also affected and it is believed although not 
yet proven that Horde Groupware is also vulnerable.

Details are as follows:

David Collins and Patrick Pelanne along with the rest of the HostGator.com LLC 
support team discovered that Horde was not properly sanitizing POST variables 
for several options including it's themes. By maliciously modifying POST data 
sent to the client the attacker can modify the location of the theme variable 
and Horde will subsequently insert this information into it's database. By 
modifying this POST variable one can allow for directory traversal and file 
inclusion which can lead to full root privilege escalation.

Proof of concept:

Data injected through malicious tampering of POST data:

mysql> select * from horde_prefs where pref_uid='bbarker@xxxxxxxxxxxxx' and  
pref_name='theme';
+-------------------------+------------+-----------+----------------------------------------------------------------------------------------------------------------------------+
| pref_uid                | pref_scope | pref_name | pref_value                 
                                                                                
                |
+-------------------------+------------+-----------+----------------------------------------------------------------------------------------------------------------------------+
| bbarker@xxxxxxxxxxxxx | horde      | theme     | 
../../../../../../../../../../../../../../../../../../tmp/.horde/imp/attachments/bbarker@xxxxxxxxxxxxx/1204804402/t.txt
  | 

Shown above, the malicious POST variable was inserted into the database and now 
points to the malicious code denoted by t.txt

A truncated strace shows the access and execution of the malicious code when 
the user enters the Horde webmail client:

31852 lstat64("/usr", {st_dev=makedev(3, 3), st_ino=2, st_mode=S_IFDIR|0755, 
st_nlink=18, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=16, st_size=4096, s$
31852 lstat64("/usr/local", {st_dev=makedev(3, 3), st_ino=608001, 
st_mode=S_IFDIR|0755, st_nlink=26, st_uid=0, st_gid=0, st_blksize=4096, 
st_blocks=16, st_s$
31852 lstat64("/usr/local/cpanel", {st_dev=makedev(3, 3), st_ino=18539, 
st_mode=S_IFDIR|0711, st_nlink=37, st_uid=0, st_gid=10, st_blksize=4096, 
st_blocks=8$
31852 lstat64("/usr/local/cpanel/base", {st_dev=makedev(3, 3), st_ino=85078, 
st_mode=S_IFDIR|0755, st_nlink=21, st_uid=0, st_gid=0, st_blksize=4096, st_bloc$
31852 lstat64("/usr/local/cpanel/base/horde", {st_dev=makedev(3, 3), 
st_ino=85388, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=32002, st_gid=32004, 
st_blksize$
31852 lstat64("/usr/local/cpanel/base/horde/config", {st_dev=makedev(3, 3), 
st_ino=115868, st_mode=S_IFDIR|0755, st_nlink=2, st_uid=32002, st_gid=32004, 
st_$
31852 lstat64("/usr/local/cpanel/base/horde/themes", {st_dev=makedev(3, 3), 
st_ino=86796, st_mode=S_IFDIR|0755, st_nlink=28, st_uid=32002, st_gid=32004, 
st_$
31852 lstat64("/tmp", {st_dev=makedev(7, 1), st_ino=2, 
st_mode=S_IFDIR|S_ISVTX|0777, st_nlink=9, st_uid=0, st_gid=0, st_blksize=4096, 
st_blocks=64, st_size=$
31852 lstat64("/tmp/.horde", {st_dev=makedev(7, 1), st_ino=38609, 
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004, st_blksize=4096, 
st_blocks=2$
31852 lstat64("/tmp/.horde/imp", {st_dev=makedev(7, 1), st_ino=38610, 
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004, st_blksize=4096, 
st_bloc$
31852 lstat64("/tmp/.horde/imp/attachments", {st_dev=makedev(7, 1), 
st_ino=38611, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004, 
st_blksize=4$
31852 lstat64("/tmp/.horde/imp/attachments/patrick@xxxxxxxxxxxxx", 
{st_dev=makedev(7, 1), st_ino=38612, st_mode=S_IFDIR|0700, st_nlink=3, 
st_uid=32002, st$
31852 lstat64("/tmp/.horde/imp/attachments/patrick@xxxxxxxxxxxxx/1204804402", 
{st_dev=makedev(7, 1), st_ino=38613, st_mode=S_IFDIR|0700, st_nlink=2, st_ui$
31852 
lstat64("/tmp/.horde/imp/attachments/patrick@xxxxxxxxxxxxx/1204804402/t.txt", 
{st_dev=makedev(7, 1), st_ino=38614, st_mode=S_IFREG|0600, st_nlink=1,$
31852 
open("/tmp/.horde/imp/attachments/patrick@xxxxxxxxxxxxx/1204804402/t.txt", 
O_RDONLY) = 4

We have also included a patch below for this vulnerability tested on Horde 
v2.105.4.8 2006/07/29 16:49:19


--- horde/lib/Horde/Prefs.php   2008-03-06 21:14:38.000000000 -0600
+++ horde/lib/Horde/Prefs.patched       2008-03-06 20:10:56.000000000 -0600
@@ -325,12 +325,23 @@
         }

         return (isset($this->_prefs[$pref]['v'])) ?
-            ($convert ?
+            $this->_fixhole($pref,$convert ?
              $this->convertFromDriver($this->_prefs[$pref]['v'], $charset) :
              $this->_prefs[$pref]['v']) :
             null;
     }

+function _fixhole($pref,$value) {
+      $sanitize = '/^[a-z0-9._-]+$/i';
+      if (preg_match($sanitize, $value) && $pref == 'theme') {
+              return $value;
+      } elseif ($pref == 'theme') {
+                return "mozilla";
+      } else {
+                return $value;
+      }
+}
+
     function __get($name)
     {
         return $this->getValue($name);


-- Begin Signature --
HostGator.com is looking for qualified systems administrators. Please send an 
e-mail to jobs@xxxxxxxxxxxxx with your resume!