vpopmail CGIapps vpasswd vulnerabilities

From: Ignacio Vazquez (n.bugtraqat_private)
Date: Thu Oct 24 2002 - 07:26:33 PDT


    Centaura Technologies Security Research Lab Advisory
    
    Product Name: vpopmail-CGIApps
    Systems: Linux/OpenBSD/FreeBSD/NetBSD
    Severity: High Risk
    Remote: Yes
    Category: Insufficient input checking
    Vendor URL: http://diario.buscadoc.org/index.php?topic=Programas
    Advisory Author: Ignacio Vazquez
    Advisory URL: http://www.centaura.com.ar/infosec/adv/vpopmailCGIapps.txt
    Date: 14 October 2002
    Advisory Code: CTADVIIC043
    
    
    .: Introduction
    
    vpopmail-CGIApps is a vpopmail password changer CGI application
    written in Python.
    
    .: Impact
    
    An attacker can execute arbitrary commands as the setuid user of the
    script (normally vpopmail), which gives him the possibility to add,
    modify and delete accounts and domains in the database.
    This can lead to complete compromise of the e-mail server.
    
    .: Description
    
    By providing specially crafted data in the password field (a ";"
    followed by a command), the script passes the input to the os.system()
    function, which changes the password and then executes the command
    that follows the ";".
    
    .: Exploit
    
    Put a valid username/password in the first part of the form.
    Then, in the "new password" field, put: "; echo 'test' > /tmp/vpoptest"
    Repeat that string in the confirm password field.
    When you submit the form, a new file is created in /tmp.
    
    .: Workaround
    
    Before the os.system() method is called:
    
    import os
    
    # replace() returns a new string and leaves the original untouched,
    # so the result must be assigned back before it reaches the shell
    direc = direc.replace(";", "")
    passx = passx.replace(";", "")
    os.system('/home/vpopmail/bin/vpasswd' + " " + direc + " " + passx)
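    As an added example (not code from the advisory or from the
    vpopmail-CGIApps project): instead of stripping one character from a
    shell command string, hand vpasswd an argument list through subprocess
    so no shell ever parses the password. The user@domain pattern and the
    injectable runner parameter are assumptions made for offline
    demonstration.

```python
# Added example (not from the advisory or the vpopmail-CGIApps project):
# the vulnerable pattern feeds user input to /bin/sh via os.system(), so a
# ';' in the password field starts a second command. Passing vpasswd an
# argv list through subprocess never invokes a shell, so the password
# reaches vpasswd as one opaque argument whatever characters it contains.
import re
import subprocess

VPASSWD = "/home/vpopmail/bin/vpasswd"  # path as given in the advisory

# vpopmail users are user@domain; anything outside this alphabet is
# rejected before it is used as a command argument (assumed pattern).
USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,253}$")


def vulnerable_command(direc, passx):
    """Command string the way the CGI built it (string concatenation).
    Returned for inspection only; never hand it to a shell."""
    return VPASSWD + " " + direc + " " + passx


def valid_user(direc):
    """True only for a plain user@domain identifier."""
    return USER_RE.match(direc) is not None


def build_argv(direc, passx):
    """Argument vector for vpasswd. Malformed users are rejected; the
    password is passed untouched because argv elements are never
    shell-parsed."""
    if not valid_user(direc):
        raise ValueError("invalid vpopmail user")
    return [VPASSWD, direc, passx]


def change_password(direc, passx, runner=subprocess.run):
    """Run vpasswd without a shell. `runner` is injectable (an assumption
    for offline testing); subprocess.run with a list never starts /bin/sh."""
    argv = build_argv(direc, passx)
    return runner(argv, shell=False, check=False)


if __name__ == "__main__":
    payload = "; echo 'test' > /tmp/vpoptest"  # string from the advisory
    print("shell string:", vulnerable_command("user@example.com", payload))
    print("argv:", build_argv("user@example.com", payload))
```

    The advisory's payload survives intact as the third argv element, so
    vpasswd simply sees an odd password and the shell never runs.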
    
    .: Official Fix Information
    
    The vendor has released version 0.3 in response to this advisory.
    
    -----
    
    Ignacio Vazquez
    <ivazquezat_private>
    
    Director of Technology - Security Labs Manager
    
    Centaura Technologies
    http://www.centaura.com.ar
    



    This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 16:19:47 PDT