vpopmail CGIapps vadddomain multiple vulnerabilities

From: Ignacio Vazquez (n.bugtraqat_private)
Date: Thu Oct 24 2002 - 07:27:36 PDT


    Centaura Technologies Security Research Lab Advisory
    
    Product Name: vpopmail-CGIApps
    Systems: Linux/OpenBSD/FreeBSD/NetBSD
    Severity: High Risk
    Remote: Yes
    Category: Insufficient input checking
    Vendor URL: http://diario.buscadoc.org/index.php?topic=Programas
    Advisory Author: Ignacio Vazquez
    Advisory URL: http://www.centaura.com.ar/infosec/adv/vpopmailCGIappsdomain.txt
    Date: 14 October 2002
    Advisory Code: CTADVIIC044
    
    
    .: Introduction
    
    vpopmail-CGIApps is a qmail-vpopmail domain administrator
    written in Python.
    
    .: Impact
    An attacker can execute arbitrary code as the setuid user of the
    script (normally vpopmail), giving them the possibility to add, modify
    and delete accounts/domains in the database, add and edit system
    files, etc.
    This can lead to complete e-mail server compromise.
    
    .: Description
    By providing specially crafted data in the domain form field
    (typing ; in there), the unfiltered value reaches an os.system() call:
    the shell adds the domain and then executes the command after the ;
    
    .: Exploit
    
    In the "domini" field, put: "; echo 'test' > /tmp/vpoptest"
    When you submit the form, a new file is created in /tmp.
    
    .: Workaround
    
    Before the os.system() method is called:
    
    import os
    import string
    
    # string.replace() returns a new string; the result must be assigned
    # back, otherwise the filtering has no effect.
    domini = string.replace(domini, ";", "")
    passx = string.replace(passx, ";", "")
    os.system('/usr/bin/sudo -u root /home/vpopmail/bin/vpasswd' + " " + direc + " " + passx)
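    The semicolon filter above closes the exact case from the advisory, but ; is
    only one of several characters the shell treats as a separator, so a
    filter built on removing characters stays fragile. The following is an added
    example (not the project's code and not part of the original advisory) that
    shows the unsafe string-building pattern the Description section refers to
    beside a hardened form: the domain field is checked against a hostname
    allowlist and the command is run as an argument list with no shell at all.
    The vpasswd path and argument order are copied from the workaround snippet;
    that vpasswd accepts the domain field directly as its first argument is an
    assumption made here for illustration.
    
    ```python
    import re
    import subprocess
    
    # Constructed sample inputs: a legitimate domain and the injection string
    # quoted in the advisory's Exploit section.
    GOOD_DOMAIN = "example.com"
    BAD_DOMAIN = "; echo 'test' > /tmp/vpoptest"
    
    # Path taken from the advisory's workaround snippet (assumed unchanged).
    VPASSWD = "/home/vpopmail/bin/vpasswd"
    
    # One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
    _LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    _DOMAIN_RE = re.compile(r"^(?:%s\.)+%s$" % (_LABEL, _LABEL))
    
    
    def strip_semicolon(value):
        """The advisory's workaround, with the return value actually captured.
        Note it leaves every other shell metacharacter (| & $ ` newline) intact."""
        return value.replace(";", "")
    
    
    def is_valid_domain(domini):
        """Allowlist check: only hostname-shaped input passes. Shell
        metacharacters are rejected by construction, not by enumeration."""
        return len(domini) <= 253 and _DOMAIN_RE.match(domini) is not None
    
    
    def vulnerable_command(direc, passx):
        """Mirrors the original concatenation: one string handed to os.system(),
        so anything after a ; in either field becomes a second shell command."""
        return "/usr/bin/sudo -u root " + VPASSWD + " " + direc + " " + passx
    
    
    def build_argv(domini, passx):
        """Hardened builder: validates the domain and returns an argv list.
        Because the list is passed to exec(), never to sh, no field can end
        the command early. The argument order follows the advisory's snippet
        (an assumption about vpasswd's interface)."""
        if not is_valid_domain(domini):
            raise ValueError("domain field rejected by allowlist: %r" % domini)
        if "\0" in passx or "\n" in passx:
            raise ValueError("password contains a control character")
        return ["/usr/bin/sudo", "-u", "root", VPASSWD, domini, passx]
    
    
    def accepts(domini, passx):
        """True if build_argv() would run the helper for these inputs."""
        try:
            build_argv(domini, passx)
            return True
        except ValueError:
            return False
    
    
    def run_vpasswd(domini, passx):
        """Runs the helper without a shell; shell=True is deliberately absent."""
        return subprocess.run(build_argv(domini, passx), check=True)
    
    
    if __name__ == "__main__":
        # The unsafe builder happily embeds the separator; the hardened one refuses.
        print("vulnerable:", vulnerable_command(BAD_DOMAIN, "pw"))
        print("semicolon filter leaves:", repr(strip_semicolon(BAD_DOMAIN)))
        print("allowlist accepts good domain:", accepts(GOOD_DOMAIN, "pw"))
        print("allowlist accepts injection string:", accepts(BAD_DOMAIN, "pw"))
    ```
    
    The design point is that the fix is structural: validating the field against
    what a domain may look like, and passing arguments as a list, removes the
    shell from the data path entirely, so the question of which characters to
    strip never arises.
    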
    
    .: Official Fix Information
    
    The vendor has released version 0.3 in response to this advisory
    
    -----
    
    Ignacio Vazquez
    <ivazquezat_private>
    
    Director of Technology
    Security Labs Manager
    
    Centaura Technologies
    http://www.centaura.com.ar
    
    This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 17:07:28 PDT