Openwebmail 1.71 remote root compromise

From: Dmitry Guyvoronsky (demiurgat_private)
Date: Wed Dec 18 2002 - 09:37:59 PST


    
    Security Advisory 12.18.02
    
    Software : Openwebmail (http://openwebmail.org)
    Version  : ?.?? -> 1.71 (current)
    Type     : Arbitrary commands execution
    Remote   : yes
    Root     : yes (!!!)
    Date     : December 18, 2002
    
    I. BACKGROUND
    
    Openwebmail is a web-based email system. It contains several Perl CGI
    scripts that run under the superuser account (suidperl is used).
    
    II. DESCRIPTION
    
    Remote exploitation of several errors within the Openwebmail scripts
    could allow a remote attacker to execute arbitrary commands with
    superuser permissions. Although this requires the attacker to be able to put
    2 files on the target system (e.g. via ftp, or if he has local shell access),
    this is a very serious vulnerability and should be treated as such.
    
    Let's inspect the sources:
    
    --- openwebmail-abook.pl
    #!/usr/bin/suidperl -T
    ...
    require "openwebmail-shared.pl";
    ...
    openwebmail_init();
    ...
    ---
    
    --- openwebmail-shared.pl
    ...
    sub openwebmail_init {
    ...
       $thissession = param("sessionid");   # (0)
    ...
       $loginname =~ s/\-session\-0.*$//;  # (1)
    
       my $siteconf;
       if ($loginname=~/\@(.+)$/) {
           $siteconf="$config{'ow_etcdir'}/sites.conf/$1";   # (2)
       } else {
           my $httphost=$ENV{'HTTP_HOST'}; $httphost=~s/:\d+$//;
           $siteconf="$config{'ow_etcdir'}/sites.conf/$httphost";
       }
       readconf(\%config, \%config_raw, "$siteconf") if ( -f "$siteconf"); # (3)
    ...
       require $config{'auth_module'}; # (4)
    ---
    
    
    (0) The attacker can pass anything here:
         http://site.url/cgi-bin/openwebmail-abook.pl?sessionid=@[PATH]-session-0
    
    (1) $loginname now holds [PATH] (e.g. "../../../../../home/ftp/incoming/attacker.conf")
    
    (2) $siteconf holds the path to a custom config file on the server. The attacker
        can upload the config file via anonymous ftp (if any), or just put it
        somewhere (if he has local access)
    
    (3) readconf() treats $siteconf as a plaintext file, every line of which has the format:
    --
    var_name variable_value
    --
         In our case, <attacker.conf> should contain the line
    --
    auth_module     /home/ftp/incoming/exploit.pl
    --
    
    (4) <exploit.pl> is executed with superuser permissions (!!!)
    
    
    III. DETECTION
    
    To detect whether you are running a vulnerable version of the openwebmail
    software, check the responses of the cgi scripts. For example:
    
    --------
    [user@host][~]: lynx -dump http://site/cgi-bin/openwebmail/openwebmail.pl | grep -i "version"
                            Open WebMail version 1.71
    --------
    
    Vulnerable versions are ?.?? -> 1.71
    
    IV. RECOMMENDATIONS
    
    Temporarily disable use of openwebmail until a patch is released by the vendor,
    or fix openwebmail-shared.pl by changing
    
    ---
       $loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
    ---
    
    into
    
    ---
       $loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
       $loginname =~ s/[\.\/\;\|\'\"\`\&]//g;
    ---
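As an added illustration (not Openwebmail's own code), the following Perl reproduces the $siteconf derivation from steps (1)-(2) above and a stricter alternative to the character-stripping fix: instead of deleting dangerous characters, it accepts the site name only if it looks like a hostname. The etc directory, HTTP host and session ids are assumed values.

```perl
#!/usr/bin/perl
# Added illustration, not Openwebmail code: builds $siteconf from a sessionid
# the way steps (1)-(2) of the advisory describe, then with a whitelist check.
use strict;
use warnings;

# Assumed stand-in for $config{'ow_etcdir'}.
my $ow_etcdir = '/usr/local/www/cgi-bin/openwebmail/etc';

# Vulnerable derivation: the captured site name goes into the path unchecked.
sub siteconf_vulnerable {
    my ($sessionid, $httphost) = @_;
    my $loginname = $sessionid;
    $loginname =~ s/\-session\-0.*$//;          # (1) grab loginname from sessionid
    if ($loginname =~ /\@(.+)$/) {
        return "$ow_etcdir/sites.conf/$1";       # (2) "../" sequences survive here
    }
    $httphost =~ s/:\d+$//;
    return "$ow_etcdir/sites.conf/$httphost";
}

# Hardened derivation: a site name is a hostname, so accept only hostname
# labels joined by single dots. A '/' or '..' can never reach the path.
# (Stricter than the advisory's character-stripping fix, which it also covers.)
sub siteconf_hardened {
    my ($sessionid, $httphost) = @_;
    my $loginname = $sessionid;
    $loginname =~ s/\-session\-0.*$//;
    my $site;
    if ($loginname =~ /\@(.+)$/) {
        $site = $1;
    } else {
        ($site = $httphost) =~ s/:\d+$//;
    }
    return undef unless $site =~ /^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$/;
    return "$ow_etcdir/sites.conf/$site";
}

# Constructed inputs: the advisory's traversal form and a benign session id.
my @cases = (
    '@../../../../../home/ftp/incoming/attacker.conf-session-0',
    'alice@mail.example.org-session-0.1234',
);
for my $sid (@cases) {
    my $hard = siteconf_hardened($sid, 'mail.example.org');
    print "sessionid: $sid\n";
    print "  vulnerable -> ", siteconf_vulnerable($sid, 'mail.example.org'), "\n";
    print "  hardened   -> ", (defined $hard ? $hard : 'REJECTED'), "\n";
}
```

The first case shows the vulnerable path escaping sites.conf while the hardened version rejects it; the second case is accepted by both, so the whitelist does not break normal logins.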
    
    V. VENDOR FIX
    
    Software vendor was notified on 2002-12-18.
    
    



    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:28:13 PST