Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: sb5892.htm

Openwebmail remote root compromise



20th Dec 2002 [SBWID-5892]
COMMAND

	Openwebmail remote root compromise

SYSTEMS AFFECTED

	Openwebmail 1.71

PROBLEM

	Dmitry Guyvoronsky [demiurg@altaee.com] says :
	
	Remote exploitation of several errors  within  the  Openwebmail  scripts
	could allow a remote attacker to execute  arbitrary  commands  with  the
	superuser permissions. Although this requires attacker  to  be  able  to
	put 2 files on target system (i.e. via ftp or  if  he  has  local  shell
	access), this is a  very  serious  vulnerability  and  should  be  taken
	seriously.
	
	Let's inspect the sources:
	
	- --- openwebmail-abook.pl
	#!/usr/bin/suidperl -T
	...
	require "openwebmail-shared.pl";
	...
	openwebmail_init();
	...
	- ---
	
	- --- openwebmail-shared.pl
	...
	sub openwebmail_init {
	...
	   $thissession = param("sessionid");   # (0)
	...
	   $loginname =~ s/\-session\-0.*$//;  # (1)
	
	   my $siteconf;
	   if ($loginname=~/\@(.+)$/) {
	       $siteconf="$config{'ow_etcdir'}/sites.conf/$1";   # (2)
	   } else {
	       my $httphost=$ENV{'HTTP_HOST'}; $httphost=~s/:\d+$//;
	       $siteconf="$config{'ow_etcdir'}/sites.conf/$httphost";
	   }
	   readconf(\%config, \%config_raw, "$siteconf") if ( -f "$siteconf"); # (3)
	...
	   require $config{'auth_module'}; # (4)
	- ---
	
	
	(0) Attacker can pass anything here:
	
	 http://site.url/cgi-bin/openwebmail-abook.pl?sessionid=@[PATH]-session-0
	
	(1) $loginname now holds [PATH]
	    (i.e. "../../../../../home/ftp/incoming/attacker.conf" )
	
	(2) $siteconf holds path to custom config file on the server. Attacker
	    can upload config file via anonymous ftp (is any), or just put it
	    somewhere (if he has local access)
	
	(3) readconfig() treats $siteconf as a plaintext file  every  string  of
	which has
	    format:
	
	- --
	var_name variable_value
	- --
	
	     In our case, <attacker.conf> should contain line
	
	- --
	auth_module     /home/ftp/incoming/exploit.pl
	- --
	
	(4) <exploit.pl> is executed with superuser permissions (!!!)

SOLUTION

	Vendor of the OpenWebMail system had  released  patch  and  upgraded  `current`
	sources.
	
	More information can be found at:
	
	 http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435
	 Patches: http://openwebmail.org/openwebmail/download/cert/patches/SA-02:01/
	 Current: http://openwebmail.org/openwebmail/download/openwebmail-current.tgz
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH