-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bugtraq Security Systems, Incorporated
www.bugtraq.org
Security Advisory
Advisory Name: Command Injection Issue in Squirrelmail
Release Date: 12/24/2003
Application: Squirrelmail
Platform: Linux (IA32)
Linux (sparc)
Linux (sparc64)
Linux (hppa)
Linux (ppc)
Linux (xbox)
Linux (IA64)
SUN Solaris (IA32)
SUN Solaris (sparc)
SUN Solaris (sparc64)
OpenBSD (386)
FreeBSD (386)
SCO OpenServer (All versions)
HPUX (hppa)
HPUX (IA64)
QNX
Compaq True64
Microsoft Windows NT (Alpha)
Microsoft Windows NT (IA32)
Severity: Flaw in input validation allows execution
of arbitrary commands as the Apache user.
Author: The Bugtraq Team, Collectively [bugtraq@bugtraq.org]
Vendor Status: Patches pending.
CVE Candidate: CAN-2003-0990 - Squirrelmail input validation flaw
Reference: www.bugtraq.org/advisories/bssadv0002.txt
Overview:
.-. MERRY X-MAS .~~~.
.;;;;. ( ^_> / whitehat. (\__/) .' )
<;<; \;>\ ! \ /o o \/ .~
<;<; '-.>) \ {o_, \ {
<;<; <'=. | / , , ) \
<;<; '- / `~ '-' \ }
<;,\.\--'` _( ( )_.'
`==`== '---..{____}
SquirrelMail is a standards-based webmail package written in PHP4. It
includes built-in pure PHP support for the IMAP and SMTP protocols,
and all pages render in pure HTML 4.0 (with no JavaScript required)
for maximum compatibility across browsers. It has very few
requirements and is very easy to configure and install. SquirrelMail
has all the functionality you would want from an email client,
including strong MIME support, address books, and folder manipulation.
It should also be noted that the internet security rock-star Mudge,
along with several other famed w00w00 members, uses Squirrelmail. We
at Bugtraq Security Systems would expect more proactive auditing of
basic infrastructure used by famed black-hat[1] hackers such as Mudge,
or Weld Pond a.k.a. "Chris Wysopal".
Once the vulnerability has been exploited, access to the affected
machine as the Apache user is gained. This allows an attacker to
co-opt the web site, and the Squirrelmail instance. For example, it is
easy to sniff e-mail and obtain usernames and passwords for
Squirrelmail users, which are identical to their login usernames and
passwords, in most cases.
[1] Out of curiosity, if you break the law, for example, by speeding
in your car, or by taking illegal drugs, but have not yet been caught
at actually hacking into a computer, do you consider yourself to be a
black-hat or a white-hat? Does the color of your hat apply just to
your behavior at a keyboard, or does your behavior in real life also
relate? At what point do you lose your ability to label others as
responsible or not? We at Bugtraq Security Systems find these
rhetorical questions funny. We also find it gut-bustingly hilarious
when drug addicts become volcanos of hypocrisy, spouting off at every
new "blackhat" antic that comes to light. You don't see "Blackhats
Against Crystal Meth" lobbying congress, do you?
Details:
The pictures located at http://www.bugtraq.org/images/demo1.png and
http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
Security Systems software analysis platform. This product, BSS Data
Tracer, allows a software security analysis team to perform automated
checks against many common types of vulnerabilities in both binary and
source code targets.
As the screen shots referenced above show, this product can save
thousands of hours of testing and analysis, providing a significant
return on investment for software development groups. It uses
"tainting" technology which applies data-flow analysis rules to
variables within the program. If a "tainted" variable reaches a
vulnerable API call, such as exec, system, or strcpy, then that place
is marked. A report is then generated for the perusal of security
staff. It should be noted that Bugtraq Security Systems Data Tracer is
a "static analysis" tool, and does not require the program to be
installed or run.
Bugtraq Security Systems has run the beta version of Data Tracer
against many WebMail systems. Most have vulnerabilities similar to the
one recorded in the images above. This particular example is within
the GPG subsystem of Squirrelmail, often installed by security
"experts" who in actuality have the information security knowledge of
cat food.
Adding a ";command;" to the To: line of a newly created e-mail and
then clicking "encrypt now" will execute the command as the Apache
user on recent versions of Squirrelmail, including the current CVS
version. Example:
To: ;echo "YO, dudes. Static analysis ain't rocket science." >> /tmp/message;
<click encrypt now to execute!>
Vendor Response:
Bugtraq Security have attempted to contact the vendor multiple times
since the discovery of these vulnerabilities without success. In
addition, after contacting Weld Pond and Pieter Mudge Zatko directly
via #w00w00 about their vulnerability to this issue, we were rebuffed
for not taking Microsoft-approved measures and first releasing a
press-release regarding our discoveries so we could profit from them,
l0pht-style, and worm our way into Congressional meetings on unrelated
topics where we could brag unnecessarally about our ability to shut
down the Internet, when in fact, we[2] often have problems shutting
down our Windows 2003 partition on our laptops due to the many kernel
trojans competing for time on them.
[2] Weld and Mudge, obviously. Bugtraq Security Systems uses only
QNX. We're realtime like that.
ThreatCon:
The release of this information and the potential for worms based on
proof-of-concept exploits increases the Global ThreatCon Level to an
index of 8/13 (more dangerous than normal) level. We hope that
Squirrelmail and #w00w00 members Mudge, Weld Pond and Jonathan Wilkins
will address these issues in important global internet security
infrastructure as soon as possible. Remember, it's not responsible
disclosure to paste their passwords and mail spools into random efnet
channels. Bugtraq Security Systems also does not approve of replacing
tarballs on random open-source code repositories with your findings.
If you have any questions regarding the Global ThreatCon, please visit
http://www.bugtraq.org/threatcon.html
Recommendation:
Disable the GPG plugin to Squirrelmail until a patch can be provided.
Bugtraq Data Tracer:
Requests to get on the early beta release list for BSS Data Tracer can
be sent to bugtraq@bugtraq.org. Please include a name, contact email,
phone number, address, and the hours in which you can be reached. A
sales executive will contact you shortly.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2003-0990 - Squirrelmail input validation flaw
Bugtraq Security Systems Vulnerability Reporting Policy:
http://www.bugtraq.org/research/policy/
Bugtraq Security Systems Advisory Archive:
http://www.bugtraq.org/advisories.html
Bugtraq Security Systems PGP Key:
http://www.bugtraq.org/pgp_key.asc
Bugtraq Security Systems is currently seeking application security
experts to fill several consulting positions. Applicants should have
strong application development skills and be able to perform
application security design reviews, code reviews, and application
penetration testing. Please send resumes to jobs@bugtraq.org
Copyright 2003 Bugtraq Security Systems. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE/6evTd3IqHnpF3voRAtihAJ4kghGpu1jpsje9uSEA9Rr+mG7RnQCfZesd
eYvxW+uzHDF7MP5GKO1b3RI=
=wEzP
-----END PGP SIGNATURE-----
