In-Reply-To: <200404170420.32857.matias@neiff.com.ar>

Hi,

Did you drink too much when writing this `advisory'? No seriously, you even made a typo in the title of your thread! Did you inform the people at Squirrelmail about this?

I located the exact vuln in chpasspwd.c:

----
char User[STR_MAX];
char New_pw[50];
char Old_pw[50];
..
sprintf(User,"%s",argv[1]);
sprintf(Old_pw,"%s",argv[2]);
sprintf(New_pw,"%s",argv[3]);
----

STR_MAX has a value of 100. So as you probably already have seen, there occurs a stack based overflow when user, old_pw or new_pw is filled with too many bytes (which come from argv[], the command line).

In your `exploitation example' you used local rights to exploit this. However, I think it's also possible to exploit without shell access, using the squirrelmail webinterface itself. I'm at work right now, but when I'm home I'll be looking into creating a PoC exploit for this one.

Best regards,
Peter "blasty" Geissler

P.S. The version of the chpasswd plugin found on the squirrelmail/SF page is still vulnerable to this bug, so I doubt you informed the people at squirrelmail..
>From: Matias Neiff <matias@neiff.com.ar>
>To: bugtraq@securityfocus.com
>Subject: Squirrelmail Chpasswod bof
>Date: Sat, 17 Apr 2004 04:20:26 -0300
>Message-Id: <200404170420.32857.matias@neiff.com.ar>
>
>Hi all
>
>There is a buffer overflow in the chpasswd binary, distributed with the
>plugin. This allows a local user to execute commands as root.
>---:::Prott:::---
>root@orco:/mnt/hosting/hack/bof# su webmaster
>webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
>Using address: 0xbfffe325
>bash-2.05b$ ./chpasswd $RET asdf asdf
>The new password is equal to old password. Choose another password.
>sh-2.05b# id
>uid=0(root) gid=3(sys) groups=500(webmaster)
>sh-2.05b#
>---:::end:::---
>
>Bye all
>
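The fix the thread's analysis points at is a length check before each copy, since sprintf(User,"%s",argv[1]) writes however many bytes argv carries into a 100- or 50-byte stack buffer. The following is an added example written for this thread, not code from the chpasswd plugin or from either poster; the buffer sizes (STR_MAX of 100, two 50-byte password buffers) are taken from the quoted excerpt, while copy_arg_checked and read_args_checked are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Same buffer sizes as the chpasswd.c excerpt quoted in the thread. */
#define STR_MAX 100
#define PW_MAX  50

/* Copy src into a fixed-size dst only if it fits including the NUL.
 * Returns 0 on success; returns -1 and leaves dst empty when src is
 * too long. memchr bounds the scan so an unterminated src is never
 * read past dstsz bytes. This is the check the sprintf pattern lacks. */
static int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz); /* NUL within dstsz? */
    if (end == NULL) {                          /* no room for NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);  /* includes the NUL */
    return 0;
}

/* Mirror of the three copies in chpasswd.c with bounds enforced.
 * user must point at STR_MAX bytes, old_pw and new_pw at PW_MAX bytes.
 * Returns 0 when argc is sufficient and all three arguments fit,
 * -1 otherwise, so the caller can refuse the request instead of
 * overflowing the stack. */
int read_args_checked(int argc, char *argv[],
                      char *user, char *old_pw, char *new_pw)
{
    if (argc < 4)
        return -1;
    if (copy_arg_checked(user,   STR_MAX, argv[1]) != 0) return -1;
    if (copy_arg_checked(old_pw, PW_MAX,  argv[2]) != 0) return -1;
    if (copy_arg_checked(new_pw, PW_MAX,  argv[3]) != 0) return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    char user[STR_MAX], old_pw[PW_MAX], new_pw[PW_MAX];
    if (read_args_checked(argc, argv, user, old_pw, new_pw) != 0) {
        fprintf(stderr, "usage: %s user old_pw new_pw (user < %d, "
                "passwords < %d chars)\n", argv[0], STR_MAX, PW_MAX);
        return 1;
    }
    printf("arguments accepted for user %s\n", user);
    return 0;
}
```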