Re: Reported Command Injection in Squirrelmail GPG

From: Brian G. Peterson (brian_at_braverock.com)
Date: 12/26/03

Date: Fri, 26 Dec 2003 11:41:18 -0600 (CST)
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com

    Bugtraq Security Systems released an advisory on Dec 24th to the Full
    Disclosure email list about a possible Command Injection Issue in the GPG
    subsystem of Squirrelmail. Please note that Bugtraq Security Systems Inc
    has no affiliation with the well-regarded official Bugtraq list at
    securityfocus.com.

    Original full text of the advisory here:
    http://www.bugtraq.org/advisories/_BSSADV-0001.txt
    "Command Injection Issue in Squirrelmail"
    and here:
    http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3777.html
    "Bugtraq Security Systems XMAS Advisory 0001"

    Secunia also copied it here:
    http://www.secunia.com/advisories/10493/
    "Squirrelmail Address Parsing Execution of Arbitrary Commands"

    There are many problems with this 'advisory'. We'll deal with the
    technical details first, and then move on to the rest of it.

    Summary:
    The authors of the original 'advisory' claim arbitrary code execution with
    the currently released version of Squirrelmail and the GPG Plugin. This
    is false. They also claim arbitrary code execution with current CVS
    version of the Squirrelmail and GPG code. This is also false. They
    further claim to have attempted to contact the Squirrelmail 'product team'
    'several times' before releasing their vulnerability report. This is also
    false. No attempt was made to contact any member of the GPG Plugin
    team, nor was any contact made with members of the core Squirrelmail
    development team or any of the Squirrelmail development lists.

    Despite these inaccuracies and the carefully timed release of a faulty
    'advisory' during the Christmas holiday, we looked into it immediately.

    Details:
    > Adding a ";command;" to the To: line of a newly created e-mail and
    > then clicking "encrypt now" will execute the command as the Apache
    > user on recent versions of Squirrelmail, including the current CVS
    > version. Example:
    >
    > To: ;echo "YO, dudes. Static analysis ain't rocket science." >>
    > /tmp/message;
    > <click encrypt now to execute!>

    Upon digging further, we have discovered that the code for the reported
    exploit existed within Squirrelmail itself, previous to version 1.4.2
    during the address parsing.

    This is within the rfc822Header object, using the parseAddress function.
    The parseAddress code in Squirrelmail 1.4.0 does not properly completely
    remove the command noted in the 'advisory' and previous comments.
    However, even Squirrelmail 1.4.0 does munge the attack enough to not
    exactly function the way the 'advisory' claims.

    It is possible that an exploit similar to the one reported in the
    'advisory' could potentially be exploitable with GPG Plugin v 1.1 and SM v
    1.4.0.

    As of Squirrelmail 1.4.2 this attack is completely unsuccessful.

    Squirrelmail 1.4.2 was released on Oct 01, 2003.

    Since squirrelmail 1.4.2 contains other security updates, and has been
    released for some time, it is HIGHLY recommended that administrators
    upgrade immediately anyway.

    We plan to investigate this issue more thoroughly in the next day or two,
    and potentially update the Squirrelmail parseAddress function to even more
    robustly handle potentially malicious code.

    Updates as we continue to work towards further securing the GPG Plugin and
    the Squirrelmail parseAddress function will be posted on the GPG Plugin
    Bugzilla at:

    http://www.braverock.com/bugzilla/show_bug.cgi?id=139

    > This particular example is within the GPG subsystem of
    > Squirrelmail, often installed by security "experts"
    > who in actuality have the information security knowledge of
    > cat food.

    The GPG Plugin for Squirrelmail is not intended for 'security experts'.
    The GPG Plugin is a convenience feature only for the 'average' web mail
    user. It does not claim to be a super high security method of encrypting
    email. It is better than sending postcards across the network. The
    documentation and online help for the GPG Plugin explicitly warn users
    against storing their primary private keys (if they have them) on an
    untrusted or unsecured webmail server. The GPG Plugin for Squirrelmail is
    not intended to replace or remove the need for stand-alone, off-line key
    management and basic key security for mission critical keys.

    > The pictures located at http://www.bugtraq.org/images/demo1.png and
    > http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
    > Security Systems software analysis platform. This product, BSS Data
    > Tracer, allows a software security analysis team to perform automated
    > checks against many common types of vulnerabilities in both binary and
    > source code targets.
    >
    > As the screen shots referenced above show, this product can save
    > thousands of hours of testing and analysis, providing a significant
    > return on investment for software development groups. It uses
    > "tainting" technology which applies data-flow analysis rules to
    > variables within the program. If a "tainted" variable reaches a
    > vulnerable API call, such as exec, system, or strcpy, then that place
    > is marked. A report is then generated for the perusal of security
    > staff. It should be noted that Bugtraq Security Systems Data Tracer is
    > a "static analysis" tool, and does not require the program to be
    > installed or run.

    We do not appreciate your grand-standing for product placement.

    Please get your facts straight.

    > Bugtraq Security have attempted to contact the vendor multiple times
    > since the discovery of these vulnerabilities without success. In
    > addition, after contacting Weld Pond and Pieter Mudge Zatko

    My email and the email of the GPG Plugin team are clearly indicated in the
    GPG Plugin README, and on the Squirrelmail web site. No one attempted to
    contact me or any member of the GPG Plugin team on this issue.

    Further, no attempt was made by 'Bugtraq Security Inc' to contact any of
    the official Squirrelmail lists. Communication with the Squirrelmail
    development team leads confirms that none of them were contacted either.

    Other individuals that the 'advisory' claims were contacted have also
    responded that they were not contacted about this release.

    So, to summarize the technical issues, the vulnerability reported in the
    'advisory' is not completely valid at all, but could potentially be
    exploitable with GPG Plugin v 1.1 and SM v 1.4.0. Please note that these
    are old versions of both the Squirrelmail code and the GPG Plugin. The
    claim in the 'advisory' that a vulnerability exists: 'on recent versions
    of Squirrelmail, including the current CVS version.' is just plain false.

    To the members of the "Bugtraq Research Team": The members of the GPG
    Plugin and Squirrelmail development teams feel that it is a bad policy to
    release 'advisories' with so many inaccuracies and outright lies. Please
    refrain from doing so in the future.

    Regards,

        - Brian Peterson
          GPG Plugin Team Lead
          Squirrelmail Core Development Team Member

    SquirrelMail is a popular standards-based webmail package written in PHP4.
    It includes built-in pure PHP support for the IMAP and SMTP protocols.

    It is available at:
    http://www.squirrelmail.org/

    The GPG Plugin for Squirrelmail adds most commonly used GPG encryption and
    decryption functions to Squirrelmail for the convenience of Squirrelmail
    users. It is available on the Squirrelmail website and from the GPG
    Plugin development site at:
    http://www.braverock.com/gpg/
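The reply above says that the fix lies in the address parsing: a recipient taken from the To: header must never reach a gpg command line unchecked, and "munging" an injected string is not enough. The following is an added example, not code from the GPG Plugin or SquirrelMail (it uses modern PHP syntax rather than the PHP4 of the time), showing the defensive shape a practitioner would want: each recipient is matched against a strict addr-spec allow-list and rejected outright if it fails, and is still passed through escapeshellarg() as a second, independent layer. The helper names extractAddresses, isSafeRecipient and buildGpgRecipientArgs are assumptions for this illustration and are not the project's parseAddress.

```php
<?php
// Added example, not GPG Plugin or SquirrelMail code. Demonstrates validating
// recipients from a To: header before they are used to build a gpg command.

// Hypothetical helper: pull addr-spec values out of a To: header value.
// Handles "Name <user@host>" and bare "user@host" forms, comma separated.
function extractAddresses(string $headerValue): array {
    $found = [];
    foreach (explode(',', $headerValue) as $part) {
        $part = trim($part);
        // If an angle-bracket address is present, keep only what is inside it.
        if (preg_match('/<([^<>]+)>\s*$/', $part, $m)) {
            $part = trim($m[1]);
        }
        $found[] = $part;
    }
    return $found;
}

// Strict allow-list for an address: conservative local part and domain.
// Shell metacharacters such as ; | & ` $ ( ) or whitespace cannot match, so a
// value like ";echo ...;" is rejected rather than partially stripped.
function isSafeRecipient(string $addr): bool {
    return (bool) preg_match(
        '/^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/',
        $addr
    );
}

// Build the "-r <recipient>" arguments for gpg. Validation and quoting are
// two separate layers: the allow-list decides what is accepted at all, and
// escapeshellarg() guarantees the shell sees a single literal argument.
function buildGpgRecipientArgs(string $headerValue): array {
    $args = [];
    foreach (extractAddresses($headerValue) as $addr) {
        if (!isSafeRecipient($addr)) {
            throw new InvalidArgumentException("Rejected recipient: $addr");
        }
        $args[] = '-r ' . escapeshellarg($addr);
    }
    return $args;
}

// Constructed sample inputs for the demonstration.
$good = 'Alice <alice@example.org>, bob@example.net';
print_r(buildGpgRecipientArgs($good));
// Prints two entries: -r 'alice@example.org' and -r 'bob@example.net'

$bad = ';echo hello >> /tmp/message;';
try {
    buildGpgRecipientArgs($bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // Rejected recipient: ;echo hello >> /tmp/message;
}
```

The point of rejecting rather than cleaning is that a parser which only removes the characters it recognises leaves the remainder of an unexpected input in place, which is the behaviour the reply describes for the pre-1.4.2 parseAddress; an allow-list fails closed on anything outside the expected address grammar.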
