[UNIX] Vulnerabilities in PGPMail.pl Lead to Remote Code Execution

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 13 Dec 2001 20:33:01 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Vulnerabilities in PGPMail.pl Lead to Remote Code Execution
------------------------------------------------------------------------

SUMMARY

 <ftp://ftp.venturablvd.com/pub/pgpmail/> PGPMail.pl is a Perl script that
extends Matt Wright's FormMail v1.5 to encrypt HTML form data with PGP.
Two vulnerabilities allow a remote attacker to execute arbitrary commands
on the web server on which the script is installed.

DETAILS

Vulnerable systems:
PGPMail.pl version 1.31

The script passes user-supplied data directly to a shell:

line 373:
    open (MAIL, "|$mailprog $CONFIG{'recipient'}") ||
        die "Can't open $mailprog!\n";

line 383:
    $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");

The CONFIG hash is built either from QUERY_STRING or from standard input,
depending on the request method used to submit the form to the script.
None of the input is filtered, so the 'recipient' and 'pgpuserid' fields
reach /bin/sh unchanged through the two-argument pipe opens above. It
should be noted that although the script checks the HTTP_REFERER field
against a list of acceptable sources, this is not a mitigation: the
Referer header is supplied by the client, so the check is bypassed by
trivially forging a valid referrer.
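To make the contrast concrete, here is an added example (written for this edit, not code from PGPMail.pl, its author, or the patch contributors) of the two pipe opens with the form data kept away from the shell: the mail open uses Perl's list-form open together with the -t approach from the patch, and the PGP open uses the fork/exec idiom from perlipc so the stdout redirection no longer needs a shell. The program paths, the function names, the allow-list character set and the probe strings are assumptions chosen for the example.

```perl
#!/usr/bin/perl
# Added example for this advisory, not code from PGPMail.pl or its author.
# It contrasts the two-argument pipe open used by the script (which hands
# the whole command string to /bin/sh) with forms that never let form data
# reach a shell. $mailprog, $pgpprog, $pgptmp and the allow-list characters
# below are assumptions chosen for the example.
use strict;
use warnings;

my $mailprog = '/usr/sbin/sendmail';   # assumed path
my $pgpprog  = '/usr/bin/pgp';         # assumed path
my $pgptmp   = '/tmp/pgpmail.out';     # assumed temp file

# The shape of the vulnerable open: one string, interpreted by the shell.
# Returned rather than executed so the example can be run safely.
sub vulnerable_command_string {
    my ($recipient) = @_;
    return "|$mailprog $recipient";
}

# PGP user ids must be passed as an argument, so validate them against an
# anchored allow-list and fail closed. An unanchored /([a-zA-Z0-9]+)/ would
# instead silently keep the first alphanumeric run of a hostile value.
sub validate_pgp_userid {
    my ($id) = @_;
    return undef unless defined $id;
    return $1 if $id =~ /^([A-Za-z0-9._@-]{1,64})$/;   # assumed allow-list
    return undef;
}

# With `sendmail -t` the recipient and sender come from the message
# headers, so each header value must be a single line.
sub validate_header_value {
    my ($v) = @_;
    return undef unless defined $v;
    return undef if $v =~ /[\r\n]/;
    return $v;
}

# List-form open: Perl execs $mailprog with this exact argv; no shell is
# involved, so no form field can become a command.
sub open_mail_pipe {
    my ($recipient, $name, $email) = @_;
    for my $h ($recipient, $name, $email) {
        defined validate_header_value($h) or die "bad header value\n";
    }
    open(my $mail, '|-', $mailprog, '-t') or die "Can't open $mailprog: $!\n";
    print $mail "To: $recipient\n";
    print $mail "From: $name <$email>\n";
    return $mail;
}

# The PGP step also redirects stdout to a file, which the original did with
# shell '>'. The fork/exec idiom from perlipc does the same without a shell.
sub open_pgp_pipe {
    my ($userid) = @_;
    my $safe = validate_pgp_userid($userid);
    die "invalid PGP user id\n" unless defined $safe;
    my $pid = open(my $pgp, '|-');           # fork; child's STDIN is the pipe
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {                         # child
        open(STDOUT, '>', $pgptmp) or die "cannot write $pgptmp: $!\n";
        exec($pgpprog, '-fea', '+VERBOSE=0', $safe);   # argv list, never sh
        die "exec $pgpprog failed: $!\n";
    }
    return $pgp;                             # parent writes plaintext here
}

# Self-check on constructed inputs; nothing is executed.
my @probes = ('alice', 'alice@example.org', 'alice; id', '`id`', '');
for my $p (@probes) {
    my $v = validate_pgp_userid($p);
    printf "%-22s => %s\n", "'$p'", defined $v ? "accepted as '$v'" : 'rejected';
}
print "shell would see: ", vulnerable_command_string('alice; id'), "\n";
```

Run it with perl to see which probe values the validator accepts; the two open_* functions are ordinary Perl and would exec the configured programs if called. Because the list form of open and exec with more than one argument never invoke /bin/sh, the allow-list becomes defence in depth rather than the only barrier between the form and the shell.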

Solution:
Apply the following patch:

< open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open
$mailprog!\n";
< print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
- ---
> # Don't pass the recipient to the $mailprog on the command line.
> # Instead, use the '-t' feature. Fixed by Joe Testa
> # (joetesta@hushmail.com).
> open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
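Review bot: The replacement `open (MAIL, "|$mailprog -t")` relies on sendmail's -t switch, which takes the recipients from the To:/Cc:/Bcc: headers of the message itself, but this hunk removes `$CONFIG{'recipient'}` from the command line without showing a `print MAIL "To: ..."` line being added, so as given the recipient is dropped unless a To: header is already written elsewhere; the patch should include or reference that line. It should also state that -t is a sendmail-family option, so the fix assumes $mailprog is sendmail or a compatible wrapper.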
375a378
> print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
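Review bot: The re-added `print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";` is byte-for-byte the line removed in the previous hunk, so this is only a move, and both form fields are still interpolated into a message header unfiltered. Now that the mailer parses the headers (-t), a value containing CR or LF would end the From: line and be read as further headers, so both values should be rejected or have [\r\n] removed before this print; the same check belongs on whatever line emits the recipient header.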
383c386,392
< $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0
\"$CONFIG{'pgpuserid'}\" > $pgptmp");
- ---
> # The PGP user id must be passed via command line, so make sure
> # that only legal characters are present. Fixed by Joe Testa
> # (joetesta@hushmail.com).
> $theUserID = $CONFIG{'pgpuserid'};
> $theUserID =~ /([a-zA-Z0-9]+)/;
> $theUserID = $1;
> $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$theUserID\"
>$pgptmp");

Vendor status:
The script's author, <mailto:pgpmail@venturablvd.com> William Malin, was
contacted on Friday, November 9, 2001. No reply was received.

ADDITIONAL INFORMATION

The information has been provided by <mailto:joetesta@hushmail.com> Joe
Testa, <mailto:twanger@bluetwanger.de> Markus Bertheau, and
<mailto:jscimone@cc.gatech.edu> John Scimone.
