[UNIX] vpopmail CGIApps Arbitrary Command Execution (vadddomain, vpasswd)
From: support@securiteam.com Date: 10/25/02
From: support@securiteam.com To: list@securiteam.com Date: 25 Oct 2002 14:56:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
vpopmail CGIApps Arbitrary Command Execution (vadddomain, vpasswd)
------------------------------------------------------------------------
SUMMARY
vpopmail-CGIApps (http://diario.buscadoc.org/index.php?topic=Programas) is a
qmail-vpopmail domain administrator and vpopmail password changer CGI
application written in Python. By supplying specially crafted data in the
domain form field (a ";" followed by a command), the script passes the input
straight to the os.system() function, which adds the domain and then executes
the command that follows the ";".
DETAILS
Impact:
An attacker can execute arbitrary code as the setuid user of the script
(normally vpopmail), which allows them to add, modify and delete
accounts/domains in the database, add and edit system files, etc.
This can lead to complete e-mail server compromise.
Exploit:
vadddomain:
In "domini" field, put: "; echo 'test' > /tmp/vpoptest" When you send the
form, a new file in /tmp will be created.
vpasswd:
Put a valid username/password in the first part of the form. Then, in "new
password" field, put: "; echo 'test' > /tmp/vpoptest". Repeat that string
on the confirm password field. When you send the form a new file in /tmp
will be created.
Temporary workaround:
Before the os.system() method is called, strip the ";" from the user-supplied
fields. Note that string.replace() returns a new string rather than modifying
its argument, so the result must be assigned back:
import string
domini = string.replace(domini, ";", "")   # vadddomain: domain field
direc = string.replace(direc, ";", "")     # vpasswd: username field
passx = string.replace(passx, ";", "")     # vpasswd: password field
os.system('/usr/bin/sudo -u root /home/vpopmail/bin/vpasswd' + " " + direc +
" " + passx)
(NOTE: This is insufficient to address other issues present in this
product).
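The following Python is an added example, not code from the vpopmail-CGIApps project or from the advisory. It places the vulnerable pattern the SUMMARY describes (user input concatenated into an os.system() command line) beside a hardened replacement, and shows why the ";"-stripping workaround above is only partial. The field names domini, direc and passx and the vpasswd path are taken from the advisory; the allow-list patterns and the fake runner are assumptions made for the example.

```python
import re
import subprocess

# Path taken from the advisory's workaround; assumed to be the real binary location.
VPASSWD = "/home/vpopmail/bin/vpasswd"

# Shell metacharacters that still reach the shell after only ";" is removed.
SHELL_METACHARS = set("|&`$()<>\n")


def vulnerable_command(direc, passx):
    """Builds (but never runs) the command line the advisory describes:
    untrusted form fields are concatenated into a string for os.system()."""
    return "/usr/bin/sudo -u root " + VPASSWD + " " + direc + " " + passx


def workaround_strip_semicolon(value):
    """The advisory's temporary workaround: drop ";" only."""
    return value.replace(";", "")


def contains_shell_metacharacters(value):
    """True when a value still carries characters a shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in value)


# Assumed local policy: lowercase DNS labels, 1-63 chars, no leading/trailing "-".
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(r"^" + _LABEL + r"(?:\." + _LABEL + r")+$", re.IGNORECASE)
_EMAIL_RE = re.compile(r"^[a-z0-9._+-]{1,64}@" + _LABEL + r"(?:\." + _LABEL + r")+$",
                       re.IGNORECASE)


def validate_domain(domini):
    """Allow-list check for the vadddomain 'domini' field."""
    return bool(_DOMAIN_RE.match(domini))


def validate_email(direc):
    """Allow-list check for the vpasswd 'direc' (user@domain) field."""
    return bool(_EMAIL_RE.match(direc))


def build_vpasswd_argv(direc, passx):
    """Hardened construction: validate the identifier field and pass every
    value as its own argv element, so the shell never parses the input.
    A password is free-form, but NUL/newline and a leading '-' are refused
    (the latter because vpasswd's option parsing is not verified here)."""
    if not validate_email(direc):
        raise ValueError("invalid user address")
    if "\x00" in passx or "\n" in passx or passx.startswith("-") or not passx:
        raise ValueError("invalid password value")
    return ["/usr/bin/sudo", "-u", "root", VPASSWD, direc, passx]


def run_vpasswd(direc, passx, runner=subprocess.run):
    """Runs vpasswd without a shell. 'runner' is injectable so the example
    can be exercised offline with a fake that only records the argv.
    Note: argv is visible in process listings, as with the original script."""
    argv = build_vpasswd_argv(direc, passx)
    return runner(argv, shell=False, check=True)


if __name__ == "__main__":
    # Constructed input mirroring the advisory's test string.
    payload = "; echo 'test' > /tmp/vpoptest"
    print("vulnerable:", vulnerable_command("user@example.com", payload))
    print("after workaround:", repr(workaround_strip_semicolon(payload)))
    print("still has metachars:", contains_shell_metacharacters(workaround_strip_semicolon(payload)))

    def fake_runner(argv, **kwargs):
        print("would exec argv:", argv)
        return argv

    run_vpasswd("user@example.com", payload, runner=fake_runner)
```

With the list form, the whole payload becomes the single password argument and is never interpreted by a shell; the allow-list on the identifier fields additionally rejects anything that is not a plausible domain or address before any command is built.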
ADDITIONAL INFORMATION
The original advisory can be downloaded by going to:
http://www.centaura.com.ar/infosec/adv/vpopmailCGIappsdomain.txt
http://www.centaura.com.ar/infosec/adv/vpopmailCGIapps.txt
The information has been provided by Ignacio Vazquez <n.bugtraq@icana.org.ar>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.