[VulnWatch] Bugtraq Security Systems ADV 0001

From: Bugtraq Security Systems (research_at_bugtraq.org)
Date: 12/24/03

    Date: Wed, 24 Dec 2003 14:50:10 -0500 (EST)
    To: vulnwatch@vulnwatch.org


                    Bugtraq Security Systems, Incorporated

                               Security Advisory

    Advisory Name: Command Injection Issue in Squirrelmail
     Release Date: 12/24/2003
      Application: Squirrelmail
         Platform: Linux (IA32)
                   Linux (sparc)
                   Linux (sparc64)
                   Linux (hppa)
                   Linux (ppc)
                   Linux (xbox)
                   Linux (IA64)
                   SUN Solaris (IA32)
                   SUN Solaris (sparc)
                   SUN Solaris (sparc64)
                   OpenBSD (386)
                   FreeBSD (386)
                   SCO OpenServer (All versions)
                   HPUX (hppa)
                   HPUX (IA64)
                   Compaq Tru64
                   Microsoft Windows NT (Alpha)
                   Microsoft Windows NT (IA32)
         Severity: Flaw in input validation allows execution
                   of arbitrary commands as the Apache user.
           Author: The Bugtraq Team, Collectively [bugtraq@bugtraq.org]
    Vendor Status: Patches pending.
    CVE Candidate: CAN-2003-0990 - Squirrelmail input validation flaw
        Reference: www.bugtraq.org/advisories/bssadv0002.txt

              .-. MERRY X-MAS .~~~.
      .;;;;. ( ^_> / whitehat. (\__/) .' )
     <;<; \;>\ ! \ /o o \/ .~
    <;<; '-.>) \ {o_, \ {
    <;<; <'=. | / , , ) \
     <;<; '- / `~ '-' \ }
       <;,\.\--'` _( ( )_.'
          `==`== '---..{____}

    SquirrelMail is a standards-based webmail package written in PHP4. It
    includes built-in pure PHP support for the IMAP and SMTP protocols,
    and all pages render in pure HTML 4.0 (with no JavaScript required)
    for maximum compatibility across browsers. It has very few
    requirements and is very easy to configure and install. SquirrelMail
    has all the functionality you would want from an email client,
    including strong MIME support, address books, and folder manipulation.

    It should also be noted that the internet security rock-star Mudge,
    along with several other famed w00w00 members, uses Squirrelmail. We
    at Bugtraq Security Systems would expect more proactive auditing of
    basic infrastructure used by famed black-hat[1] hackers such as Mudge,
    or Weld Pond a.k.a. "Chris Wysopal".

    Once the vulnerability has been exploited, access to the affected
    machine as the Apache user is gained. This allows an attacker to
    co-opt the web site, and the Squirrelmail instance. For example, it is
    easy to sniff e-mail and obtain usernames and passwords for
    Squirrelmail users, which are identical to their login usernames and
    passwords, in most cases.

    [1] Out of curiosity, if you break the law, for example, by speeding
    in your car, or by taking illegal drugs, but have not yet been caught
    at actually hacking into a computer, do you consider yourself to be a
    black-hat or a white-hat? Does the color of your hat apply just to
    your behavior at a keyboard, or does your behavior in real life also
    relate? At what point do you lose your ability to label others as
    responsible or not? We at Bugtraq Security Systems find these
    rhetorical questions funny. We also find it gut-bustingly hilarious
    when drug addicts become volcanos of hypocrisy, spouting off at every
    new "blackhat" antic that comes to light. You don't see "Blackhats
    Against Crystal Meth" lobbying congress, do you?


    The pictures located at http://www.bugtraq.org/images/demo1.png and
    http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
    Security Systems software analysis platform. This product, BSS Data
    Tracer, allows a software security analysis team to perform automated
    checks against many common types of vulnerabilities in both binary and
    source code targets.

    As the screen shots referenced above show, this product can save
    thousands of hours of testing and analysis, providing a significant
    return on investment for software development groups. It uses
    "tainting" technology which applies data-flow analysis rules to
    variables within the program. If a "tainted" variable reaches a
    vulnerable API call, such as exec, system, or strcpy, then that place
    is marked. A report is then generated for the perusal of security
    staff. It should be noted that Bugtraq Security Systems Data Tracer is
    a "static analysis" tool, and does not require the program to be
    installed or run.
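A minimal illustration of the "tainting" pass described above, as an added example (it is not BSS Data Tracer, whose rules are not shown on this page): it marks variables assigned from request superglobals, propagates taint through assignments, treats escapeshellarg() as a sanitizer, and reports command-execution sinks that receive a tainted variable. The sample source it scans is constructed; PHP 8 is assumed.

```php
<?php
// Added example: a line-oriented taint pass of the kind the advisory
// describes. Not BSS Data Tracer; sources, sinks and sanitizers are assumed.

const SOURCES    = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
const SINKS      = ['exec', 'system', 'shell_exec', 'passthru', 'popen'];
const SANITIZERS = ['escapeshellarg', 'escapeshellcmd'];

function taint_trace(string $src): array
{
    $tainted  = [];   // variable name => line where it became tainted
    $findings = [];
    foreach (explode("\n", $src) as $i => $line) {
        $n = $i + 1;
        // Assignment "$var = <expr>;": taint flows from a source or a
        // tainted variable on the right-hand side unless a sanitizer wraps it.
        if (preg_match('/^\s*(\$\w+)\s*=\s*(.+);/', $line, $m)) {
            [, $lhs, $rhs] = $m;
            $fromSource  = array_filter(SOURCES, fn($s) => str_contains($rhs, $s));
            $fromTainted = array_filter(array_keys($tainted), fn($v) => str_contains($rhs, $v));
            $sanitized   = array_filter(SANITIZERS, fn($f) => str_contains($rhs, $f . '('));
            if (($fromSource || $fromTainted) && !$sanitized) {
                $tainted[$lhs] = $n;
            } else {
                unset($tainted[$lhs]);   // a clean reassignment clears taint
            }
        }
        // Sink call whose argument list mentions a tainted variable.
        foreach (SINKS as $sink) {
            if (preg_match('/\b' . $sink . '\s*\((.*)\)/', $line, $m)) {
                foreach ($tainted as $var => $origin) {
                    if (str_contains($m[1], $var)) {
                        $findings[] = "line $n: $sink() receives $var (tainted at line $origin)";
                    }
                }
            }
        }
    }
    return $findings;
}

// Constructed sample resembling the recipient-to-shell pattern in the advisory.
$sample = <<<'PHP'
$to  = $_POST['send_to'];
$cmd = "gpg -e -r $to /tmp/msg";
system($cmd);
$safe = escapeshellarg($_POST['send_to']);
system("gpg -e -r $safe /tmp/msg");
PHP;

foreach (taint_trace($sample) as $f) {
    echo $f, "\n";   // reports only line 3; line 5 is sanitized
}
```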

    Bugtraq Security Systems has run the beta version of Data Tracer
    against many WebMail systems. Most have vulnerabilities similar to the
    one recorded in the images above. This particular example is within
    the GPG subsystem of Squirrelmail, often installed by security
    "experts" who in actuality have the information security knowledge of
    cat food.

    Adding a ";command;" to the To: line of a newly created e-mail and
    then clicking "encrypt now" will execute the command as the Apache
    user on recent versions of Squirrelmail, including the current CVS
    version. Example:

    To: ;echo "YO, dudes. Static analysis ain't rocket science." >> /tmp/message;
    <click encrypt now to execute!>
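To show the flaw class in defensive terms, here is an added example (not SquirrelMail's or the GPG plugin's code; the function names and gpg invocation are assumptions) of a recipient string reaching a shell command line, beside a hardened version that allow-lists the value and quotes every argument.

```php
<?php
// Added illustration of the flaw class in the advisory: a recipient taken
// from the To: field reaching a shell command line. This is not SquirrelMail
// or GPG-plugin code; function names and the gpg invocation are assumptions.

// VULNERABLE PATTERN: the address is interpolated straight into the command
// string, so a value such as ';id;' ends the gpg command and starts another.
function gpg_cmd_unsafe(string $recipient, string $msgfile): string
{
    // would be handed to exec()/system(); returned here for inspection only
    return "gpg --batch --yes --armor --encrypt -r $recipient $msgfile";
}

// HARDENED: allow-list the recipient first (an address or a hex key id),
// then quote every argument with escapeshellarg(), which wraps the value in
// single quotes so the shell never interprets metacharacters inside it.
function valid_recipient(string $r): bool
{
    $addr  = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}';
    $keyid = '[0-9A-Fa-f]{8,40}';
    return (bool) preg_match("/^(?:$addr|$keyid)\$/", $r);
}

function gpg_cmd_safe(string $recipient, string $msgfile): ?string
{
    if (!valid_recipient($recipient)) {
        return null;   // refuse and report to the user; never run anything
    }
    // Better still on PHP >= 7.4: proc_open() with an argv array, no shell at all.
    return 'gpg --batch --yes --armor --encrypt -r ' . escapeshellarg($recipient)
         . ' ' . escapeshellarg($msgfile);
}

// Constructed inputs: a normal address and one carrying shell metacharacters.
$normal  = 'alice@example.org';
$hostile = ';id;';

echo gpg_cmd_unsafe($hostile, '/tmp/msg'), "\n";   // command line broken open
var_dump(gpg_cmd_safe($hostile, '/tmp/msg'));      // NULL: rejected up front
echo gpg_cmd_safe($normal, '/tmp/msg'), "\n";      // one quoted gpg command
```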

    Vendor Response:

    Bugtraq Security have attempted to contact the vendor multiple times
    since the discovery of these vulnerabilities without success. In
    addition, after contacting Weld Pond and Pieter Mudge Zatko directly
    via #w00w00 about their vulnerability to this issue, we were rebuffed
    for not taking Microsoft-approved measures and first releasing a
    press-release regarding our discoveries so we could profit from them,
    l0pht-style, and worm our way into Congressional meetings on unrelated
    topics where we could brag unnecessarily about our ability to shut
    down the Internet, when in fact, we[2] often have problems shutting
    down our Windows 2003 partition on our laptops due to the many kernel
    trojans competing for time on them.

    [2] Weld and Mudge, obviously. Bugtraq Security Systems uses only
    QNX. We're realtime like that.


    The release of this information and the potential for worms based on
    proof-of-concept exploits increases the Global ThreatCon Level to an
    index of 8/13 (more dangerous than normal) level. We hope that
    Squirrelmail and #w00w00 members Mudge, Weld Pond and Jonathan Wilkins
    will address these issues in important global internet security
    infrastructure as soon as possible. Remember, it's not responsible
    disclosure to paste their passwords and mail spools into random efnet
    channels. Bugtraq Security Systems also does not approve of replacing
    tarballs on random open-source code repositories with your findings.

    If you have any questions regarding the Global ThreatCon, please visit


    Disable the GPG plugin to Squirrelmail until a patch can be provided.

    Bugtraq Data Tracer:

    Requests to get on the early beta release list for BSS Data Tracer can
    be sent to bugtraq@bugtraq.org. Please include a name, contact email,
    phone number, address, and the hours in which you can be reached. A
    sales executive will contact you shortly.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

            CAN-2003-0990 - Squirrelmail input validation flaw

    Bugtraq Security Systems Vulnerability Reporting Policy:

    Bugtraq Security Systems Advisory Archive:

    Bugtraq Security Systems PGP Key:

    Bugtraq Security Systems is currently seeking application security
    experts to fill several consulting positions. Applicants should have
    strong application development skills and be able to perform
    application security design reviews, code reviews, and application
    penetration testing. Please send resumes to jobs@bugtraq.org

    Copyright 2003 Bugtraq Security Systems. All rights reserved.

