Openwebmail 1.71 remote root compromise

From: Dmitry Guyvoronsky (demiurg@altaee.com)
Date: 12/18/02

    Date: Wed, 18 Dec 2002 19:37:59 +0200
    From: Dmitry Guyvoronsky <demiurg@altaee.com>
    To: bugtraq@securityfocus.com


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: MD5

    Security Advisory 12.18.02

    Software : Openwebmail (http://openwebmail.org)
    Version : ?.?? -> 1.71 (current)
    Type : Arbitrary commands execution
    Remote : yes
    Root : yes (!!!)
    Date : December 18, 2002

    I. BACKGROUND

    Openwebmail is a web-based email system. It consists of several Perl CGI
    scripts that run under the superuser account (suidperl is used).

    II. DESCRIPTION

    Remote exploitation of several errors in the Openwebmail scripts
    could allow a remote attacker to execute arbitrary commands with
    superuser permissions. Although this requires the attacker to be able to
    place two files on the target system (e.g. via FTP, or through local shell
    access), it is a very serious vulnerability and should be taken seriously.

    Let's inspect the sources:

    - --- openwebmail-abook.pl
    #!/usr/bin/suidperl -T
    ...
    require "openwebmail-shared.pl";
    ...
    openwebmail_init();
    ...
    - ---

    - --- openwebmail-shared.pl
    ...
    sub openwebmail_init {
    ...
       $thissession = param("sessionid"); # (0)
    ...
       $loginname =~ s/\-session\-0.*$//; # (1)

       my $siteconf;
       if ($loginname=~/\@(.+)$/) {
           $siteconf="$config{'ow_etcdir'}/sites.conf/$1"; # (2)
       } else {
           my $httphost=$ENV{'HTTP_HOST'}; $httphost=~s/:\d+$//;
           $siteconf="$config{'ow_etcdir'}/sites.conf/$httphost";
       }
       readconf(\%config, \%config_raw, "$siteconf") if ( -f "$siteconf"); # (3)
    ...
       require $config{'auth_module'}; # (4)
    - ---

    (0) The attacker can pass anything here:
         http://site.url/cgi-bin/openwebmail-abook.pl?sessionid=@[PATH]-session-0

    (1) $loginname now holds [PATH] (e.g. "../../../../../home/ftp/incoming/attacker.conf" )

    (2) $siteconf holds the path of a custom config file on the server. The
        attacker can upload the config file via anonymous FTP (if any), or simply
        place it somewhere (if he has local access)

    (3) readconf() treats $siteconf as a plaintext file, every line of which has the format:
    - --
    var_name variable_value
    - --
         In our case, <attacker.conf> should contain the line
    - --
    auth_module /home/ftp/incoming/exploit.pl
    - --

    (4) <exploit.pl> is executed with superuser permissions (!!!)

    III. DETECTION

    To detect whether you are running a vulnerable version of the openwebmail
    software, check the responses of the CGI scripts. For example:

    - --------
    [user@host][~]: lynx -dump http://site/cgi-bin/openwebmail/openwebmail.pl | grep -i "version"
                            Open WebMail version 1.71
    - --------

    Vulnerable versions are ?.?? -> 1.71
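    Beyond checking the version banner, a defender can look for exploitation
    attempts in the web server's access log. The Python below is an added
    example (not from the advisory or the Open WebMail project) that parses
    Apache-style common-log lines, decodes the sessionid parameter of requests
    to the openwebmail CGI scripts, and flags any whose '@' site part contains
    a path separator or '..', which is the shape the advisory describes. The
    log lines are constructed samples, not a real capture.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache common-log lines (not a real capture): one traversal
# attempt in the clear, one normal login session, a percent-encoded
# attempt from the same source, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2002:19:40:01 +0200] "GET /cgi-bin/openwebmail/openwebmail-abook.pl?sessionid=@../../../../../home/ftp/incoming/attacker.conf-session-0 HTTP/1.0" 200 512
198.51.100.2 - - [18/Dec/2002:19:41:15 +0200] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=alice@mail.example.test-session-0.123456 HTTP/1.1" 200 8192
203.0.113.7 - - [18/Dec/2002:19:42:30 +0200] "GET /cgi-bin/openwebmail/openwebmail-abook.pl?sessionid=%40..%2F..%2Ftmp%2Fx.conf-session-0 HTTP/1.0" 200 512
192.0.2.9 - - [18/Dec/2002:19:43:00 +0200] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)


def loginname_from_sessionid(sessionid):
    """Same suffix strip the vulnerable openwebmail_init() performs."""
    return re.sub(r"-session-0.*$", "", sessionid)


def is_traversal_sessionid(sessionid):
    """True when the '@' site part of the session id carries path syntax.
    A legitimate site name has no '/' or '..'; the advisory's payload is
    made of little else."""
    m = re.search(r"@(.+)$", loginname_from_sessionid(sessionid))
    if not m:
        return False
    site = m.group(1)
    return "/" in site or "\\" in site or ".." in site


def scan_log(text):
    """Return (ip, script path, decoded sessionid) for each suspicious
    request to an Open WebMail CGI script."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if "openwebmail" not in url.path:
            continue
        for value in parse_qs(url.query).get("sessionid", []):
            # parse_qs already decoded one layer; unquote catches a second.
            decoded = unquote(value)
            if is_traversal_sessionid(decoded):
                hits.append((m.group("ip"), url.path, decoded))
    return hits


if __name__ == "__main__":
    for ip, script, sid in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {script} sessionid={sid}")
```

    Run against the real access log by reading it into scan_log(); the normal
    session id in the second sample line is not flagged because its site part
    is a plain host name, while both traversal-shaped requests are.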

    IV. RECOMMENDATIONS

    Temporarily disable Open WebMail until a patch is released by the vendor,
    or fix openwebmail-shared.pl by changing

    - ---
       $loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
    - ---

    into

    - ---
       $loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
       $loginname =~ s/[\.\/\;\|\'\"\`\&]//g;
    - ---
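
    To make steps (0)-(4) of section II and the effect of the regex above
    concrete, the following Python script (added here; it is not Open WebMail
    code and not part of the advisory) mirrors the page's three regexes on a
    legitimate and on a traversal-shaped sessionid, applies the advisory's
    character strip, and adds a path-containment check as a second line of
    defence. The ow_etcdir value, the HTTP_HOST default and the sample
    sessionids are assumed or constructed.

```python
import posixpath
import re

# Assumed value for $config{'ow_etcdir'}; the real directory depends on the install.
OW_ETCDIR = "/var/www/openwebmail/etc"
SITES_DIR = OW_ETCDIR + "/sites.conf"


def loginname_from_sessionid(sessionid):
    """Step (1): strip the '-session-0...' suffix, as the Perl substitution does."""
    return re.sub(r"-session-0.*$", "", sessionid)


def siteconf_path(loginname, http_host="mail.example.test"):
    """Step (2): the per-site config path is built from whatever follows '@'
    in the login name, falling back to HTTP_HOST (port stripped) otherwise."""
    m = re.search(r"@(.+)$", loginname)
    if m:
        site = m.group(1)
    else:
        site = re.sub(r":\d+$", "", http_host)
    return f"{SITES_DIR}/{site}"


def resolved_siteconf(loginname):
    """Where the step (2) path actually points once '..' segments collapse
    (lexical only; a production check would use realpath on the filesystem)."""
    return posixpath.normpath(siteconf_path(loginname))


def is_contained(path, base_dir=SITES_DIR):
    """Reject any candidate config path that escapes sites.conf/."""
    norm = posixpath.normpath(path)
    base = posixpath.normpath(base_dir)
    return norm == base or norm.startswith(base + "/")


def sanitize_advisory(loginname):
    """The advisory's recommended fix: remove . / ; | ' " ` & from the login name."""
    return re.sub(r"""[./;|'"`&]""", "", loginname)


def safe_siteconf(sessionid):
    """Hardened steps (1)-(3): sanitize, then refuse to read a config file
    unless its path stays inside sites.conf/. Returns the path to read, or
    None when the request must be rejected."""
    loginname = sanitize_advisory(loginname_from_sessionid(sessionid))
    path = siteconf_path(loginname)
    return path if is_contained(path) else None


if __name__ == "__main__":
    # Constructed sessionids: a normal one and the traversal shape from the advisory.
    legit = "alice@mail.example.test-session-0.123456"
    hostile = "@../../../../../home/ftp/incoming/attacker.conf-session-0"
    for sid in (legit, hostile):
        name = loginname_from_sessionid(sid)
        print(f"{sid}\n  unpatched reads: {resolved_siteconf(name)}"
              f" (inside sites.conf: {is_contained(siteconf_path(name))})"
              f"\n  patched reads:   {safe_siteconf(sid)}")
```

    Two things the output makes visible: the unpatched path for the traversal
    sessionid normalises to a file entirely outside sites.conf/, which the
    containment check catches even without the regex; and the advisory's
    character strip also removes '.', so a login of the form user@host.domain
    is looked up as sites.conf/hostdomain after the fix. A containment check
    rejects traversal without altering legitimate dotted site names.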

    V. VENDOR FIX

    The software vendor was notified on 2002-12-18.

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6

    iQCVAwUAPgCwzZ50N4jT94ZbAQElSQP/eWwL1uhXtFy7DhxdHh6H7nDUQ84vJRKM
    Ay2a1O/kUWRe8M6AQWsf8tJp+VbxfwJxjhOdridMic2v29+7yehtKVu/vaPljTG4
    mf2tPGLcE6FE/ptdUFlIVWKuo+bC92RDQnTDc//y1fm7GNXBT6LLBsNfXob2tw0R
    J2I07x1eYQg=
    =VRwu
    -----END PGP SIGNATURE-----