View Full Version : Openwebmail 1.71 remote root compromise



Dmitry Guyvoronsky
19/12/02, 20:15

Security Advisory 12.18.02

Software : Openwebmail (http://openwebmail.org)
Version : ?.?? -> 1.71 (current)
Type : Arbitrary commands execution
Remote : yes
Root : yes (!!!)
Date : December 18, 2002

I. BACKGROUND

Openwebmail is a web-based email system. It contains several Perl CGI
scripts that run under the superuser account (suidperl is used).

II. DESCRIPTION

Remote exploitation of several errors within the Openwebmail scripts
could allow a remote attacker to execute arbitrary commands with the
superuser permissions. Although this requires the attacker to be able to put
2 files on the target system (i.e. via ftp or if he has local shell access),
this is a very serious vulnerability and should be taken seriously.

Let's inspect the sources:

--- openwebmail-abook.pl
#!/usr/bin/suidperl -T
....
require "openwebmail-shared.pl";
....
openwebmail_init();
....
---

--- openwebmail-shared.pl
....
sub openwebmail_init {
....
$thissession = param("sessionid"); # (0)
....
$loginname =~ s/\-session\-0.*$//; # (1)

my $siteconf;
if ($loginname=~/\@(.+)$/) {
$siteconf="$config{'ow_etcdir'}/sites.conf/$1"; # (2)
} else {
my $httphost=$ENV{'HTTP_HOST'}; $httphost=~s/:\d+$//;
$siteconf="$config{'ow_etcdir'}/sites.conf/$httphost";
}
readconf(\%config, \%config_raw, "$siteconf") if ( -f "$siteconf"); # (3)
....
require $config{'auth_module'}; # (4)
---


(0) Attacker can pass anything here:
http://site.url/cgi-bin/openwebmail-abook.pl?sessionid=@[PATH]-session-0

(1) $loginname now holds [PATH] (i.e. "../../../../../home/ftp/incoming/attacker.conf" )

(2) $siteconf holds the path to a custom config file on the server. The attacker
can upload the config file via anonymous ftp (if any), or just put it
somewhere (if he has local access).

(3) readconf() treats $siteconf as a plaintext file, every line of which has the format:
--
var_name variable_value
--
In our case, <attacker.conf> should contain the line
--
auth_module /home/ftp/incoming/exploit.pl
--

(4) <exploit.pl> is executed with superuser permissions (!!!)


III. DETECTION

To detect whether or not you are running a vulnerable version of the openwebmail
software, check the responses of the cgi scripts. For example:

--------
[user@host][~]: lynx -dump http://site/cgi-bin/openwebmail/openwebmail.pl | grep -i "version"
Open WebMail version 1.71
--------

Vulnerable versions are ?.?? -> 1.71

IV. RECOMMENDATIONS

Temporarily disable openwebmail until a patch is released by the vendor,
or fix openwebmail-shared.pl, changing

---
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
---

into

---
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
$loginname =~ s/[\.\/\;\|\'\"\`\&]//g;
---
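
As an added illustration (not code from the advisory or from OpenWebMail), the following Python port of the sessionid-to-$siteconf derivation quoted in section II reproduces the vulnerable path construction, applies the sanitisation line recommended above, and adds a containment check on the final path that the advisory does not contain. The config directory and hostnames are constructed values.

```python
import os
import re

# Constructed stand-ins for OpenWebMail's %config (assumption, not real values).
OW_ETCDIR = "/etc/openwebmail"
SITES_DIR = os.path.join(OW_ETCDIR, "sites.conf")


def loginname_from_sessionid(sessionid):
    # Step (1) of the advisory: strip "-session-0..." from the sessionid parameter.
    return re.sub(r"-session-0.*$", "", sessionid)


def siteconf_path(loginname, http_host="mail.example.org"):
    # Step (2): everything after '@' is used verbatim as a file name under sites.conf;
    # without an '@', HTTP_HOST (minus any ':port') is used instead.
    m = re.search(r"@(.+)$", loginname)
    if m:
        return f"{SITES_DIR}/{m.group(1)}"
    host = re.sub(r":\d+$", "", http_host)
    return f"{SITES_DIR}/{host}"


def sanitize_loginname(loginname):
    # The advisory's recommended fix: drop path and shell metacharacters.
    return re.sub(r"""[./;|'"`&]""", "", loginname)


def effective_target(path):
    # Collapse '..' components to see which file would actually be read.
    return os.path.normpath(path)


def is_within_sites_dir(path):
    # Containment check (an addition, not in the advisory): the normalised
    # path must still lie under sites.conf whatever characters got through.
    target = effective_target(path)
    return target == SITES_DIR or target.startswith(SITES_DIR + os.sep)


def resolve_siteconf(sessionid, http_host="mail.example.org", hardened=True):
    # hardened=False reproduces the vulnerable derivation from openwebmail_init;
    # hardened=True applies the sanitisation and then the containment check.
    name = loginname_from_sessionid(sessionid)
    if hardened:
        name = sanitize_loginname(name)
    path = siteconf_path(name, http_host)
    if hardened and not is_within_sites_dir(path):
        raise ValueError(f"site config path escapes {SITES_DIR}: {path}")
    return path
```

Running it shows that the recommended character class also removes '.', so a login such as alice@mail.example.org is looked up as sites.conf/mailexampleorg once sanitised; the containment check guards the final path independently of which characters are listed.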

V. VENDOR FIX

Software vendor was notified on 2002-12-18.
