11139926 2003-12-24 14:48 -0500 /214 lines/ Bugtraq Security Systems <research@bugtraq.org>
Imported: 2003-12-26 22:45 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30459>
Subject: Bugtraq Security Systems ADV-0001
------------------------------------------------------------
From: Bugtraq Security Systems <research@bugtraq.org>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.53.0312241446410.25428@symantec>

Bugtraq Security Systems, Incorporated
www.bugtraq.org
Security Advisory

Advisory Name: Command Injection Issue in Squirrelmail
Release Date: 12/24/2003
Application: Squirrelmail
Platform: Linux (IA32), Linux (sparc), Linux (sparc64), Linux (hppa), Linux (ppc), Linux (xbox), Linux (IA64), SUN Solaris (IA32), SUN Solaris (sparc), SUN Solaris (sparc64), OpenBSD (386), FreeBSD (386), SCO OpenServer (All versions), HPUX (hppa), HPUX (IA64), QNX, Compaq Tru64, Microsoft Windows NT (Alpha), Microsoft Windows NT (IA32)
Severity: Flaw in input validation allows execution of arbitrary commands as the Apache user.
Author: The Bugtraq Team, Collectively [bugtraq@bugtraq.org]
Vendor Status: Patches pending.
CVE Candidate: CAN-2003-0990 - Squirrelmail input validation flaw
Reference: www.bugtraq.org/advisories/bssadv0002.txt

Overview:

[ASCII art: "MERRY X-MAS" / "whitehat." drawing; layout lost in extraction]

SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
It should also be noted that the internet security rock-star Mudge, along with several other famed w00w00 members, uses Squirrelmail. We at Bugtraq Security Systems would expect more proactive auditing of basic infrastructure used by famed black-hat[1] hackers such as Mudge, or Weld Pond a.k.a. "Chris Wysopal".

Once the vulnerability has been exploited, access to the affected machine as the Apache user is gained. This allows an attacker to co-opt the web site, and the Squirrelmail instance. For example, it is easy to sniff e-mail and obtain usernames and passwords for Squirrelmail users, which are identical to their login usernames and passwords, in most cases.

[1] Out of curiosity, if you break the law, for example, by speeding in your car, or by taking illegal drugs, but have not yet been caught at actually hacking into a computer, do you consider yourself to be a black-hat or a white-hat? Does the color of your hat apply just to your behavior at a keyboard, or does your behavior in real life also relate? At what point do you lose your ability to label others as responsible or not? We at Bugtraq Security Systems find these rhetorical questions funny. We also find it gut-bustingly hilarious when drug addicts become volcanoes of hypocrisy, spouting off at every new "blackhat" antic that comes to light. You don't see "Blackhats Against Crystal Meth" lobbying Congress, do you?

Details:

The pictures located at http://www.bugtraq.org/images/demo1.png and http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq Security Systems software analysis platform. This product, BSS Data Tracer, allows a software security analysis team to perform automated checks against many common types of vulnerabilities in both binary and source code targets.

As the screen shots referenced above show, this product can save thousands of hours of testing and analysis, providing a significant return on investment for software development groups.
It uses "tainting" technology which applies data-flow analysis rules to variables within the program. If a "tainted" variable reaches a vulnerable API call, such as exec, system, or strcpy, then that place is marked. A report is then generated for the perusal of security staff. It should be noted that Bugtraq Security Systems Data Tracer is a "static analysis" tool, and does not require the program to be installed or run.

Bugtraq Security Systems has run the beta version of Data Tracer against many WebMail systems. Most have vulnerabilities similar to the one recorded in the images above. This particular example is within the GPG subsystem of Squirrelmail, often installed by security "experts" who in actuality have the information security knowledge of cat food.

Adding a ";command;" to the To: line of a newly created e-mail and then clicking "encrypt now" will execute the command as the Apache user on recent versions of Squirrelmail, including the current CVS version. Example:

To: ;echo "YO, dudes. Static analysis ain't rocket science." >> /tmp/message;
<click encrypt now to execute!>

Vendor Response:

Bugtraq Security have attempted to contact the vendor multiple times since the discovery of these vulnerabilities without success. In addition, after contacting Weld Pond and Pieter Mudge Zatko directly via #w00w00 about their vulnerability to this issue, we were rebuffed for not taking Microsoft-approved measures and first releasing a press-release regarding our discoveries so we could profit from them, l0pht-style, and worm our way into Congressional meetings on unrelated topics where we could brag unnecessarily about our ability to shut down the Internet, when in fact, we[2] often have problems shutting down our Windows 2003 partition on our laptops due to the many kernel trojans competing for time on them.

[2] Weld and Mudge, obviously. Bugtraq Security Systems uses only QNX. We're realtime like that.
ThreatCon:

The release of this information and the potential for worms based on proof-of-concept exploits increases the Global ThreatCon Level to an index of 8/13 (more dangerous than normal) level. We hope that Squirrelmail and #w00w00 members Mudge, Weld Pond and Jonathan Wilkins will address these issues in important global internet security infrastructure as soon as possible. Remember, it's not responsible disclosure to paste their passwords and mail spools into random efnet channels. Bugtraq Security Systems also does not approve of replacing tarballs on random open-source code repositories with your findings.

If you have any questions regarding the Global ThreatCon, please visit http://www.bugtraq.org/threatcon.html

Recommendation:

Disable the GPG plugin to Squirrelmail until a patch can be provided.

Bugtraq Data Tracer:

Requests to get on the early beta release list for BSS Data Tracer can be sent to bugtraq@bugtraq.org. Please include a name, contact email, phone number, address, and the hours in which you can be reached. A sales executive will contact you shortly.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2003-0990 - Squirrelmail input validation flaw

Bugtraq Security Systems Vulnerability Reporting Policy: http://www.bugtraq.org/research/policy/
Bugtraq Security Systems Advisory Archive: http://www.bugtraq.org/advisories.html
Bugtraq Security Systems PGP Key: http://www.bugtraq.org/pgp_key.asc

Bugtraq Security Systems is currently seeking application security experts to fill several consulting positions. Applicants should have strong application development skills and be able to perform application security design reviews, code reviews, and application penetration testing.
Please send resumes to jobs@bugtraq.org

Copyright 2003 Bugtraq Security Systems. All rights reserved.

(11139926) /Bugtraq Security Systems <research@bugtraq.org>/

11140153 2003-12-26 11:41 -0600 /164 lines/ Brian G. Peterson <brian@braverock.com>
Imported: 2003-12-26 23:56 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: full-disclosure@lists.netsys.com
External CC recipient: research@bugtraq.org
External CC recipient: vuln@secundia.com
Recipient: Bugtraq (import) <30466>
Subject: Re: Reported Command Injection in Squirrelmail GPG
------------------------------------------------------------
From: "Brian G. Peterson" <brian@braverock.com>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Cc: research@bugtraq.org, vuln@secundia.com
Message-ID: <25001.38.115.154.129.1072460478.squirrel@38.115.154.129>

Bugtraq Security Systems released an advisory on Dec 24th to the Full Disclosure email list about a possible Command Injection Issue in the GPG subsystem of Squirrelmail. Please note that Bugtraq Security Systems Inc has no affiliation with the well-regarded official Bugtraq list at securityfocus.com.

Original full text of the advisory here:
http://www.bugtraq.org/advisories/_BSSADV-0001.txt "Command Injection Issue in Squirrelmail"
and here:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3777.html "Bugtraq Security Systems XMAS Advisory 0001"

Secunia also copied it here:
http://www.secunia.com/advisories/10493/ "Squirrelmail Address Parsing Execution of Arbitrary Commands"

There are many problems with this 'advisory'. We'll deal with the technical details first, and then move on to the rest of it.
Summary:

The authors of the original 'advisory' claim arbitrary code execution with the currently released version of Squirrelmail and the GPG Plugin. This is false. They also claim arbitrary code execution with current CVS version of the Squirrelmail and GPG code. This is also false. They further claim to have attempted to contact the Squirrelmail 'product team' 'several times' before releasing their vulnerability report. This is also false. No attempt was made to contact any member of the GPG Plugin team, nor was any contact made with members of the core Squirrelmail development team or any of the Squirrelmail development lists.

Despite these inaccuracies and the carefully timed release of a faulty 'advisory' during the Christmas holiday, we looked into it immediately.

Details:

> Adding a ";command;" to the To: line of a newly created e-mail and
> then clicking "encrypt now" will execute the command as the Apache
> user on recent versions of Squirrelmail, including the current CVS
> version. Example:
>
> To: ;echo "YO, dudes. Static analysis ain't rocket science." >>
> /tmp/message;
> <click encrypt now to execute!>

Upon digging further, we have discovered that the code for the reported exploit existed within Squirrelmail itself, previous to version 1.4.2 during the address parsing. This is within the rfc822Header object, using the parseAddress function. The parseAddress code in Squirrelmail 1.4.0 does not properly completely remove the command noted in the 'advisory' and previous comments. However, even Squirrelmail 1.4.0 does munge the attack enough to not exactly function the way the 'advisory' claims. It is possible that an exploit similar to the one reported in the 'advisory' could potentially be exploitable with GPG Plugin v 1.1 and SM v 1.4.0.

As of Squirrelmail 1.4.2 this attack is completely unsuccessful. Squirrelmail 1.4.2 was released on Oct 01, 2003.
Since squirrelmail 1.4.2 contains other security updates, and has been released for some time, it is HIGHLY recommended that administrators upgrade immediately anyway.

We plan to investigate this issue more thoroughly in the next day or two, and potentially update the Squirrelmail parseAddress function to even more robustly handle potentially malicious code. Updates as we continue to work towards further securing the GPG Plugin and the Squirrelmail parseAddress function will be posted on the GPG Plugin Bugzilla at:
http://www.braverock.com/bugzilla/show_bug.cgi?id=139

> This particular example is within the GPG subsystem of
> Squirrelmail, often installed by security "experts"
> who in actuality have the information security knowledge of
> cat food.

The GPG Plugin for Squirrelmail is not intended for 'security experts'. The GPG Plugin is a convenience feature only for the 'average' web mail user. It does not claim to be a super high security method of encrypting email. It is better than sending postcards across the network. The documentation and online help for the GPG Plugin explicitly warn users against storing their primary private keys (if they have them) on an untrusted or unsecured webmail server. The GPG Plugin for Squirrelmail is not intended to replace or remove the need for stand-alone, off-line key management and basic key security for mission critical keys.

> The pictures located at http://www.bugtraq.org/images/demo1.png and
> http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
> Security Systems software analysis platform. This product, BSS Data
> Tracer, allows a software security analysis team to perform automated
> checks against many common types of vulnerabilities in both binary and
> source code targets.
>
> As the screen shots referenced above show, this product can save
> thousands of hours of testing and analysis, providing a significant
> return on investment for software development groups.
> It uses
> "tainting" technology which applies data-flow analysis rules to
> variables within the program. If a "tainted" variable reaches a
> vulnerable API call, such as exec, system, or strcpy, then that place
> is marked. A report is then generated for the perusal of security
> staff. It should be noted that Bugtraq Security Systems Data Tracer is
> a "static analysis" tool, and does not require the program to be
> installed or run.

We do not appreciate your grand-standing for product placement. Please get your facts straight.

> Bugtraq Security have attempted to contact the vendor multiple times
> since the discovery of these vulnerabilities without success. In
> addition, after contacting Weld Pond and Pieter Mudge Zatko

My email and the email of the GPG Plugin team are clearly indicated in the GPG Plugin README, and on the Squirrelmail web site. No one attempted to contact me or any member of the GPG Plugin team on this issue. Further, no attempt was made by 'Bugtraq Security Inc' to contact any of the official Squirrelmail lists. Communication with the Squirrelmail development team leads confirms that none of them were contacted either. Other individuals that the 'advisory' claims were contacted have also responded that they were not contacted about this release.

So, to summarize the technical issues, the vulnerability reported in the 'advisory' is not completely valid at all, but could potentially be exploitable with GPG Plugin v 1.1 and SM v 1.4.0. Please note that these are old versions of both the Squirrelmail code and the GPG Plugin. The claim in the 'advisory' that a vulnerability exists: 'on recent versions of Squirrelmail, including the current CVS version.' is just plain false.

To the members of the "Bugtraq Research Team": The members of the GPG Plugin and Squirrelmail development teams feel that it is a bad policy to release 'advisories' with so many inaccuracies and outright lies. Please refrain from doing so in the future.
Regards,

- Brian Peterson
GPG Plugin Team Lead
Squirrelmail Core Development Team Member

SquirrelMail is a popular standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols. It is available at:
http://www.squirrelmail.org/

The GPG Plugin for Squirrelmail adds most commonly used GPG encryption and decryption functions to Squirrelmail for the convenience of Squirrelmail users. It is available on the Squirrelmail website and from the GPG Plugin development site at:
http://www.braverock.com/gpg/

(11140153) /Brian G. Peterson <brian@braverock.com>/(Reflowed)
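The two messages above disagree about whether the quoted To: value reaches a shell intact, but both describe the same class of bug: a recipient string spliced into a gpg command line. The following is an added illustration, not SquirrelMail or GPG Plugin code, of the vulnerable pattern beside a hardened one; it assumes modern PHP, and the command shape, the address regex and the message.txt path are constructed for the example. Only the To: value is taken from the advisory, and nothing here is executed.

```php
<?php
// Added example (not SquirrelMail or GPG Plugin code): how an unchecked
// To: value becomes extra shell commands, and how to stop it at the
// boundary. The gpg command shape and message.txt are assumed.

// Vulnerable pattern: the recipient is concatenated straight into the
// command string. With the advisory's To: value, the shell would parse
// three commands (empty, echo ... >> /tmp/message, empty), not one gpg
// call. Returned as a string only; never passed to exec() here.
function build_gpg_command_unsafe(string $recipient): string {
    return "gpg --batch --encrypt --recipient " . $recipient . " message.txt";
}

// Hardened pattern: refuse anything that does not look like a bare
// address, then quote the argument so the shell treats it as one word
// even if the allowlist is later loosened. Both layers are deliberate.
function build_gpg_command_safe(string $recipient): ?string {
    $recipient = trim($recipient);
    // Conservative allowlist: local part, '@', dotted domain. Spaces,
    // ';', quotes and redirections never match, so they are rejected.
    $pattern = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/';
    if (!preg_match($pattern, $recipient)) {
        return null;
    }
    return "gpg --batch --encrypt --recipient "
         . escapeshellarg($recipient) . " message.txt";
}

// The To: value quoted in the advisory, used here only as test input.
$payload = ';echo "YO, dudes. Static analysis ain\'t rocket science." >> /tmp/message;';

echo "unsafe: " . build_gpg_command_unsafe($payload) . "\n";
var_dump(build_gpg_command_safe($payload));            // NULL: rejected
var_dump(build_gpg_command_safe('alice@example.org'));  // single quoted arg
```

Brian's reply notes that the 1.4.2 parser strips such input upstream; the quoting step above is the defence-in-depth layer at the process boundary for when parsing is incomplete, as he describes for 1.4.0.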