vpopmail-CGIApps Input Validation Flaws Let Remote Users Execute Arbitrary Commands on the Server
SecurityTracker Alert ID: 1005483 |
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Oct 25 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 0.3
|
Description: An input validation vulnerability was reported in vpopmail-CGIApps, a password changing CGI script for vpopmail. A remote user can execute arbitrary commands on the server.
Centaura Technologies reported that a remote user can provide specially crafted data in the password field or the domain form field to execute arbitrary commands on the server. The flaw is due to insufficient input filtering before a call is made to the os.system() function, so user-supplied input can be passed to the shell. The commands will run with the privileges of the script (normally 'vpopmail' user privileges).
The remote user can also add, modify, and delete accounts and domains from the database.
As a demonstration exploit method, place a valid username/password in the first part of the form. Then, in the "new password" field, type "; echo 'test' > /tmp/vpoptest". Repeat the same string in the confirm password field. When the form is submitted, the temporary file will be created.
|
Impact: A remote user can execute arbitrary commands on the system with the privileges of the CGI script.
|
Solution: The vendor has released a fixed version (0.3), available at:
ftp://ftp.buscadoc.org/pub/programas/vpopmail-CgiApps_0.3.tgz
However, another user (Jeremy C. Reed) reports that this fix may be only a partial fix. Apparently, the fix does not filter out the backtick character and possibly other characters.
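Since the character-stripping fix is reported to miss the backtick, the more robust approach is to keep the shell out of the call altogether. The following is an added example, not code from vpopmail-CGIApps or from the advisory: it validates both fields and passes them as an argument vector. The regular expression, the password policy, the helper names and the echo stand-in for vpasswd are assumptions; `direc`, `passx` and the vpasswd path follow the workaround snippet in the advisory.

```python
import re
import subprocess
import sys

VPASSWD = "/home/vpopmail/bin/vpasswd"  # path as it appears in the advisory
# Allowlist for user@domain (assumed policy; tighten to local naming rules).
ADDR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}@[A-Za-z0-9][A-Za-z0-9.-]{0,252}")
# Stand-in for vpasswd so the example runs anywhere: it echoes its arguments.
ECHO = [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))"]


def strip_semicolons(value):
    """The blacklist approach: removes ';' and nothing else."""
    return value.replace(";", "")


def build_argv(direc, passx, binary=VPASSWD):
    """Validate both fields and return an argument vector for subprocess."""
    if not ADDR_RE.fullmatch(direc):
        raise ValueError("invalid address")
    # Reject empty, option-like or unprintable passwords (assumed policy).
    if not passx or passx.startswith("-") or not passx.isprintable():
        raise ValueError("invalid password")
    return [binary, direc, passx]


def run_argv(argv):
    """Run without a shell: each element reaches the program as one literal argument."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=True).stdout


def demo(passx):
    """Send a password through the stand-in and return the arguments it received."""
    argv = build_argv("user@example.com", passx)
    return run_argv(ECHO + argv[1:]).strip()


if __name__ == "__main__":
    sample = "a`b`$(c)|d&e"          # constructed input: metacharacters, no ';'
    print(strip_semicolons(sample))   # unchanged, so a ';' filter offers no protection here
    print(demo(sample))               # received as a single literal argument
```

In the real script, `run_argv(build_argv(direc, passx))` would take the place of the `os.system()` call.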
|
Vendor URL: diario.buscadoc.org/index.php?topic=Programas
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Ignacio Vazquez <n.bugtraq@icana.org.ar>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 24 Oct 2002 11:26:33 -0300
From: Ignacio Vazquez <n.bugtraq@icana.org.ar>
Subject: vpopmail CGIapps vpasswd vulnerabilities
|
Centaura Technologies Security Research Lab Advisory
Product Name: vpopmail-CGIApps
Systems: Linux/OpenBSD/FreeBSD/NetBSD
Severity: High Risk
Remote: Yes
Category: Insufficient input checking
Vendor URL: http://diario.buscadoc.org/index.php?topic=Programas
Advisory Author: Ignacio Vazquez
Advisory URL: http://www.centaura.com.ar/infosec/adv/vpopmailCGIapps.txt
Date: 14 October 2002
Advisory Code: CTADVIIC043
.: Introduction
vpopmail-CGIApps is a vpopmail password changer CGI application
written in Python.
.: Impact
An attacker can execute arbitrary code as the setuid user of the
script (normally vpopmail), giving him the possibility to add/modify
and delete accounts/domains from the database.
This can lead to complete e-mail server compromise.
.: Description
By providing specially crafted data in the password field
(typing ; in there), the script executes the os.system() function,
changes the password and then executes the command after the ;
.: Exploit.
Put a valid username/password in the first part of the form.
Then, in "new password" field, put: "; echo 'test' > /tmp/vpoptest"
Repeat that string on the confirm password field.
When you send the form a new file in /tmp will be created.
.: Workaround
Before the os.system() method is called:
# replace() returns a new string, so the result must be assigned back
direc = direc.replace(";", "")
passx = passx.replace(";", "")
os.system('/home/vpopmail/bin/vpasswd' + " " + direc + " " + passx)
.: Official Fix Information
The vendor has released version 0.3 in response to this advisory.
-----
Ignacio Vazquez
<ivazquez@centaura.com.ar>
Director of Technology - Security Labs Manager
Centaura Technologies
http://www.centaura.com.ar