vpopmail-CGIApps Input Validation Flaws Let Remote Users Execute Arbitrary Commands on the Server
SecurityTracker Alert ID: 1005483
SecurityTracker URL: http://securitytracker.com/id/1005483
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 25 2002
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 0.3
Description:
An input validation vulnerability was reported in vpopmail-CGIApps, a password changing CGI script for vpopmail. A remote user can execute arbitrary commands on the server.
Centaura Technologies reported that a remote user can provide specially crafted data in the password field or the domain form field to execute arbitrary commands on the server. The flaw is due to insufficient input filtering before a call is made to the os.system() function. User-supplied input can be passed to the shell. The commands will run with the privileges of the script (normally 'vpopmail' user privileges).
The remote user can also add, modify, and delete accounts and domains from the database.
As a demonstration exploit method, place a valid username/password in the first part of the form. Then, in the "new password" field, type "; echo 'test' > /tmp/vpoptest". Repeat the same string on the confirm password field. When the form is submitted, the temporary file will be created.
Impact:
A remote user can execute arbitrary commands on the system with the privileges of the CGI script.
Solution:
The vendor has released a fixed version (0.3), available at:
ftp://ftp.buscadoc.org/pub/programas/vpopmail-CgiApps_0.3.tgz
However, another user (Jeremy C. Reed) reports that this fix may be only a partial fix. Apparently, the fix does not filter out the backtick character and possibly other characters.
Vendor URL: diario.buscadoc.org/index.php?topic=Programas
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Message History: None.
Source Message Contents
Date: Thu, 24 Oct 2002 11:26:33 -0300
Subject: vpopmail CGIapps vpasswd vulnerabilities
Centaura Technologies Security Research Lab Advisory
Product Name: vpopmail-CGIApps
Systems: Linux/OpenBSD/FreeBSD/NetBSD
Severity: High Risk
Remote: Yes
Category: Insufficient input checking
Vendor URL: http://diario.buscadoc.org/index.php?topic=Programas
Advisory Author: Ignacio Vazquez
Advisory URL: http://www.centaura.com.ar/infosec/adv/vpopmailCGIapps.txt
Date: 14 October 2002
Advisory Code: CTADVIIC043
.: Introduction
vpopmail-CGIApps is a vpopmail password changer CGI application
written in Python.
.: Impact
An attacker can execute arbitrary code as the setuid user of the
script (normally vpopmail), giving him the possibility to add/modify
and delete accounts/domains from the database.
This can lead to complete e-mail server compromise.
.: Description
By providing specially crafted data in the password field
(typing ; in there), the script executes the os.system() function,
changes the password and then executes the command after the ;
.: Exploit.
Put a valid username/password in the first part of the form.
Then, in "new password" field, put: "; echo 'test' > /tmp/vpoptest"
Repeat that string on the confirm password field.
When you send the form a new file in /tmp will be created.
.: Workaround
Before the os.system() method is called:
# str.replace returns a new string, so the result must be assigned back
direc = direc.replace(";", "")
passx = passx.replace(";", "")
os.system('/home/vpopmail/bin/vpasswd' +" "+ direc + " "+ passx)
.: Official Fix Information
The vendor has released version 0.3 in response to this advisory.
-----
Ignacio Vazquez
<ivazquez@centaura.com.ar>
Director of Technology - Security Labs Manager
Centaura Technologies
http://www.centaura.com.ar
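
The Solution note that the fix may be partial, and the ';'-only workaround above, both point at the limits of character stripping. The following is an added example, not code from vpopmail-CGIApps or from the advisory: it lists the shell-special characters that survive a ';'-only filter and shows the alternative of validating the fields and passing them as an argument list with no shell involved. The account pattern, the password checks and the helper names are assumptions of this example.

```python
import json
import re
import subprocess
import sys

VPASSWD = "/home/vpopmail/bin/vpasswd"  # path from the advisory's workaround
# Assumed account policy for this example: local@domain, conservative characters.
ACCOUNT_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}@[A-Za-z0-9][A-Za-z0-9.-]{0,254}")
# Characters /bin/sh treats specially (separators, quoting, expansion, redirection).
SHELL_META = set(";&|`$()<>\\\"'*?[]{}~!# \t\n")


def strip_semicolons(value):
    """The ';'-only filter from the workaround above."""
    return value.replace(";", "")


def leftover_metachars(value):
    """Shell-special characters still present after filtering."""
    return sorted(set(value) & SHELL_META)


def build_vpasswd_argv(account, new_password):
    """Validate the form fields and return an argv list; no shell parses it."""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("invalid account")
    # Assumption: reject empty, NUL-containing or option-like passwords so the
    # value cannot be mistaken for a command-line switch.
    if not new_password or "\x00" in new_password or new_password.startswith("-"):
        raise ValueError("invalid password")
    return [VPASSWD, account, new_password]


def child_sees(args):
    """Stand-in for vpasswd: a child process that reports the arguments it got."""
    probe = "import json, sys; print(json.dumps(sys.argv[1:]))"
    out = subprocess.run([sys.executable, "-c", probe, *args],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    form_value = "; echo 'test' > /tmp/vpoptest"  # the string quoted in the advisory
    print(leftover_metachars(strip_semicolons(form_value)))
    argv = build_vpasswd_argv("user@example.com", form_value)  # constructed account
    print(child_sees(argv[1:]))  # each field arrives as one literal argument
```

In the CGI itself, the list returned by build_vpasswd_argv would be passed to subprocess.run(argv, check=True) in place of the os.system() string.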