SecurityTracker.com
Category:   Application (E-mail Server)  >   Confirm
Vendors:   Lechnyr, David
Confirm Input Validation Bug Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1009180
SecurityTracker URL:  http://securitytracker.com/id/1009180
CVE Reference:   CAN-2004-0324   (Links to External Site)
Updated:  Mar 23 2004
Original Entry Date:  Feb 23 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.62 and prior versions
Description:   A vulnerability was reported in Confirm. A remote user can execute arbitrary commands on the target system.

It is reported that the Confirm procmail script does not properly filter user-supplied input contained in e-mail headers. A remote user can reportedly send a specially crafted e-mail to a user on the target system to cause arbitrary commands to be executed.

The vendor was reportedly notified on February 6, 2004.

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target user running Confirm.
Solution:   The vendor has issued a fixed version (0.70) on February 9, 2004, available at:

http://hr.uoregon.edu/davidrl/confirm/confirm-0.70.tgz

Vendor URL:  hr.uoregon.edu/davidrl/confirm/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 23 Feb 2004 22:14:45 +0100 (CET)
Subject:  Lam3rZ Security Advisory #3/2004: A bug in Confirm leads to remote



		Lam3rZ Security Advisory #3/2004

			23 Feb 2004

		Remote command execution in Confirm

Name:			Confirm <=0.62
Severity:		High
Software URL:		http://freshmeat.net/projects/confirm/
Software author:	David Lechnyr <davidrl/at/comcast/dot/net>
Advisory author:	Mariusz Woloszyn <emsi/AT/GTS/dot/PL>
Vendor notified:	Feb 6, 2004
Vendor confirmed:	Feb 6, 2004
Vendor fix:		Feb 9, 2004


Impact:
-------

Confirm is a simple procmail script that uses a pattern-matching
auto-whitelist to help identify unsolicited email.
Forged email headers may lead to remote command execution with the privileges
of the user (or even root, if root uses confirm).


Description:
------------

Due to insufficient filtering of user-supplied data, emails containing special
characters such as ", `, |, ;, $ and so on in their headers may trick confirm
and lead to command execution.


How to patch:
-------------

Install confirm-0.70 from:
http://hr.uoregon.edu/davidrl/confirm/confirm-0.70.tgz
Please note that significant changes have happened since the previous
version!!!


Regards,

-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
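As an added example (not code from Confirm or from the advisory's author), the POSIX sh functions below show the checks a procmail-driven script needs before a sender address taken from a mail header is handed to a shell: reduction to the bare address, an allowlist that refuses the metacharacters the advisory lists, and single-quoting for any value that must still be interpolated. The header values are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from Confirm or its author. Two defensive steps a
# procmail-driven script needs before a sender address taken from a mail
# header goes anywhere near a shell command line (`| sh -c "..."`, backticks):
# (1) reduce the header to the bare address and allowlist its characters,
# (2) if the value must still be interpolated into a shell string, quote it.
# The advisory names ", `, |, ;, $ as dangerous; an allowlist refuses those
# and every other shell-significant character (&, <, >, (, ), \, newline).

# Reduce a From:/Return-Path: header value to the bare address:
# '"Alice" <alice@example.invalid>' -> 'alice@example.invalid'.
extract_address() {
    case "$1" in
        *'<'*'>'*) addr=${1#*'<'}; addr=${addr%%'>'*} ;;
        *)         addr=$1 ;;
    esac
    printf '%s' "$addr"
}

# Return 0 if the address consists only of characters that are ordinary in
# an e-mail address and mean nothing to sh, 1 otherwise (empty included).
address_is_safe() {
    [ -n "$1" ] || return 1
    # Delete every allowed character; whatever remains is disallowed. The '#'
    # sentinel is outside the allowlist and keeps $( ) from silently dropping
    # a trailing newline, so a smuggled line break is still caught.
    rest=$(printf '%s#' "$1" | tr -d 'A-Za-z0-9._+=@-')
    [ "$rest" = '#' ]
}

# Wrap a value in single quotes so sh sees exactly one literal word even if
# the allowlist is relaxed later. Each embedded ' becomes '\'' .
shell_quote() {
    q=$(printf '%s#' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%#}"
}

# Gatekeeper a recipe would call (hypothetical name): prints the quoted
# address on success, prints nothing and fails otherwise.
checked_sender() {
    addr=$(extract_address "$1")
    address_is_safe "$addr" || return 1
    shell_quote "$addr"
}
```

A recipe would use only the value that checked_sender prints; a non-zero exit means the header is refused before any command line is built.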

Copyright 2012, SecurityGlobal.net LLC