EMU Webmail HTTP Host Header Execute Arbitrary Program

2002-04-10T10:58:52
ID OSVDB:5270
Type osvdb
Reporter Leif Jakob (bugtraq@pinguin.weite-welt.com)
Modified 2002-04-10T10:58:52

Description

Vulnerability Description

Upon connecting to the server and supplying a malicious HTTP Host value to emumail, it could be possible for a local user to force the program to open an arbitrary file with privileges equal to the HTTP server process. This could result in the execution of an arbitrary program, supplied by an attacker with local access to the host.

Technical Description

Source fragments from emumail.cgi:

-------------------- CUT HERE --------------------
my $http_host = lc $ENV{'HTTP_HOST'};

if ( -e "$http_host.init" ) {
    open(INI, "$http_host.init") || debug "Can't open $http_host.init! : $! ";
    <INI> =~ /page_root\s=\s(\S+)/m;
    close(INI);
    $page_root = $1;
}

...

open (IN, "$page_root/.....");
-------------------- CUT HERE --------------------

By setting an HTTP Host header such as "../../../../../tmp/evil" and placing a config file with the new page_root "/tmp/evilprog ", it is possible for a local user to hijack the CGI user on the next open call.
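
A hardened form of the lookup in the fragment above, as an added example (not EMUmail's code and not the vendor's fix): the Host header is validated as a DNS name before it is used in a path, and the config file is opened with three-argument open from a fixed directory. The directory /etc/webmail/hosts and the function names safe_host and page_root_for are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: per-host .init files live in one fixed directory (hypothetical path).
my $CONF_DIR = '/etc/webmail/hosts';
my $LABEL    = qr/[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/;

# Return a validated hostname, or nothing if the header is not a plain DNS name.
sub safe_host {
    my ($raw) = @_;
    return unless defined $raw;
    my $host = lc $raw;
    $host =~ s/:\d{1,5}\z//;                 # drop an optional :port
    return if length($host) > 253;
    # Dot-separated labels only: rejects '/', '..', whitespace and NUL bytes.
    return unless $host =~ /\A${LABEL}(?:\.${LABEL})*\z/;
    return $host;
}

# Read page_root for an already validated host; nothing if absent or unacceptable.
sub page_root_for {
    my ($host) = @_;
    # Three-argument open with explicit '<': the path is only ever a filename.
    open(my $ini, '<', "$CONF_DIR/$host.init") or return;
    my $root;
    while (my $line = <$ini>) {
        if ($line =~ /^page_root\s=\s(\S+)/) { $root = $1; last; }
    }
    close($ini);
    return unless defined $root;
    # Accept only an absolute path from a conservative character set, no '..'.
    return unless $root =~ m{\A/[A-Za-z0-9_./-]+\z};
    return if $root =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $root;
}

# Constructed sample headers: the first two are ordinary, the rest are rejected.
for my $h ('Mail.Example.com', 'mail.example.com:8080',
           '../../../../../tmp/evil', 'a/b', "x\n") {
    my $host = safe_host($h);
    (my $shown = $h) =~ s/\n/\\n/g;
    if (defined $host) {
        my $root = page_root_for($host);
        printf "%-26s accept host=%s page_root=%s\n", $shown, $host, $root // '(no config)';
    } else {
        printf "%-26s reject\n", $shown;
    }
}
```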

Solution Description

Upgrade to version 5.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.emumail.com
Other Advisory URL: http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0532
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2002-04/0117.html
Keyword: emumail.cgi
ISS X-Force ID: 8836
CVE-2002-0532
Bugtraq ID: 4488