BugTraq
Re: Squirrelmail Chpasswod bof Apr 19 2004 09:16AM
Peter Geissler (blasty geekz nl)
In-Reply-To: <200404170420.32857.matias@neiff.com.ar>

Hi,

Did you drink too much when writing this `advisory'? No, seriously, you even made a typo in the title of your thread!

Did you inform the people at Squirrelmail about this? I located the exact vuln in chpasspwd.c:

----

#define STR_MAX 100      /* value stated below: User[] is 100 bytes */

char User[STR_MAX];
char New_pw[50];
char Old_pw[50];

..

/* no length check: argv[] is attacker-controlled and may be far longer
   than the 100- and 50-byte stack buffers it is copied into */
sprintf(User,"%s",argv[1]);
sprintf(Old_pw,"%s",argv[2]);
sprintf(New_pw,"%s",argv[3]);

---

STR_MAX has a value of 100. So, as you probably already have seen, a stack-based overflow occurs when user, old_pw or new_pw is filled with too many bytes (which come from argv[], the command line). In your `exploitation example' you used local rights to exploit this. However, I think it's also possible to exploit without shell access, using the squirrelmail web interface itself. I'm at work right now, but when I'm home I'll be looking into creating a PoC exploit for this one.

Best regards,

Peter "blasty" Geissler

P.S. The version of the chpasswd plugin found on the squirrelmail/SF page is still vulnerable to this bug, so I doubt you informed the people at squirrelmail.


>From: Matias Neiff <matias@neiff.com.ar>
>To: bugtraq@securityfocus.com
>Subject: Squirrelmail Chpasswod bof
>Date: Sat, 17 Apr 2004 04:20:26 -0300
>User-Agent: KMail/1.5.4
>Organization: Pulso
>MIME-Version: 1.0
>Content-Type: Text/Plain;
>  charset="us-ascii"
>Content-Transfer-Encoding: quoted-printable
>Content-Description: clearsigned data
>Content-Disposition: inline
>Message-Id: <200404170420.32857.matias@neiff.com.ar>
>

>Hi all
>
>There is a buffer overflow in the chpasswd binary, distributed with the
>plugin. This allows local users to execute commands as root.
>
>---:::Prott:::---
>root@orco:/mnt/hosting/hack/bof# su webmaster
>webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
>Using address: 0xbfffe325
>bash-2.05b$ ./chpasswd $RET asdf asdf
>The new password is equal to old password. Choose another password.
>sh-2.05b# id
>uid=0(root) gid=3(sys) groups=500(webmaster)
>sh-2.05b#
>---:::end:::---
>
>Bye all
>

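The sprintf() pattern quoted in this thread, as an added example that is not part of the thread or of the chpasswd plugin's own code: the unchecked copy into fixed-size stack buffers beside a bounds-checked replacement, with buffer sizes taken from the snippet (STR_MAX = 100, 50-byte password buffers). The function names (copy_unchecked, overflow_bytes, copy_checked, check_args) are this example's own.

```c
/*
 * Added example (not the chpasswd plugin's code): the unbounded
 * sprintf("%s", argv[i]) copy from the quoted snippet, next to a
 * bounds-checked replacement. Buffer sizes follow the snippet
 * (STR_MAX = 100, password buffers of 50); all function names here
 * are this example's own.
 */
#include <stdio.h>
#include <string.h>

#define STR_MAX 100   /* User[]                */
#define PW_MAX  50    /* Old_pw[] and New_pw[] */

/* The vulnerable pattern: sprintf copies src up to its NUL with no regard
 * for sizeof(dst). Any argument of sizeof(dst) or more characters writes
 * past the end of the stack buffer, toward the saved frame pointer and
 * return address. Kept here for comparison only; main() never calls it. */
void copy_unchecked(char *dst, const char *src)
{
    sprintf(dst, "%s", src);
}

/* Bytes that copy_unchecked() would write past the end of a bufsz-byte
 * buffer for this input (terminating NUL included); 0 means it fits. */
size_t overflow_bytes(size_t bufsz, const char *src)
{
    size_t need = strlen(src) + 1;
    return need > bufsz ? need - bufsz : 0;
}

/* Hardened replacement: reject oversized input instead of truncating it
 * silently (a truncated password would be accepted and stored). Returns 0
 * on success, -1 if src does not fit; dst is left empty on failure. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0) return -1;
    if (overflow_bytes(dstsz, src) != 0) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Copies the three arguments into buffers sized like the plugin's.
 * Returns 0 when all fit, else the 1-based index of the first argument
 * that would have overflowed (1 = user, 2 = old password, 3 = new one). */
int check_args(const char *user_arg, const char *old_arg, const char *new_arg)
{
    char User[STR_MAX], Old_pw[PW_MAX], New_pw[PW_MAX];
    if (copy_checked(User,   sizeof User,   user_arg) != 0) return 1;
    if (copy_checked(Old_pw, sizeof Old_pw, old_arg)  != 0) return 2;
    if (copy_checked(New_pw, sizeof New_pw, new_arg)  != 0) return 3;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s user old_pw new_pw\n", argv[0]);
        return 2;
    }
    int bad = check_args(argv[1], argv[2], argv[3]);
    if (bad) {
        fprintf(stderr, "argument %d too long: %zu byte(s) would overflow\n",
                bad, overflow_bytes(bad == 1 ? STR_MAX : PW_MAX, argv[bad]));
        return 1;
    }
    puts("all arguments fit their buffers");
    return 0;
}
```

Build with cc -Wall and run it with three arguments; a password argument of 50 or more characters, or a user argument of 100 or more, is refused along with the number of bytes sprintf() would have written past the buffer. The design choice worth noting is to reject rather than truncate: snprintf() alone would stop the overflow but would silently store a cut-down password.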
