[UNIX] SquirrelMail G/PGP Plugin Multiple Vulnerabilities

Subject: [UNIX] SquirrelMail G/PGP Plugin Multiple Vulnerabilities
Date: 12 Jul 2007 16:29:52 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  SquirrelMail G/PGP Plugin Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

The SquirrelMail G/PGP Encryption Plugin 
<http://www.squirrelmail.org/plugin_view.php?id=153> is "a general purpose 
encryption, decryption, and digital signature plug-in for SquirrelMail that 
implements the OpenPGP standard using GPG". Multiple vulnerabilities have 
been found in SquirrelMail's G/PGP plugin which allow command execution and 
file inclusion.

DETAILS

SquirrelMail G/PGP Plugin gpg_help.php Local File Inclusion Vulnerability
Remote exploitation of a local file inclusion vulnerability in version 2.0 
of the SquirrelMail G/PGP Plugin could allow an authenticated webmail user 
to execute arbitrary PHP code under the security context of the running 
web server.

Version 2.0 of the SquirrelMail G/PGP Plugin contains an implementation 
flaw in the way it includes certain files. Specifically, the 
'gpg_help.php' and 'gpg_help_base.php' files will include local files that 
are supplied via the 'help' HTTP GET request parameter. An excerpt from 
the code follows:

    // Help body text is inserted here via GET parameter
    require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );

By using directory traversal specifiers, an attacker can trivially cause 
files stored on the Web server to be parsed as PHP code.

Analysis:
Exploitation could allow an attacker to include an arbitrary local file on 
the affected host.

Due to the lack of input validation on $_GET['help'], directory traversal 
specifiers can be used to have any file on the system that is readable by 
the web server parsed as PHP code.
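To make the include pattern concrete, here is an added example (written for this page, not code from the G/PGP plugin or from iDefense) that places the gpg_help.php pattern next to a hardened replacement. SM_PATH, the help directory and the request values are assumed or constructed; the hardened function also needs the help file to exist on disk, since realpath() returns false otherwise.

```php
<?php
// Added example, not code from the G/PGP plugin. It puts the include pattern
// from gpg_help.php next to a hardened replacement. SM_PATH, the help
// directory and the request values below are assumed/constructed.

define('SM_PATH', '/var/www/squirrelmail/');
define('GPG_HELP_DIR', SM_PATH . 'plugins/gpg/help/');

// Vulnerable pattern: the raw GET value is glued onto the directory, so
// "../" sequences walk out of plugins/gpg/help/ and whatever the path
// resolves to is parsed as PHP by require_once.
function vulnerable_help_path(string $help): string
{
    return GPG_HELP_DIR . $help;
    // gpg_help.php then does: require_once(GPG_HELP_DIR . $_GET['help']);
}

// Hardened, layer 1: accept only a plain help file name. No slashes,
// no "..", no NUL bytes; nothing that can change the directory.
function is_valid_help_name(string $help): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]+\.php$/', $help);
}

// Hardened, layer 2: resolve the path and confirm it is still inside the
// help directory. realpath() collapses symlinks and ".." and returns
// false if the file does not exist, so this also needs the file on disk.
function safe_help_path(string $help): ?string
{
    if (!is_valid_help_name($help)) {
        return null;
    }
    $base = realpath(GPG_HELP_DIR);
    $real = realpath(GPG_HELP_DIR . $help);
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed request values: one legitimate, two traversal attempts.
$requests = [
    'gpg_help_base.php',
    '../../../../../../etc/passwd',
    '../../../../../../tmp/attacker_controlled_file',
];

foreach ($requests as $help) {
    printf("help=%s\n", $help);
    printf("  vulnerable include target : %s\n", vulnerable_help_path($help));
    printf("  passes name whitelist     : %s\n", is_valid_help_name($help) ? 'yes' : 'no');
    printf("  safe_help_path()          : %s\n", safe_help_path($help) ?? 'rejected');
}
```

The name whitelist is the check that does the work: it never lets a slash or ".." through, so the traversal payloads are rejected before the filesystem is touched. The realpath() comparison is defence in depth against a symlink placed inside the help directory. Note that a traversal target does not have to contain PHP tags to be useful to an attacker; a plain text file included this way is simply echoed to the response, which is why /etc/passwd is the classic probe.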

iDefense has confirmed the existence of this vulnerability in version 2.0 
of the G/PGP Encryption Plugin for SquirrelMail. It is suspected that 
earlier versions of the plug-in are also affected.

Vendor response:
The maintainers of the SquirrelMail G/PGP plug-in have not responded to 
repeated inquiries regarding this vulnerability. Versions since 
gpg.2.1devbuild14Jun07 appear to include a fix for this problem. This 
problem is not present in the recent 2.1 release made on July 7th, 2007.

CVE Information:
CVE-2006-4169 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4169>


SquirrelMail G/PGP Plugin gpg_recv_key() Command Injection Vulnerability
Remote exploitation of a command injection vulnerability in the G/PGP 
Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail 
package allows attackers to execute arbitrary commands with the privileges 
of the underlying web server.

The problem specifically exists within the function gpg_recv_key() defined 
in gpg_key_functions.php. A call is made to exec() with unfiltered 
user-supplied data as demonstrated in the following piece of code:

    $command = "$path_to_gpg --batch --no-tty --homedir $gpg_key_dir \
             --keyserver hkp://$keyserver --recv-key $searchkeyid 2>&1";
    [...]
    exec($command, $output, $returnval);

The aforementioned '$keyserver' variable is supplied in the POST data to 
the gpg_options.php script. The attacker must have a valid authenticated 
session to exploit this vulnerability.

Analysis:
Exploitation of the described vulnerability allows authenticated remote 
attackers to execute arbitrary commands with the privileges of the 
underlying web server.

This vulnerability could be exploited by webmail users to gain shell 
access on the target server and potentially further compromise the system 
with local privilege escalation vulnerabilities.

Detection:
iDefense has confirmed the existence of this vulnerability in the latest 
version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. 
Furthermore, this vulnerability has been confirmed to exist as early as 
version 2.0. Other versions may be affected.

Workaround:
Disable the G/PGP Plugin if it is not required. Alternatively, add the 
following line above the initialization of the '$command' variable just 
prior to the call to exec():

    $keyserver = escapeshellarg($keyserver);

Please note that this is an unofficial source patch, but should be 
sufficient as a workaround until an official patch is released from the 
vendor.

Vendor response:
The maintainers of the SquirrelMail G/PGP plug-in have not responded to 
repeated inquiries regarding this vulnerability. As such, it remains 
unpatched, even in the most current release made on July 7th, 2007.

CVE Information:
CVE-2005-1924 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1924>


SquirrelMail G/PGP Plugin gpg_check_sign_pgp_mime() Command Injection 
Vulnerability
Remote exploitation of a command injection vulnerability in the G/PGP 
Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail 
package allows attackers to execute arbitrary commands with the privileges 
of the underlying web server.

The problem specifically exists within the function 
gpg_check_sign_pgp_mime() defined in gpg_hook_functions.php. A call is 
made to exec() with unfiltered user-supplied data as demonstrated in the 
following piece of code:

    $command = "echo -n \"$messageSignedText\" | $path_to_gpg --batch \
               --no-tty --homedir $gpg_key_dir --verify ".\
               $detachedSignatureFilename." - 2>&1";

    if ($debug)
        echo "gpg command: ".$command."\n";
    exec($command, $results, $returnval);

The '$messageSignedText' variable from above contains the stripped e-mail 
message.

Analysis:
Exploitation of the described vulnerability allows unauthenticated remote 
attackers to execute arbitrary commands with the privileges of the 
underlying web server.

Exploitation of this vulnerability occurs when a target webmail user opens 
a malicious e-mail message. As such the vulnerability can be exploited by 
any attacker who can convince a target user to open a malicious message.

Detection:
iDefense has confirmed the existence of this vulnerability in version 2.0 
of the G/PGP Encryption Plugin for SquirrelMail. It is suspected that 
earlier versions of the plug-in are also affected.

Workaround:
Disable the G/PGP Plugin if it is not required. Alternatively, add the 
following line above the initialization of the '$command' variable just 
prior to the call to exec():

    $messageSignedText= escapeshellarg($messageSignedText);

Please note that this is an unofficial source patch, but should be 
sufficient as a workaround.

Vendor response:
The maintainers of the SquirrelMail G/PGP plug-in have not responded to 
repeated inquiries regarding this vulnerability. Versions since 
2.1devbuild12Sep06 appear to include a fix for this problem. This problem 
is not present in the recent 2.1 release made on July 7th, 2007.
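As an added example (not code from the plugin or from the advisory), the following rebuilds the gpg_check_sign_pgp_mime() command line for a constructed message body and then replaces the "echo | gpg" pipeline with a shell-free proc_open() call that feeds the message to gpg on stdin. The paths, the signature file name and the message are assumptions; gpg is only invoked if it and the signature file are actually present on the machine running the script.

```php
<?php
// Added example, not code from the G/PGP plugin. Shows why the
// gpg_check_sign_pgp_mime() command line is reachable from a mail body and
// replaces "echo | gpg" with a shell-free proc_open() call. Paths, file
// names and the message are assumed/constructed.

$path_to_gpg = '/usr/bin/gpg';
$gpg_key_dir = '/var/www/squirrelmail/data/alice.gpg';
$sig_file    = '/tmp/sig_1234.asc';   // detached signature written by the plugin (assumed name)

// Vulnerable: the message text is interpolated inside a double-quoted shell
// string. The attacker does not even need to break out of the quotes, since
// the shell expands $(...) and backticks inside double quotes.
function verify_cmd_vulnerable(string $gpg, string $dir, string $sigFile, string $signedText): string
{
    return "echo -n \"$signedText\" | $gpg --batch --no-tty --homedir $dir --verify " . $sigFile . " - 2>&1";
}

// Hardened: no shell at all. proc_open() with an argv array (PHP >= 7.4)
// execs gpg directly, the message goes down a pipe, and no message content
// is ever part of a command line. This also avoids the argument-length
// limit that "echo" hits on a large message.
function verify_detached_signature(string $gpg, string $dir, string $sigFile, string $signedText): array
{
    $argv = [$gpg, '--batch', '--no-tty', '--homedir', $dir, '--verify', $sigFile, '-'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['rc' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    fwrite($pipes[0], $signedText);
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $rc = proc_close($proc);
    // gpg exits 0 only for a good signature; treat anything else as failure
    return ['rc' => $rc, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed mail body: reads as harmless text, but $(...) runs when the
// shell parses the vulnerable command line.
$body = 'Hi Alice, please see the attached report. $(id > /tmp/pwned)';

echo "shell command the plugin would run:\n  ",
     verify_cmd_vulnerable($path_to_gpg, $gpg_key_dir, $sig_file, $body), "\n";

if (is_executable($path_to_gpg) && is_file($sig_file)) {
    $r = verify_detached_signature($path_to_gpg, $gpg_key_dir, $sig_file, $body);
    printf("gpg exit code %d; stderr:\n%s\n", $r['rc'], $r['stderr']);
} else {
    echo "gpg or the signature file is not present here; verify_detached_signature() was not run.\n";
}
```

The advisory's escapeshellarg() workaround does close the hole, because single quotes stop every form of shell expansion and embedded single quotes are escaped. Removing the shell from the path is the more robust fix: there is nothing left to escape, and the message can be arbitrarily large. Whichever form is used, the verification result must be taken from gpg's exit code, not from the presence of text in its output.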


SquirrelMail G/PGP Plugin deleteKey() Command Injection Vulnerability
Remote exploitation of a command injection vulnerability in the G/PGP 
Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail 
package allows attackers to execute arbitrary commands with the privileges 
of the underlying web server.

The problem specifically exists within the function deleteKey() defined in 
gpg_keyring.php. A call is made to exec() with unfiltered user-supplied 
data as demonstrated in the following piece of code:

    $command = "$path_to_gpg --batch --no-tty --yes --homedir \
                $gpg_key_dir $flag $fpr 2>&1";
    exec($command, $output, $returnval);

The deleteKey() routine is called from three files: import_key_file.php, 
import_key_text.php and keyring_main.php. The '$fpr' variable from above 
is supplied in the POST data. The attacker must have a valid authenticated 
session to exploit this vulnerability.

Analysis:
Exploitation of the described vulnerability allows authenticated remote 
attackers to execute arbitrary commands with the privileges of the 
underlying web server.

This vulnerability could be exploited by webmail users to gain shell 
access on the target server and potentially further compromise the system 
with local privilege escalation vulnerabilities.

Detection:
iDefense has confirmed the existence of this vulnerability in the latest 
version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. 
Furthermore, this vulnerability has been confirmed to exist as early as 
version 2.0. Other versions may be affected.

Workaround:
Disable the G/PGP Plugin if it is not required. Alternatively, add the 
following line above the initialization of the '$command' variable just 
prior to the call to exec():

    $fpr = escapeshellarg($fpr);

Please note that this is an unofficial source patch, but should be 
sufficient as a workaround until an official patch is released from the 
vendor.

Vendor response:
The maintainers of the SquirrelMail G/PGP plug-in have not responded to 
repeated inquiries regarding this vulnerability. As such, it remains 
unpatched, even in the most current release made on July 7th, 2007.

CVE Information:
CVE-2005-1924 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1924>
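The gpg_recv_key() and deleteKey() issues are the same defect: a POST value interpolated into an exec() string. The added example below (written for this page, not plugin or iDefense code) rebuilds both command lines with a constructed injection payload and then hardens them. Paths are assumed, and the two gpg delete options accepted for $flag are an assumption about the plugin; the functions return the command line and never run it. The point to take beyond the advisory's one-line workaround is that escapeshellarg() stops the shell from splitting the value, but a value beginning with "--" still reaches gpg as one word that gpg may parse as an option, so the value should also be restricted to the shape a host name or hex key id can take.

```php
<?php
// Added example, not code from the G/PGP plugin. Rebuilds the exec() strings
// from gpg_recv_key() and deleteKey() with a constructed POST value, then
// hardens them. Paths are assumed; nothing here executes a command.

$path_to_gpg = '/usr/bin/gpg';
$gpg_key_dir = '/var/www/squirrelmail/data/alice.gpg';

// Vulnerable: the interpolation pattern quoted in the advisory.
function recv_key_cmd_vulnerable(string $gpg, string $dir, string $keyserver, string $keyid): string
{
    return "$gpg --batch --no-tty --homedir $dir --keyserver hkp://$keyserver --recv-key $keyid 2>&1";
}

function delete_key_cmd_vulnerable(string $gpg, string $dir, string $flag, string $fpr): string
{
    return "$gpg --batch --no-tty --yes --homedir $dir $flag $fpr 2>&1";
}

// A keyserver is a host name (optionally with a port) and nothing else.
function is_valid_keyserver(string $keyserver): bool
{
    return (bool) preg_match('/^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:[0-9]{1,5})?$/', $keyserver);
}

// A key id or fingerprint is 8, 16, 32 or 40 hex digits, optional 0x prefix.
function is_valid_key_id(string $id): bool
{
    return (bool) preg_match('/^(0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{32}|[0-9A-Fa-f]{40})$/', $id);
}

// Hardened: whitelist the shape, then escapeshellarg() every value.
// escapeshellarg() keeps "; id" from being split by the shell, but a value
// such as "--homedir" would still reach gpg as one word that gpg may treat
// as an option; the hex/host-name checks are what rule that out.
function recv_key_cmd_safe(string $gpg, string $dir, string $keyserver, string $keyid): ?string
{
    if (!is_valid_keyserver($keyserver) || !is_valid_key_id($keyid)) {
        return null;
    }
    return escapeshellarg($gpg) . ' --batch --no-tty --homedir ' . escapeshellarg($dir)
        . ' --keyserver ' . escapeshellarg('hkp://' . $keyserver)
        . ' --recv-key ' . escapeshellarg($keyid) . ' 2>&1';
}

// $flag is assumed to be set by plugin code, not the user, and is pinned to
// the two gpg delete operations (an assumption about the plugin's values).
function delete_key_cmd_safe(string $gpg, string $dir, string $flag, string $fpr): ?string
{
    if (!in_array($flag, ['--delete-keys', '--delete-secret-keys'], true) || !is_valid_key_id($fpr)) {
        return null;
    }
    return escapeshellarg($gpg) . ' --batch --no-tty --yes --homedir ' . escapeshellarg($dir)
        . ' ' . $flag . ' ' . escapeshellarg($fpr) . ' 2>&1';
}

// Constructed attacker input: a second command appended after ';'. The
// trailing '#' comments out the rest of the line, including "2>&1".
$evil_keyserver = 'pgp.example.org; id > /tmp/pwned #';
$evil_fpr       = '0123456789ABCDEF; id > /tmp/pwned #';

printf("vulnerable recv-key:\n  %s\n", recv_key_cmd_vulnerable($path_to_gpg, $gpg_key_dir, $evil_keyserver, '0xDEADBEEF'));
printf("hardened recv-key (evil):\n  %s\n", recv_key_cmd_safe($path_to_gpg, $gpg_key_dir, $evil_keyserver, '0xDEADBEEF') ?? 'rejected');
printf("hardened recv-key (ok):\n  %s\n", recv_key_cmd_safe($path_to_gpg, $gpg_key_dir, 'pgp.example.org', '0xDEADBEEF'));

printf("vulnerable delete-key:\n  %s\n", delete_key_cmd_vulnerable($path_to_gpg, $gpg_key_dir, '--delete-keys', $evil_fpr));
printf("hardened delete-key (evil):\n  %s\n", delete_key_cmd_safe($path_to_gpg, $gpg_key_dir, '--delete-keys', $evil_fpr) ?? 'rejected');
printf("hardened delete-key (ok):\n  %s\n", delete_key_cmd_safe($path_to_gpg, $gpg_key_dir, '--delete-keys', '0123456789ABCDEF'));
```

Running this prints the two vulnerable command lines with the injected "; id > /tmp/pwned" visible in the middle of them, "rejected" for both hardened calls on the malicious input, and a fully quoted command line for the legitimate values. For a fingerprint the whitelist is the natural fix; there is no legitimate key id containing a semicolon, a space or a leading dash, so nothing is lost by refusing them.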


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs Security Advisories 
<idlabs-advisories@idefense.com>.
The original articles can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=555
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=331
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=330
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=329


