The followig python script exploits this vulnerability to execute an attacker provided bash script on the remote server. Verify the execution of the command with "ls /tmp/executed" on the remote server Go to Options -> Personal Informations and set the following payload as Email Address:ĥ. Upload it as a mail attachment and get it's remote name (ex: lF51mGPJwdqzV3LEDlCdSVNpohzgF7sD)ģ. Mlocal, P=/usr/bin/touch, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,Ģ. Create a rogue sendmail.cf that triggers the execution of a /usr/bin/touch: To reproduce the issue follow these steps:ġ. To use it as commandline (useSendmail directive of the config file set to true).Īlso, the edit_identity directive of the config file must be bet to true, but this is the default configuration. In order to exploit this vulnerability the MTA in use must be sendmail and Squirrelmail must be configured The $envelopefrom variable is controlled by the attacker, hence it's possible to trick sendmail to use anĪttacker-provided configuration file that triggers the execution of an arbitrary command. $stream = popen(escapeshellcmd($this->sendmail_command), "w") $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom" The use of escapeshellcmd() is not correct in this case since it don'tĮscapes whitespaces allowing the injection of arbitrary command parameters. The problem is in Deliver_ on initStream function that uses escapeshellcmd() to sanitize the It's possible to exploit this vulnerability toĮxecute arbitrary shell commands on the remote server. It fails to sanitize a string before passing it to a popen call. Squirrelmail version 1.4.22 (and probably prior) is vulnerable to a remote code execution vulnerability because Title: Squirrelmail Remote Code ExecutionĬredit: filippo.cavallarin () wearesegment com It works regardless of if the users have set their own preferences or not.By Thread CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution If you want to force some preference settings for all your users, it's possible when using the Forced Preferences plugin. Save the file as /tmp/default.pref, change to the data directory, and run the following command from the prompt: for l in `ls *.pref` do cat /tmp/default.pref > $l done If you, for example, want mails to display as HTML by default and change the font to a custom one by using CSS, create a file containing: This is a simple shell solution to edit more than one user preference file at once. It's not recommended to delete the preference files, since that will revert all preferences edited by your users, including such settings as their real names.Īn example script TODO: Write a better script (in Perl) providing this functionality and include it the SquirrelMail distribution. If you want to add preferences to existing user accounts, you should edit (manually or by a script) their existing preference files. Note that the default_pref file works only for users that don't have an existing preference file (i.e. If you want to duplicate all settings, you can copy the entire file, but be careful that nothing with your name, mail address, or other personal items get copied. Note that some plugins can have multiple setting lines.Ĭopy those settings into the default_pref file in the data directory. Most plugin settings are identified by the plugin's name being the first thing on the line. It's in the data directory and looks something like username.pref or depending on what your usernames look like.įind the relevant settings. Open the preference file related to the account you used. Log into your own account (or a test account) and get all your configuration set to what you'd like the defaults to be. This is what you need to do to accomplish that. Or you may simply want to change the default theme, etc. As you add plugins to your SquirrelMail installation, you might want to configure some of them on your own account and then propagate those settings to all of your users. If SquirrelMail is configured to use file-based preferences, default preferences are stored in your data directory in a file called default_pref.
0 Comments
Leave a Reply. |