
Openwebmail 1.71 remote root compromise

by Nikola Strahija on December 19th, 2002

Remote exploitation of several errors within the Openwebmail scripts could allow a remote attacker to execute arbitrary commands with superuser permissions.


Software : Openwebmail (http://openwebmail.org)
Version : ?.?? -> 1.71 (current)
Type : Arbitrary command execution
Remote : yes
Root : yes (!!!)
Date : December 18, 2002

I. BACKGROUND

Openwebmail is a web-based email system. It consists of several Perl CGI
scripts that run under the superuser account (suidperl is used).

II. DESCRIPTION

Remote exploitation of several errors within the Openwebmail scripts
could allow a remote attacker to execute arbitrary commands with
superuser permissions. Although this requires the attacker to be able to
place two files on the target system (e.g. via FTP, or through local shell
access), it is a serious vulnerability and should be treated as such.

Let's inspect the sources:

--- openwebmail-abook.pl
#!/usr/bin/suidperl -T
...
require "openwebmail-shared.pl";
...
openwebmail_init();
...
---

--- openwebmail-shared.pl
...
sub openwebmail_init {
...
$thissession = param("sessionid"); # (0)
...
$loginname =~ s/-session-0.*$//; # (1)

my $siteconf;
if ($loginname=~/\@(.+)$/) {
$siteconf="$config{'ow_etcdir'}/sites.conf/$1"; # (2)
} else {
my $httphost=$ENV{'HTTP_HOST'}; $httphost=~s/:\d+$//;
$siteconf="$config{'ow_etcdir'}/sites.conf/$httphost";
}
readconf(\%config, \%config_raw, "$siteconf") if ( -f "$siteconf"); # (3)
...
require $config{'auth_module'}; # (4)
---


(0) The attacker controls this value completely, e.g.:
http://site.url/cgi-bin/[email protected][PATH]-session-0

(1) $loginname now holds [PATH] (e.g. "../../../../../home/ftp/incoming/attacker.conf")

(2) $siteconf holds the path to a custom config file on the server. The
attacker can upload that config file via anonymous FTP (if any), or simply
place it somewhere on the filesystem (if he has local access).

(3) readconf() treats $siteconf as a plaintext file, every line of which has the format:
--
var_name variable_value
--
In our case the file should contain the line:
--
auth_module /home/ftp/incoming/exploit.pl
--

(4) The attacker-supplied auth_module is then require'd, i.e. executed, with superuser permissions (!!!)


III. DETECTION

To detect whether or not you are running a vulnerable version of the openwebmail
software, check the responses of the CGI scripts. For example:

--------
[[email protected]][~]: lynx -dump http://site/cgi-bin/openwebmail/openwebmail.pl | grep -i "version"
Open WebMail version 1.71
--------

Vulnerable versions are ?.?? -> 1.71

IV. RECOMMENDATIONS

Temporarily disable Openwebmail until a patch is released by the vendor,
or fix openwebmail-shared.pl by changing

---
$loginname =~ s/-session-0.*$//; # Grab loginname from sessionid
---

into

---
$loginname =~ s/-session-0.*$//; # Grab loginname from sessionid
$loginname =~ s/[.\/;|'"`&]//g;   # Strip path and shell metacharacters
---
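As an added example (not OpenWebMail's own code), here is an allowlist-based alternative to the strip-list fix above, applied to the same sessionid-to-siteconf derivation from section II: instead of deleting a handful of metacharacters, it accepts only loginnames of the form "user" or "user@host" and rejects everything else before the path is built. The %config location, the sample sessionids and the host name are assumed.

```perl
#!/usr/bin/perl
# Added example, not OpenWebMail's code: derive the per-site config path
# from the sessionid parameter the way openwebmail_init() does, but
# accept only an allowlisted loginname instead of stripping a few
# metacharacters. %config and all sample values are assumed.
use strict;
use warnings;

my %config = ( ow_etcdir => '/etc/openwebmail' );   # assumed location

# Returns the siteconf path for a sessionid, or undef when the
# loginname does not look like "user" or "user@host".
sub siteconf_for_session {
    my ($sessionid, $http_host) = @_;

    my $loginname = $sessionid;
    $loginname =~ s/-session-0.*$//;          # step (1) from the advisory

    # Allowlist: letters, digits, underscore, dot and hyphen, with an
    # optional single @host part. "/", quotes and backticks never match,
    # and ".." is refused separately so no traversal can be built.
    return undef unless $loginname =~ /^[\w.-]+(?:\@[\w.-]+)?$/;
    return undef if $loginname =~ /\.\./;

    my $site;
    if ($loginname =~ /\@(.+)$/) {
        $site = $1;
    } else {
        $site = $http_host;                   # same fallback as step (2)
        $site =~ s/:\d+$//;
        return undef unless $site =~ /^[\w.-]+$/ && $site !~ /\.\./;
    }
    return "$config{'ow_etcdir'}/sites.conf/$site";
}

# Constructed sample inputs: a normal session, a normal virtual-host
# session, and the traversal shape described in the advisory.
my @samples = (
    [ 'alice-session-0.123456',                                        'mail.example.net:443' ],
    [ 'alice@mail.example.net-session-0.123456',                        'mail.example.net' ],
    [ 'alice@../../../../../home/ftp/incoming/attacker.conf-session-0', 'mail.example.net' ],
);
for my $s (@samples) {
    my $path = siteconf_for_session(@$s);
    printf "%-65s -> %s\n", $s->[0], defined $path ? $path : 'REJECTED';
}
```

The first two samples resolve to a file directly under sites.conf, while the third is rejected before any path is formed, so readconf() and the later require never see an attacker-chosen file.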

V. VENDOR FIX

Software vendor was notified on 2002-12-18.

