Bugtraq mailing list archives
Re: Squirrelmail Chpasswod bof
From: Peter Geissler <blasty () geekz nl>
Date: 19 Apr 2004 09:16:45 -0000
In-Reply-To: <200404170420.32857.matias () neiff com ar>

Hi,

Did you drink too much when writing this `advisory'? No seriously, you even made a typo in the title of your thread! Did you inform the people at Squirrelmail about this?

I located the exact vuln in chpasspwd.c:

----
char User[STR_MAX];
char New_pw[50];
char Old_pw[50];
..
sprintf(User,"%s",argv[1]);
sprintf(Old_pw,"%s",argv[2]);
sprintf(New_pw,"%s",argv[3]);
----

STR_MAX has a value of 100. So as you probably already have seen, there occurs a stack-based overflow when user, old_pw or new_pw is filled with too many bytes (which come from argv[], the command line).

In your `exploitation example' you used local rights to exploit this. However, I think it's also possible to exploit it without shell access, using the squirrelmail web interface itself. I'm at work right now, but when I'm home I'll be looking into creating a PoC exploit for this one.

Best regards,
Peter "blasty" Geissler

P.S. The version of the chpasswd plugin found on the squirrelmail/SF page is still vulnerable to this bug, so I doubt you informed the people at squirrelmail..
From: Matias Neiff <matias () neiff com ar>
To: bugtraq () securityfocus com
Subject: Squirrelmail Chpasswod bof
Date: Sat, 17 Apr 2004 04:20:26 -0300
Organization: Pulso
Message-Id: <200404170420.32857.matias () neiff com ar>

Hi all

There is a buffer overflow in the chpasswd binary, distributed with the plugin. This allows a local user to execute commands as root.

---:::Prott:::---
root@orco:/mnt/hosting/hack/bof# su webmaster
webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
Using address: 0xbfffe325
bash-2.05b$ ./chpasswd $RET asdf asdf
The new password is equal to old password. Choose another password.
sh-2.05b# id
uid=0(root) gid=3(sys) groups=500(webmaster)
sh-2.05b#
---:::end:::---

Bye all
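As an added example (not code from the SquirrelMail chpasswd plugin or from either poster), here is the sprintf() pattern quoted in the reply beside a bounded replacement that refuses over-long argv[] strings instead of copying them into the 50- and 100-byte stack buffers. STR_MAX (100) and the 50-byte password buffers are taken from the reply; the names copy_arg, parse_chpasswd_args and demo_*, and the argument vectors they build, are assumptions made for this illustration.

```c
/* Added example, not code from the SquirrelMail chpasswd plugin or from
 * either poster. STR_MAX (100) and the 50-byte password buffers come from
 * the reply; copy_arg, parse_chpasswd_args, the demo_* helpers and their
 * constructed inputs are assumed names and data, not the plugin's own. */
#include <stdio.h>
#include <string.h>

#define STR_MAX 100   /* value stated in the reply */
#define PW_MAX  50    /* New_pw[50] / Old_pw[50] in the quoted snippet */

/* The pattern quoted from the plugin, for reference only. sprintf() does
 * not know how big its destination is, so an argv[] string of PW_MAX bytes
 * or more (STR_MAX for the user) runs off the end of the stack buffer and
 * overwrites what lies beyond it, including the saved return address. That
 * is what the advisory's "./chpasswd $RET asdf asdf" run relies on. */
void vulnerable_copy(char *user, char *old_pw, char *new_pw,
                     const char *a1, const char *a2, const char *a3)
{
    sprintf(user,   "%s", a1);
    sprintf(old_pw, "%s", a2);
    sprintf(new_pw, "%s", a3);
}

/* Hardened copy: the destination size travels with the pointer and the
 * source is scanned no further than dstsz bytes, so neither an over-long
 * argument nor a missing terminator can write past dst. Returns 0 on
 * success, -1 (leaving dst as "") if src would not fit with its NUL. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    while (n < dstsz && src[n] != '\0') n++;
    if (n == dstsz) return -1;   /* no room for the NUL: reject, don't truncate */
    memcpy(dst, src, n + 1);     /* n + 1 <= dstsz, so this stays in bounds */
    return 0;
}

struct chpasswd_args {
    char user[STR_MAX];
    char old_pw[PW_MAX];
    char new_pw[PW_MAX];
};

/* What a setuid helper should do with argv before it touches anything:
 * check the count, then bound every copy. Returns 0 only if all three fit. */
int parse_chpasswd_args(struct chpasswd_args *out, int argc, char **argv)
{
    if (argc < 4) return -1;
    if (copy_arg(out->user,   sizeof out->user,   argv[1]) != 0) return -1;
    if (copy_arg(out->old_pw, sizeof out->old_pw, argv[2]) != 0) return -1;
    if (copy_arg(out->new_pw, sizeof out->new_pw, argv[3]) != 0) return -1;
    return 0;
}

/* Constructed argument vectors (not from the advisory) at the boundaries.
 * Each returns 1 when parse_chpasswd_args behaves as intended. */
int demo_normal_args_accepted(void)
{
    struct chpasswd_args a;
    char *argv[] = { "chpasswd", "webmaster", "asdf", "asdf", NULL };
    return parse_chpasswd_args(&a, 4, argv) == 0
        && strcmp(a.user, "webmaster") == 0 && strcmp(a.new_pw, "asdf") == 0;
}

int demo_longest_fitting_password_accepted(void)
{
    struct chpasswd_args a;
    char pw[PW_MAX];
    memset(pw, 'A', PW_MAX - 1);    /* 49 bytes + NUL: exactly fills New_pw[50] */
    pw[PW_MAX - 1] = '\0';
    char *argv[] = { "chpasswd", "webmaster", "asdf", pw, NULL };
    return parse_chpasswd_args(&a, 4, argv) == 0 && strlen(a.new_pw) == PW_MAX - 1;
}

int demo_overlong_password_rejected(void)
{
    struct chpasswd_args a;
    char pw[2 * PW_MAX];
    memset(pw, 'A', sizeof pw - 1); /* 99 bytes: sprintf would have overrun Old_pw */
    pw[sizeof pw - 1] = '\0';
    char *argv[] = { "chpasswd", "webmaster", pw, "asdf", NULL };
    return parse_chpasswd_args(&a, 4, argv) == -1 && a.old_pw[0] == '\0';
}

int demo_overlong_user_rejected(void)
{
    struct chpasswd_args a;
    char user[STR_MAX + 1];
    memset(user, 'u', STR_MAX);     /* 100 bytes: one more than User[100] holds */
    user[STR_MAX] = '\0';
    char *argv[] = { "chpasswd", user, "asdf", "asdf", NULL };
    return parse_chpasswd_args(&a, 4, argv) == -1;
}

int main(void)
{
    printf("normal args accepted:       %d\n", demo_normal_args_accepted());
    printf("49-byte password accepted:  %d\n", demo_longest_fitting_password_accepted());
    printf("99-byte password rejected:  %d\n", demo_overlong_password_rejected());
    printf("100-byte user rejected:     %d\n", demo_overlong_user_rejected());
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. Two points worth noting: the bound has to count the terminator, so a 50-byte password is already one too many for a 50-byte buffer; and rejecting is preferable to silently truncating with snprintf(), since a truncated password would be stored as something other than what the user typed. Neither fix removes the separate concern the reply raises, that the binary is reachable from the web interface, so the arguments must be validated before the setuid helper is ever invoked as well.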
Current thread:
- Squirrelmail Chpasswod bof Matias Neiff (Apr 17)
- Re: Squirrelmail Chpasswod bof Jonathan Angliss (Apr 19)
- Re: Squirrelmail Chpasswod bof martin f krafft (Apr 19)
- <Possible follow-ups>
- Re: Squirrelmail Chpasswod bof Peter Geissler (Apr 19)
- Re: Squirrelmail Chpasswod bof rip (Apr 19)
- Re: Squirrelmail Chpasswod bof p dont think (Apr 27)