SquirrelMail 1.4.22 Remote Code Execution
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 795
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ / __ `/ __ `/ / /
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ / __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ / ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
Follow @dawid_golunski
~~~~~~~~~~~~ ExploitBox.io ~~~~~~~~~~~~~~~~
Interested in security / vulns / exploits ?
Check out the new project of the author of this advisory:
ExploitBox.io
A Playground & Labs for security folks into
hacking & the art of exploitation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
============================================
- Author: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2017-7692
- Release date: 22.04.2017
- Revision 1.0
- Severity: Critical
=============================================
I. VULNERABILITY
-------------------------
SquirrelMail <= 1.4.22 Remote Code Execution
II. BACKGROUND
-------------------------
"
SquirrelMail is a standards-based webmail package written in PHP.
It includes built-in pure PHP support for the IMAP and SMTP protocols, and all
pages render in pure HTML 4.0 (with no JavaScript required) for maximum
compatibility across browsers. It has very few requirements and is very easy
to configure and install. SquirrelMail has all the functionality you would
want from an email client, including strong MIME support, address books, and
folder manipulation."
https://squirrelmail.org/about/
III. INTRODUCTION
-------------------------
SquirrelMail is affected by a critical Remote Code Execution vulnerability
which stems from insufficient escaping of user-supplied data when
SquirrelMail has been configured with Sendmail as the main transport.
An authenticated attacker may be able to exploit the vulnerability
to execute arbitrary commands on the target and compromise the remote
system.
IV. DESCRIPTION
-------------------------
The vulnerability is similar to the following vulnerabilities previously discovered
by the author of this advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
When SquirrelMail has been configured with Sendmail as delivery transport,
SquirrelMail uses the following function to send out user emails:
-----[ ./class/deliver/Deliver_SendMail.class.php ]-----
function initStream($message, $sendmail_path, $ignore=0, $ignore='', $ignore='', $ignore='', $ignore='', $ignore=false, $ignore='') {
$rfc822_header = $message->rfc822_header;
$from = $rfc822_header->from[0];
$envelopefrom = trim($from->mailbox.'@'.$from->host);
$envelopefrom = str_replace(array("