Re: SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692)

[Kurt Seifried <kseifried () redhat com>]

On Mon, Apr 24, 2017 at 3:14 PM, Dawid Golunski <dawid () legalhackers com>
wrote:

> SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692)
>
> Desc.:
> SquirrelMail is affected by a critical Remote Code Execution vulnerability
> which stems from insufficient escaping of user-supplied data when
> SquirrelMail has been configured with Sendmail as the main transport.
> An authenticated attacker may be able to exploit the vulnerability
> to execute arbitrary commands on the target and compromise the remote
> system.
>
> Discovered by:
> Dawid Golunski (https://legalhackers.com : https://ExploitBox.io)
> , as well as Filippo Cavallarin (see attached advisory for details)
>
> Official solution:
> Vendor seems to have released a new version of 1.4.23 on
> squirrelmail-20170424_0200-SVN.stable.tar.gz
> which still seems to be vulnerable hence a new subject/thread.

So Squirrelmail's last release was 2011.

**************************************
*** SquirrelMail Stable Series 1.4 ***
**************************************

Version 1.4.22 - 12 July 2011

I don't want to tell people what to do, but the fact is squirrelmail is
probably not something you should be using.



> The exploit from my advisory was also confirmed to work on Ubuntu
> package: '1.4.23~svn20120406-2ubuntu1.16.04.1'.
>
> Hence the updated version in the subject/advisory title.
>
> Full advisory URL:
>
> https://legalhackers.com/advisories/SquirrelMail-
> Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
>
>
>
> --
> Regards,
> Dawid Golunski
> https://legalhackers.com
> https://ExploitBox.io
> t: @dawid_golunski



-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com