J-Security Center

Title: Endymion MailMan Remote Arbitrary Command Execution Vulnerability

Severity: LOW

Description:

A vulnerability exists in 3.x versions of Endymion MailMan Webmail prior to release 3.0.26.

MailMan is a widely used Perl script that provides a web-based email interface.

MailMan contains an input validation vulnerability that can lead to remote attackers gaining access to target webservers.

The problem involves the use of Perl's open() function. In Perl, open() is used for reading from files, writing to files and executing programs (in the manner of libc's popen()). It determines which of these operations is desired from a metacharacter in the argument string; the metacharacter for reading from a file, for example, is '<'.

Normally this value is hard-coded into the argument string, or the program flow determines what it should be. It is dangerous if the user can control it, because the entire I/O operation can then be changed.

In MailMan, the metacharacter or 'operator' can be passed to open() by the user inside an HTML form variable. In addition, NULL bytes are not removed from the string, so the user can control where the data ends.

As a result, a remote user can execute an arbitrary command on the target webserver by supplying the 'execute' character ('|') in the open() command string. The data that MailMan appends to the user-supplied variable can be effectively removed, as interpreted by the lower-level C calls, by placing a NULL at the end of the command string. (This is not strictly necessary: open() uses the shell to interpret commands and their arguments when it is executing commands, so the user can use shell characters to delimit the command from the extra data.)

As a result of this manipulation, an attacker can execute arbitrary commands on a vulnerable host.

This vulnerability could be used by a remote attacker to gain interactive local access on the target host.

It is significantly easier for an attacker with interactive local access to a host to obtain root privileges.
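As an added example (not MailMan's own code, and not part of the advisory), the two-argument open() pattern described above beside a hardened form: the mode is fixed in code with three-argument open() and the mailbox name is allow-listed before any filesystem call. The base directory and function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern (illustrative): two-argument open() with the leading
# mode character taken from an untrusted form field and MailMan-style data
# appended after it. Perl parses '<', '>', '>>' and '|' out of the string
# itself, so the caller chooses whether this reads a file, truncates a file
# or runs a command, and a NUL in the name ends the string early at the C level.
sub open_mailbox_unsafe {
    my ($operator, $name) = @_;            # both taken from the HTTP request
    my $spec = $operator . $name . ".mbx";
    open(my $fh, $spec) or return undef;   # mode is decided by the data
    return $fh;
}

# Hardened form. Three-argument open() fixes the mode in code and treats its
# third argument strictly as a filename, never as a pipe; the name is
# allow-listed first so '|', '<', '>', '/', '..' and NUL bytes are all
# rejected before any filesystem call.
sub is_valid_mailbox_name {
    my ($name) = @_;
    return 0 unless defined $name;
    # \A and \z anchor the whole string ($ would stop before a trailing "\n")
    return $name =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/ ? 1 : 0;
}

sub open_mailbox_safe {
    my ($name, $base_dir) = @_;
    $base_dir //= '/var/mail/webmail';     # assumed location, not MailMan's own
    die "invalid mailbox name\n" unless is_valid_mailbox_name($name);
    my $path = "$base_dir/$name.mbx";
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    return $fh;
}

# Demonstration on constructed inputs: only the allow-list check runs here,
# nothing is opened or executed.
my @inputs = ("inbox", "inbox|", "|id", "<inbox", "inbox\0x", "../etc", "-");
for my $n (@inputs) {
    (my $shown = $n) =~ s/\0/\\0/g;
    printf "%-10s %s\n", $shown, is_valid_mailbox_name($n) ? "accepted" : "rejected";
}
```

Only "inbox" passes the check; every input carrying an open() metacharacter, a NUL byte, a path component or a leading '-' is rejected before reaching open().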

Affected Products:

  • Endymion MailMan WebMail 3.0.0
  • Endymion MailMan WebMail 3.0.1
  • Endymion MailMan WebMail 3.0.10
  • Endymion MailMan WebMail 3.0.11
  • Endymion MailMan WebMail 3.0.12
  • Endymion MailMan WebMail 3.0.13
  • Endymion MailMan WebMail 3.0.14
  • Endymion MailMan WebMail 3.0.15
  • Endymion MailMan WebMail 3.0.16
  • Endymion MailMan WebMail 3.0.18
  • Endymion MailMan WebMail 3.0.19
  • Endymion MailMan WebMail 3.0.20
  • Endymion MailMan WebMail 3.0.21
  • Endymion MailMan WebMail 3.0.22
  • Endymion MailMan WebMail 3.0.23
  • Endymion MailMan WebMail 3.0.24
  • Endymion MailMan WebMail 3.0.25
