One Article Review

Source: Code White
ID: 351859
Publication date: 2015-05-20 15:03:17 (seen: 2015-05-20 15:03:17)
Title: CVE-2015-2079: Arbitrary Command Execution in Usermin
Text

While performing a penetration test for a customer, I stumbled across a command execution vulnerability in Usermin that is pretty trivial to identify and to exploit. The interesting part is that this vulnerability survived for almost 13 years.

Introduction

According to the Usermin homepage:

Usermin is a web-based interface for webmail, password changing, mail filters, fetchmail and much more. It is designed for use by regular non-root users on a Unix system, and limits them to tasks that they would be able to perform if logged in via SSH or at the console.

Usermin can therefore be seen as a web alternative to interactive machine access as a specific system user. In real environments, however, Usermin is often used to limit a user's rights to a few specific actions via the web, for example to act as a webmailer only. In that case, arbitrary command execution is definitely not a desired feature. Nonetheless, enter CVE-2015-2079, which affects Usermin versions 0.980 (dating back to 2002-12-16) through 1.650 (the latest unpatched version, released 2015-02-16) by exploiting a specific behavior of Perl's open() function.

Summary

An authenticated Usermin user can specify the path to an arbitrary file on the server that should be attached as a signature to every new email, via the "Signature file" configuration setting with the "Other file" option. This is due to the function get_signature in usermin/mailbox/mailbox-lib.pl, which calls open() on that path without any prior validation:

For what it's worth, that alone is a vulnerability (an arbitrary file read). But according to an old bug report dating back to 2005, this is not a bug but a feature:

This is not really a bug, as normal Unix file permissions still apply, so really critical files like /etc/shadow cannot be used as a signature. Also, the feature for attaching server-side files could be used in the same way

Besides that, due to a specific behavior of the Perl function used to open the user-specified file, it is possible to provide and execute shell commands.
Vulnerability Details

Perl's open() function can do more than open regular files. When it is called with just two arguments (i.e., open FILEHANDLE,EXPR), the second argument can also carry mode information via prefixes and suffixes. For example, the open mode can be selected with the prefix > for writing to, or >> for appending to, the file. And with | as a prefix or suffix it is possible to start interprocess communication; as perlipc puts it:

Perl's basic open() statement can also be used for unidirectional interprocess communication by either appending or prepending a pipe symbol to the second argument to open().

Since Usermin's call to open() uses the two-argument form, we can provide a shell command enclosed in pipes as the Signature file, and that command is executed whenever the user composes a new email (its output is shown within the message text window) or edits the signature. As a proof of concept, a sig_file_free parameter with the value |uname -a| is sent to /uconfig_save.cgi in a POST request to Usermin like this:
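How the two-argument open() turns a "file name" into a command, and how the three-argument form closes that off, as an added example written for this review; it is not code from the Code White post or from Usermin. The helper names read_signature_unsafe and read_signature_safe, the temporary signature file and the payload list are assumptions made for the demo; the |uname -a| value is the article's. It runs stand-alone with a stock perl on a Unix system:

```perl
#!/usr/bin/perl
# Added example, not Usermin's code: contrasts Perl's two-argument open(),
# which parses EXPR for mode characters and pipe symbols, with the
# three-argument form that treats EXPR as an opaque path.  Helper names,
# the temp file and the payloads are assumptions made for this demo.
use strict;
use warnings;
use File::Temp qw(tempfile);

$| = 1;    # unbuffered stdout so child-process output lands in order

# Vulnerable shape (same two-argument call the article describes in
# get_signature, not its actual code): open() itself interprets $path.
sub read_signature_unsafe {
    my ($path) = @_;
    open(my $fh, $path) or return "open failed: $!";    # two-arg form
    my $data = do { local $/; <$fh> };                 # slurp whole handle
    close $fh;
    return defined $data ? $data : '';
}

# Hardened shape: an explicit '<' mode, so '|', '>' and friends inside
# $path are ordinary bytes of a file name and cannot change what open() does.
sub read_signature_safe {
    my ($path) = @_;
    open(my $fh, '<', $path) or return "open failed: $!";   # three-arg form
    my $data = do { local $/; <$fh> };
    close $fh;
    return defined $data ? $data : '';
}

# A legitimate signature file, constructed here so the demo runs offline.
my ($tmp_fh, $sig_path) = tempfile(UNLINK => 1);
print $tmp_fh "-- \nAlice, Example Corp\n";
close $tmp_fh;

# Constructed attacker values for the "Signature file" setting.
my @payloads = (
    $sig_path,       # honest path: both forms return the signature text
    'uname -a|',     # trailing pipe: two-arg form runs the command and
                     # returns its stdout as the "signature"
    '|uname -a|',    # the article's payload: the leading pipe wins, Perl
                     # drops the trailing one (warning "Can't open
                     # bidirectional pipe") and runs the command as a write
                     # pipe; its stdout is inherited from this process, which
                     # in a CGI is the HTTP response
    ">$sig_path",    # leading '>': two-arg form truncates the real file
);

for my $p (@payloads) {
    print "== payload: $p\n";
    print "two-arg   : ", read_signature_unsafe($p), "\n";
    print "three-arg : ", read_signature_safe($p), "\n";
}

# The '>' payload has already emptied the signature file.
printf "signature file now %d bytes\n", (stat $sig_path)[7];
```

Run with warnings on, as above, and Perl itself names the problem: the `uname -a|` payload makes the two-argument form return the command output as the signature, the article's `|uname -a|` payload still runs the command after a "Can't open bidirectional pipe" warning (the output goes to the process's own stdout, which for a CGI is the page the user sees, matching the article's observation that the output appears in the message text window), and the `>` payload silently truncates the file. The three-argument form fails with "No such file or directory" for all three. Note the caveat: switching to the three-argument open only removes command execution; the arbitrary-file-read the article also mentions remains until the path is additionally checked against an allowed location.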