[board] Fwd: [ppelanne at hostgator.com: Horde Webmail file inclusion proof of concept & patch.]

Kevin Konowalec webadmin at ualberta.ca
Fri Mar 7 16:28:33 UTC 2008


Hey guys,

So I'm wondering if we shouldn't have a formalized procedure/practice for getting things like this out to the masses? Seems like it would be the prudent thing to do...

K




Begin forwarded message:
>
> ----- Forwarded message from ppelanne at hostgator.com -----
>
> From: ppelanne at hostgator.com
> To: bugtraq at securityfocus.com
> Subject: Horde Webmail file inclusion proof of concept & patch.
>
> Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept & patch.
>
> A severe security vulnerability affects any Unix distribution running version 3.1.6 of the Horde webmail client included in most popular webhosting control panels. All previous versions are also affected, and it is believed, although not yet proven, that Horde Groupware is also vulnerable.
>
> Details are as follows:
>
> David Collins and Patrick Pelanne, along with the rest of the HostGator.com LLC support team, discovered that Horde was not properly sanitizing POST variables for several options, including its themes. By maliciously modifying POST data sent to the client, the attacker can modify the location of the theme variable, and Horde will subsequently insert this information into its database. By modifying this POST variable one can allow for directory traversal and file inclusion, which can lead to full root privilege escalation.
>
> Proof of concept:
>
> Data injected through malicious tampering of POST data:
>
> mysql> select * from horde_prefs where pref_uid='bbarker at hostgator.com' and pref_name='theme';
> +-------------------------+------------+-----------+----------------------------------------------------------------------------------------------------------------------------+
> | pref_uid                | pref_scope | pref_name | pref_value                                                                                                                 |
> +-------------------------+------------+-----------+----------------------------------------------------------------------------------------------------------------------------+
> | bbarker at hostgator.com | horde      | theme     | ../../../../../../../../../../../../../../../../../../tmp/.horde/imp/attachments/bbarker at hostgator.com/1204804402/t.txt |
> +-------------------------+------------+-----------+----------------------------------------------------------------------------------------------------------------------------+
>
> Shown above, the malicious POST variable was inserted into the database and now points to the malicious code denoted by t.txt.
>
> A truncated strace shows the access and execution of the malicious code when the user enters the Horde webmail client:
>
> 31852 lstat64("/usr", {st_dev=makedev(3, 3), st_ino=2, st_mode=S_IFDIR|0755, st_nlink=18, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=16, st_size=4096, s$
> 31852 lstat64("/usr/local", {st_dev=makedev(3, 3), st_ino=608001, st_mode=S_IFDIR|0755, st_nlink=26, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=16, st_s$
> 31852 lstat64("/usr/local/cpanel", {st_dev=makedev(3, 3), st_ino=18539, st_mode=S_IFDIR|0711, st_nlink=37, st_uid=0, st_gid=10, st_blksize=4096, st_blocks=8$
> 31852 lstat64("/usr/local/cpanel/base", {st_dev=makedev(3, 3), st_ino=85078, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=0, st_gid=0, st_blksize=4096, st_bloc$
> 31852 lstat64("/usr/local/cpanel/base/horde", {st_dev=makedev(3, 3), st_ino=85388, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=32002, st_gid=32004, st_blksize$
> 31852 lstat64("/usr/local/cpanel/base/horde/config", {st_dev=makedev(3, 3), st_ino=115868, st_mode=S_IFDIR|0755, st_nlink=2, st_uid=32002, st_gid=32004, st_$
> 31852 lstat64("/usr/local/cpanel/base/horde/themes", {st_dev=makedev(3, 3), st_ino=86796, st_mode=S_IFDIR|0755, st_nlink=28, st_uid=32002, st_gid=32004, st_$
> 31852 lstat64("/tmp", {st_dev=makedev(7, 1), st_ino=2, st_mode=S_IFDIR|S_ISVTX|0777, st_nlink=9, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=64, st_size=$
> 31852 lstat64("/tmp/.horde", {st_dev=makedev(7, 1), st_ino=38609, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004, st_blksize=4096, st_blocks=2$
> 31852 lstat64("/tmp/.horde/imp", {st_dev=makedev(7, 1), st_ino=38610, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004, st_blksize=4096, st_bloc$
> 31852 lstat64("/tmp/.horde/imp/attachments", {st_dev=makedev(7, 1), st_ino=38611, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004, st_blksize=4$
> 31852 lstat64("/tmp/.horde/imp/attachments/patrick at hostgator.com", {st_dev=makedev(7, 1), st_ino=38612, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st$
> 31852 lstat64("/tmp/.horde/imp/attachments/patrick at hostgator.com/1204804402", {st_dev=makedev(7, 1), st_ino=38613, st_mode=S_IFDIR|0700, st_nlink=2, st_ui$
> 31852 lstat64("/tmp/.horde/imp/attachments/patrick at hostgator.com/1204804402/t.txt", {st_dev=makedev(7, 1), st_ino=38614, st_mode=S_IFREG|0600, st_nlink=1,$
> 31852 open("/tmp/.horde/imp/attachments/patrick at hostgator.com/1204804402/t.txt", O_RDONLY) = 4
>
> We have also included a patch below for this vulnerability, tested on Horde v2.105.4.8 2006/07/29 16:49:19.
>
>
> --- horde/lib/Horde/Prefs.php   2008-03-06 21:14:38.000000000 -0600
> +++ horde/lib/Horde/Prefs.patched       2008-03-06  
> 20:10:56.000000000 -0600
> @@ -325,12 +325,23 @@
>         }
>
>         return (isset($this->_prefs[$pref]['v'])) ?
> -            ($convert ?
> +            $this->_fixhole($pref,$convert ?
>              $this->convertFromDriver($this->_prefs[$pref]['v'],  
> $charset) :
>              $this->_prefs[$pref]['v']) :
>             null;
>     }
>
> +function _fixhole($pref,$value) {
> +      $sanitize = '/^[a-z0-9._-]+$/i';
> +      if (preg_match($sanitize, $value) && $pref == 'theme') {
> +              return $value;
> +      } elseif ($pref == 'theme') {
> +                return "mozilla";
> +      } else {
> +                return $value;
> +      }
> +}
> +
>     function __get($name)
>     {
>         return $this->getValue($name);
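Review bot: the allowlist `/^[a-z0-9._-]+$/i` in `_fixhole` still matches `.` and `..`, since it only excludes `/`, so a stored theme of `..` resolves to the directory above `themes/`; require an alphanumeric first character (`/^[a-z0-9][a-z0-9._-]*$/i`) or, better, compare the value against the theme directories actually installed. The check also runs only in `getValue()`, so the tainted row stays in `horde_prefs` and is returned unchanged by anything that reads the driver directly; the same validation belongs where the preference is stored from the POST data the advisory describes, and the advisory says "several options" are affected while the patch handles `theme` alone. Minor: the fallback `"mozilla"` is hard-coded rather than taken from the configured default, the two `$pref == 'theme'` tests can collapse to `if ($pref != 'theme' || preg_match($sanitize, $value)) { return $value; } return 'mozilla';`, and the new method should be indented like its neighbours.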
>
>
> -- Begin Signature --
> HostGator.com is looking for qualified systems administrators. Please send an e-mail to jobs at hostgator.com with your resume!
>
>
> ----- End forwarded message -----
>
> -- 
> #!/usr/bin/perl
> if ((not 0 && not 1) !=  (! 0 && ! 1)) {
>   print "Larry and Tom must smoke some really primo stuff...\n";
> }
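The mechanism the advisory describes (a stored preference used verbatim as a path component) and the allowlist approach taken by the posted patch, as an added PHP example that is not Horde's code and not HostGator's patch. The function names, the one-directory-per-theme layout under themes/, and the files the demo creates under the system temp directory are assumptions made for illustration.

```php
<?php
// Added example for this thread; not Horde code and not the HostGator patch.
// Function names, the themes/ layout (one directory per theme) and the demo
// files are assumptions made for illustration.

// Vulnerable pattern from the advisory: a stored preference is used verbatim
// as a path component, so "../../../../tmp/.../t.txt" walks out of themes/.
function theme_file_vulnerable(string $themesDir, string $theme): string
{
    return $themesDir . '/' . $theme;
}

// The allowlist from the posted patch, kept here only to show its gap:
// it excludes "/" but still matches "." and "..".
function patch_allowlist_accepts(string $theme): bool
{
    return preg_match('/^[a-z0-9._-]+$/i', $theme) === 1;
}

// Hardened resolution: a syntactic allowlist that cannot match "." or "..",
// a comparison against the themes actually installed, and a realpath
// containment check so a symlinked theme directory cannot escape either.
function theme_file_safe(string $themesDir, string $theme): ?string
{
    // First character must be alphanumeric, so "." and ".." never match.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $theme)) {
        return null;
    }
    if (!in_array($theme, installed_themes($themesDir), true)) {
        return null;
    }
    $base = realpath($themesDir);
    $candidate = realpath($themesDir . '/' . $theme);
    if ($base === false || $candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Directory names under themes/, excluding dot entries and plain files.
function installed_themes(string $themesDir): array
{
    $names = [];
    foreach (scandir($themesDir) ?: [] as $entry) {
        if ($entry[0] !== '.' && is_dir($themesDir . '/' . $entry)) {
            $names[] = $entry;
        }
    }
    return $names;
}

// Constructed layout under the system temp directory: one real theme and an
// "attachment" outside themes/, standing in for /tmp/.horde/imp/attachments.
$root = sys_get_temp_dir() . '/horde-theme-demo-' . getmypid();
mkdir("$root/themes/mozilla", 0700, true);
mkdir("$root/attachments", 0700, true);
file_put_contents("$root/attachments/t.txt", "<?php /* attacker-controlled */\n");

// Same shape as the pref_value stored in the advisory's horde_prefs row.
$payload = '../attachments/t.txt';

printf("vulnerable resolves to: %s\n",
    realpath(theme_file_vulnerable("$root/themes", $payload)));
printf("patch regex accepts '..': %s\n",
    patch_allowlist_accepts('..') ? 'yes' : 'no');
printf("safe(payload):  %s\n", var_export(theme_file_safe("$root/themes", $payload), true));
printf("safe('..'):     %s\n", var_export(theme_file_safe("$root/themes", '..'), true));
printf("safe('mozilla'): %s\n", var_export(theme_file_safe("$root/themes", 'mozilla'), true));

// Remove the demo files again.
unlink("$root/attachments/t.txt");
rmdir("$root/attachments");
rmdir("$root/themes/mozilla");
rmdir("$root/themes");
rmdir($root);
```

Run with `php example.php`. The vulnerable function hands the traversal payload straight to the filesystem and it resolves to the attacker's file outside themes/, the patch's own regex accepts `..`, and the hardened function returns null for both the payload and `..` while returning the real directory for `mozilla`. The same check should run where the preference is written from the POST request, not only when it is read back, because a filter applied only on read leaves the tainted value in the database for any other reader.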
>



More information about the board mailing list