[board] Fwd: [ppelanne at hostgator.com: Horde Webmail file inclusion proof of concept & patch.]

Jan Schneider jan at horde.org
Fri Mar 7 16:39:05 UTC 2008


Geez, these guys just informed us yesterday, and I even replied to  
them already. Very helpful. And their exploit is even wrong.

Quoting Kevin Konowalec <webadmin at ualberta.ca>:

> Hey guys,
>
> So I'm wondering if we shouldn't have a formalized procedure/practice
> for getting things like this out to the masses?  Seems like it would
> be the prudent thing to do...
>
> K
>
>
>
>
> Begin forwarded message:
>>
>> ----- Forwarded message from ppelanne at hostgator.com -----
>>
>> From: ppelanne at hostgator.com
>> To: bugtraq at securityfocus.com
>> Subject: Horde Webmail file inclusion proof of concept & patch.
>>
>> Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept
>> & patch.
>>
>> A severe security vulnerability affects any unix distribution
>> running version 3.1.6 of the Horde webmail client included in most
>> popular webhosting control panels. All previous versions are also
>> affected and it is believed although not yet proven that Horde
>> Groupware is also vulnerable.
>>
>> Details are as follows:
>>
>> David Collins and Patrick Pelanne along with the rest of the
>> HostGator.com LLC support team discovered that Horde was not
>> properly sanitizing POST variables for several options including
>> its themes. By maliciously modifying POST data sent to the client
>> the attacker can modify the location of the theme variable and Horde
>> will subsequently insert this information into its database. By
>> modifying this POST variable one can allow for directory traversal
>> and file inclusion which can lead to full root privilege escalation.
>>
>> Proof of concept:
>>
>> Data injected through malicious tampering of POST data:
>>
>> mysql> select * from horde_prefs where
>> pref_uid='bbarker at hostgator.com' and  pref_name='theme';
>> +-------------------------+------------+-----------+---------------------------------------------------------------------------------------------------------------------------+
>> | pref_uid                | pref_scope | pref_name | pref_value                                                                                                                |
>> +-------------------------+------------+-----------+---------------------------------------------------------------------------------------------------------------------------+
>> | bbarker at hostgator.com | horde      | theme     | ../../../../../../../../../../../../../../../../../../tmp/.horde/imp/attachments/bbarker at hostgator.com/1204804402/t.txt |
>>
>> Shown above, the malicious POST variable was inserted into the
>> database and now points to the malicious code denoted by t.txt
>>
>> A truncated strace shows the access and execution of the malicious
>> code when the user enters the Horde webmail client:
>>
>> 31852 lstat64("/usr", {st_dev=makedev(3, 3), st_ino=2,
>> st_mode=S_IFDIR|0755, st_nlink=18, st_uid=0, st_gid=0,
>> st_blksize=4096, st_blocks=16, st_size=4096, s$
>> 31852 lstat64("/usr/local", {st_dev=makedev(3, 3), st_ino=608001,
>> st_mode=S_IFDIR|0755, st_nlink=26, st_uid=0, st_gid=0,
>> st_blksize=4096, st_blocks=16, st_s$
>> 31852 lstat64("/usr/local/cpanel", {st_dev=makedev(3, 3),
>> st_ino=18539, st_mode=S_IFDIR|0711, st_nlink=37, st_uid=0,
>> st_gid=10, st_blksize=4096, st_blocks=8$
>> 31852 lstat64("/usr/local/cpanel/base", {st_dev=makedev(3, 3),
>> st_ino=85078, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=0, st_gid=0,
>> st_blksize=4096, st_bloc$
>> 31852 lstat64("/usr/local/cpanel/base/horde", {st_dev=makedev(3, 3),
>> st_ino=85388, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=32002,
>> st_gid=32004, st_blksize$
>> 31852 lstat64("/usr/local/cpanel/base/horde/config",
>> {st_dev=makedev(3, 3), st_ino=115868, st_mode=S_IFDIR|0755,
>> st_nlink=2, st_uid=32002, st_gid=32004, st_$
>> 31852 lstat64("/usr/local/cpanel/base/horde/themes",
>> {st_dev=makedev(3, 3), st_ino=86796, st_mode=S_IFDIR|0755,
>> st_nlink=28, st_uid=32002, st_gid=32004, st_$
>> 31852 lstat64("/tmp", {st_dev=makedev(7, 1), st_ino=2,
>> st_mode=S_IFDIR|S_ISVTX|0777, st_nlink=9, st_uid=0, st_gid=0,
>> st_blksize=4096, st_blocks=64, st_size=$
>> 31852 lstat64("/tmp/.horde", {st_dev=makedev(7, 1), st_ino=38609,
>> st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004,
>> st_blksize=4096, st_blocks=2$
>> 31852 lstat64("/tmp/.horde/imp", {st_dev=makedev(7, 1),
>> st_ino=38610, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002,
>> st_gid=32004, st_blksize=4096, st_bloc$
>> 31852 lstat64("/tmp/.horde/imp/attachments", {st_dev=makedev(7, 1),
>> st_ino=38611, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002,
>> st_gid=32004, st_blksize=4$
>> 31852 lstat64("/tmp/.horde/imp/attachments/patrick at hostgator.com",
>> {st_dev=makedev(7, 1), st_ino=38612, st_mode=S_IFDIR|0700,
>> st_nlink=3, st_uid=32002, st$
>> 31852 lstat64("/tmp/.horde/imp/attachments/patrick at hostgator.com/
>> 1204804402", {st_dev=makedev(7, 1), st_ino=38613, st_mode=S_IFDIR|
>> 0700, st_nlink=2, st_ui$
>> 31852 lstat64("/tmp/.horde/imp/attachments/patrick at hostgator.com/
>> 1204804402/t.txt", {st_dev=makedev(7, 1), st_ino=38614,
>> st_mode=S_IFREG|0600, st_nlink=1,$
>> 31852 open("/tmp/.horde/imp/attachments/patrick at hostgator.com/
>> 1204804402/t.txt", O_RDONLY) = 4
>>
>> We have also included a patch below for this vulnerability tested on
>> Horde v2.105.4.8 2006/07/29 16:49:19
>>
>>
>> --- horde/lib/Horde/Prefs.php   2008-03-06 21:14:38.000000000 -0600
>> +++ horde/lib/Horde/Prefs.patched       2008-03-06 20:10:56.000000000 -0600
>> @@ -325,12 +325,23 @@
>>         }
>>
>>         return (isset($this->_prefs[$pref]['v'])) ?
>> -            ($convert ?
>> +            $this->_fixhole($pref,$convert ?
>>              $this->convertFromDriver($this->_prefs[$pref]['v'],
>> $charset) :
>>              $this->_prefs[$pref]['v']) :
>>             null;
>>     }
>>
>> +function _fixhole($pref,$value) {
>> +      $sanitize = '/^[a-z0-9._-]+$/i';
>> +      if (preg_match($sanitize, $value) && $pref == 'theme') {
>> +              return $value;
>> +      } elseif ($pref == 'theme') {
>> +                return "mozilla";
>> +      } else {
>> +                return $value;
>> +      }
>> +}
>> +
>>     function __get($name)
>>     {
>>         return $this->getValue($name);
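Review bot: the check is placed in getValue, so it only filters values on the way out; the traversal string is still written to horde_prefs unchanged, any read that does not go through getValue is not covered, and every preference lookup now pays for a preg_match on a value that was never validated when stored. Reject the value where the POST data is accepted (setValue or the driver's store path) so a bad theme never reaches the database, and keep the read-side check only as defence in depth. Also, `$sanitize = '/^[a-z0-9._-]+$/i';` still accepts `.` and `..` as a theme name, and `return "mozilla";` hard-codes a fallback that may not be installed; comparing the value against the directories actually present under the themes root would address both. Finally, `_fixhole` is only meaningful for `theme`, so the `elseif ($pref == 'theme')` / `else` ladder can be collapsed into a single `if ($pref != 'theme' || preg_match(...)) return $value;` followed by the fallback.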
>>
>>
>> -- Begin Signature --
>> HostGator.com is looking for qualified systems administrators.
>> Please send an e-mail to jobs at hostgator.com with your resume!
>>
>>
>> ----- End forwarded message -----
>>
>> --
>> #!/usr/bin/perl
>> if ((not 0 && not 1) !=  (! 0 && ! 1)) {
>>   print "Larry and Tom must smoke some really primo stuff...\n";
>> }
>>
>
> __
> board mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: board-unsubscribe at lists.horde.org
>



Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
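The forwarded report describes a stored preference value being used as a filesystem path component, and the accompanying patch filters it on read with a character-class regex. The script below is an added example, not code from Horde or from the HostGator patch: it contrasts the unchecked path construction with a check that requires the theme name to be a directory directly under the theme root. The theme root (`$themesDir`), the `default` fallback name and the `screen.css` file name are assumptions for the demo; it builds its own throwaway theme tree under the system temp directory so it runs offline.

```php
<?php
// Added example (not Horde's code): validating a user-supplied theme name
// before it is stored or used to build a filesystem path.

// Vulnerable pattern: the preference value becomes a path component as-is,
// so a stored "../../..." string walks out of the theme root.
function themePathUnchecked(string $themesDir, string $theme): string
{
    return $themesDir . '/' . $theme . '/screen.css';
}

// True only if $theme names a directory that sits directly under $themesDir.
// A character-class regex alone is not enough: '/^[a-z0-9._-]+$/i' still
// matches '.' and '..', so the resolved-path check is the real gate.
function isInstalledTheme(string $themesDir, string $theme): bool
{
    // One path component, starting with a letter or digit (rejects '.', '..', '/').
    if (!preg_match('/^[a-z0-9][a-z0-9._-]*$/i', $theme)) {
        return false;
    }
    $root = realpath($themesDir);
    $candidate = realpath($themesDir . '/' . $theme);
    if ($root === false || $candidate === false || !is_dir($candidate)) {
        return false;
    }
    // The parent of the resolved candidate must be the theme root itself.
    return dirname($candidate) === $root;
}

// Hardened pattern: run the same check where the value is accepted (before it
// is stored) and again before use; otherwise fall back to a known theme.
function themePathChecked(string $themesDir, string $theme, string $fallback = 'default'): string
{
    $name = isInstalledTheme($themesDir, $theme) ? $theme : $fallback;
    return $themesDir . '/' . $name . '/screen.css';
}

// Constructed theme tree for the demo (assumed layout, created under tmp).
$base = sys_get_temp_dir() . '/theme_demo_' . getmypid();
$themesDir = $base . '/themes';
foreach (['default', 'mozilla'] as $t) {
    mkdir($themesDir . '/' . $t, 0700, true);
}
mkdir($base . '/outside', 0700, true);

// Constructed inputs: a real theme, two traversal attempts, and '..' which
// the regex in the forwarded patch would have let through.
$inputs = [
    'mozilla',
    '..',
    '../outside',
    '../../../../../../tmp/.horde/imp/attachments/user/t.txt',
];
foreach ($inputs as $in) {
    printf("%-58s valid=%-5s unchecked=%s checked=%s\n",
        $in,
        isInstalledTheme($themesDir, $in) ? 'true' : 'false',
        str_replace($base, '<base>', themePathUnchecked($themesDir, $in)),
        str_replace($base, '<base>', themePathChecked($themesDir, $in)));
}

// Remove the constructed tree again.
foreach (['/themes/default', '/themes/mozilla', '/themes', '/outside'] as $d) {
    rmdir($base . $d);
}
rmdir($base);
```

Only `mozilla` validates; `..` and both traversal strings fall back to `default` in the checked path, while the unchecked path shows the raw string leaving the theme root. For rows an attacker has already written, the same idea applied to the database (pref_name equal to `theme` and pref_value containing a slash) lists the horde_prefs entries whose stored theme needs resetting.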
