Date: Tue, 25 May 2010 14:26:18 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: security-2010@...irrelmail.org, security@...de.org, coley@...re.org
Subject: Re: CVE Request for Horde and Squirrelmail

----- "Max Olsterd" <max.olsterd@...il.com> wrote:
> Hi,
>
> Is there a CVE number available for the two 0-days exposed during Hack In
> The Box Dubai 2010 ?
>
> Though the exploits were not given during HITB (?), some friends have
> recently shown me that they found how both products (Squirrelmail and
> Horde) might be abused to be transformed, so that they become some kind
> of nmap scanner (banner grab, port scan, etc). It helps at discovering a
> remote DMZ, internal LAN, etc, by using those webmails as evil internal
> nmap proxies.
>
> More info available on the slides of the corporate hackers who found the
> 0-days :
> http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf
> -> Squirrelmail: page 69 (post auth vuln)
> -> Horde: page 74 (pre auth vuln)
>

Here goes, there isn't a lot of data on these.

For Squirrelmail:

Here are some important notes from the slide:

* Default plugin <mail_fetch>, emulates POP3 fetcher with fsockopen() PHP
  functions, Post Authentication only - No verification on IP / PORTS
* You can transform SquirrelMail as a kind of Nmap scanner

This has been assigned TEHTRI-SA-2010-009 by the discoverer.

The danger is that this attack could be used to bypass a firewall.

Let's use CVE-2010-1637 for Squirrelmail.

For Horde:

* You can transform a default Horde installation to a kind of advanced
  network TCP scanner with banner grabbing, etc

Pre-auth

TEHTRI-SA-2010-010

Let's use CVE-2010-1638 for Horde

If anyone has more links or information for these, please pass them along.

Thanks.

-- 
    JB
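The issue described in the message above (a webmail "fetch my other mailbox" feature that hands a user-supplied host and port straight to fsockopen() with no check on either) is a server-side request forgery that doubles as a port scanner: the webmail host connects wherever it can reach, and the success/refused/timed-out outcome, or the banner, comes back to the user. What follows is an added example, not code from SquirrelMail, Horde or the TEHTRI advisories, of the destination check such a fetcher needs. It is written in Python rather than the projects' PHP so the logic runs stand-alone; the allowed-port set, the function names and the DNS answers in demo_resolver are assumptions constructed for the example.

```python
"""Destination validation for a server-side POP3 fetcher (added example).

Not SquirrelMail or Horde code. It models the check that is missing when a
user-supplied host/port is passed straight to a socket connect: every
address the name resolves to must be publicly routable, the port must be
one a POP3 client has any business using, and the caller must connect to
the address that was validated rather than re-resolving the name.
"""
import ipaddress
import socket
from typing import Callable, List

# Assumption: the fetcher only ever speaks plain POP3 or POP3-over-TLS.
ALLOWED_PORTS = {110, 995}

# A resolver maps a host name (or IP literal) to its list of addresses.
Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Real DNS: every A/AAAA record for host (used outside the demo/tests)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (169.254/16 and fe80::/10, which
    covers cloud metadata endpoints), carrier-grade NAT, documentation and
    benchmarking ranges, multicast, unspecified and reserved space, and
    IPv4-mapped IPv6 addresses that wrap any of those.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    if ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return False
    # 100.64.0.0/10 (CGNAT) is not flagged by is_private on older Pythons.
    if ip.version == 4 and ip in ipaddress.ip_network("100.64.0.0/10"):
        return False
    return True


def validate_pop3_target(host: str, port: int,
                         resolve: Resolver = default_resolver) -> str:
    """Return the one IP address the fetcher may connect to, or raise ValueError.

    All resolved addresses must pass is_public: a name that mixes public and
    internal records is rejected outright, and the caller connects to the
    returned IP (passing the name only for TLS SNI/verification), so a later
    re-resolution cannot swap an internal address in.
    """
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed for POP3 fetch")
    try:
        addrs = resolve(host)
    except (socket.gaierror, UnicodeError, KeyError) as exc:
        raise ValueError("could not resolve host") from exc
    if not addrs:
        raise ValueError("host has no addresses")
    try:
        if not all(is_public(a) for a in addrs):
            raise ValueError("host resolves to a non-public address")
    except ValueError:
        raise
    return addrs[0]


# Constructed DNS answers for the stand-alone demo; not real records.
FAKE_DNS = {
    "pop.example.net": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def demo_resolver(host: str) -> List[str]:
    """Resolver backed by FAKE_DNS; IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS[host]


def check(host: str, port: int) -> str:
    """Human-readable verdict for one candidate target (demo helper)."""
    try:
        return "allow " + validate_pop3_target(host, port, demo_resolver)
    except ValueError as exc:
        return "deny: " + str(exc)


if __name__ == "__main__":
    for target in [("pop.example.net", 995), ("pop.example.net", 22),
                   ("10.0.0.5", 110), ("127.0.0.1", 110),
                   ("169.254.169.254", 110), ("::ffff:192.168.1.1", 110),
                   ("rebind.example.net", 110)]:
        print(target, "->", check(*target))
```

Two design points matter here. The check runs on the resolved addresses, not on the string the user typed, so octal/hex/decimal IP spellings and names that point inward are all caught the same way. And the error handed back to the user should be one generic "could not fetch mail" message: echoing refused-versus-timed-out, or the remote banner, is exactly what turns a fetcher into the scanner the slides describe, even when the destination check is present.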