Date: Wed, 26 Apr 2017 04:30:16 -0300
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: Re: SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692)

Stuart,

Your suggested mitigation is good and was in fact already mentioned in
my advisory, see
'VIII. SOLUTION' section of:
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html


As for the utility, I just wrote my own C tool that loops through
argv[] and saves it into a file.
If you need something more advanced / already available you can try
auditd rules.


Regards,
Dawid Golunski
https://legalhackers.com  |  https://ExploitBox.io
t: @dawid_golunski



On Tue, Apr 25, 2017 at 5:56 PM, Stuart Gathman <stuart@...hman.org> wrote:
> On 04/24/2017 05:14 PM, Dawid Golunski wrote:
>> SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692)
>>
>> Desc.:
>> SquirrelMail is affected by a critical Remote Code Execution vulnerability
>> which stems from insufficient escaping of user-supplied data when
>> SquirrelMail has been configured with Sendmail as the main transport.
>> An authenticated attacker may be able to exploit the vulnerability
>> to execute arbitrary commands on the target and compromise the remote
>> system.
> We deploy squirrelmail NOT using sendmail for sending mail ($useSendmail
> = false).  There is no reason not to use SMTP instead of running
> sendmail directly.  It doesn't seem to be vulnerable that way - and I
> suggest that as a mitigation.  Just to be sure, after reading this
> advisory I added  $sendmail_path  = '/usr/sbin/false'; (We always avoid
> direct command execution with PHP because PHP is prone to quoting bugs.)
>
> OT: is there already a utility that *safely* logs arguments and stdin
> (as was apparently used to explain the exploit)?  I could write a C
> prog, or a carefully quoted bash script - but would rather use an
> already proven utility.
>
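An added example (not code from either poster or from SquirrelMail) of the kind of argv/stdin logging stub discussed above: a small C program that, when pointed to by $sendmail_path on a test install, appends every argument and the message body it receives to a log file without executing anything. The log path and the assumption that the web server user can write to it are mine.

```c
/* Added example: a sendmail stand-in that only records how it was invoked.
 * Point $sendmail_path at the compiled binary on a test install (assumption:
 * /var/log/sendmail-stub.log is writable by the web server user) to see which
 * argv[] entries and stdin actually reach the transport. Control characters
 * are hex-escaped so each argument stays on a single log line. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Escape one argument so it fits on one line; returns bytes written (no NUL). */
size_t escape_arg(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '\\' || !isprint(c)) {
            if (n + 4 >= outsz) break;               /* keep room for \xNN */
            n += (size_t)snprintf(out + n, outsz - n, "\\x%02x", c);
        } else {
            if (n + 1 >= outsz) break;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return n;
}

/* Append argv[] and the body read from `in` to logpath. Returns the number
 * of argv entries logged, or -1 if the log file could not be opened. */
int log_invocation(const char *logpath, int argc, char **argv, FILE *in) {
    FILE *log = fopen(logpath, "a");                 /* append-only */
    char buf[4096];
    if (!log) return -1;
    fprintf(log, "--- invocation with %d args ---\n", argc);
    for (int i = 0; i < argc; i++) {
        escape_arg(argv[i], buf, sizeof buf);
        fprintf(log, "argv[%d]=%s\n", i, buf);
    }
    if (in) {                                        /* copy the message body verbatim */
        size_t got;
        fputs("--- stdin ---\n", log);
        while ((got = fread(buf, 1, sizeof buf, in)) > 0)
            fwrite(buf, 1, got, log);
    }
    fputs("--- end ---\n", log);
    fclose(log);
    return argc;
}

int main(int argc, char **argv) {
    return log_invocation("/var/log/sendmail-stub.log", argc, argv, stdin) < 0 ? 1 : 0;
}
```

Because the stub never calls exec() or a shell, extra arguments or shell metacharacters in the log are evidence of what the caller passed, not of anything the stub did with them.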
