Date: Sat, 22 May 2010 17:59:41 +0200
From: Max Olsterd <max.olsterd@...il.com>
To: Thijs Kinkhorst <thijs@...ian.org>
Cc: oss-security@...ts.openwall.com, security-2010@...irrelmail.org
Subject: Re: CVE Request for Horde and Squirrelmail

Hello,

On Fri, May 21, 2010 at 10:44 AM, Thijs Kinkhorst <thijs@...ian.org> wrote:

> Hi Max,
>
> On Thu, May 20, 2010 15:04, Max Olsterd wrote:
> > Hi,
> >
> > Is there a CVE number available for the two 0-days exposed during Hack In
> > The Box Dubai 2010?
>
> > More info available on the slides of the corporate hackers who found the
> > 0-days:
> >
> http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf
> > -> Squirrelmail: page 69 (post auth vuln)
>
> I don't think there's a CVE number available for the SquirrelMail "issue",
> but I also highly doubt that it's actually a vulnerability.
>
> What they basically assert is, that as an authenticated user using the
> POP3 fetch mail plugin, you could repeatedly change the POP3 server
> settings and as such could 'portscan' a remote target.
>
> This seems just as much a vulnerability as that you could use telnet, or
> fetchmail, or Thunderbird, to be a 'portscanner', as these all have the
> option to change a remote server address at will. Or that having a shell
> account at a system is a security vulnerability as you would be able to
> write a bash script to repeatedly netcat to remote hosts. I don't buy
> this.
>
> Note that you need to be an authenticated user to do this.
>
>

On the one hand, you're totally right, it looks like something stupid. And
this was exactly what I thought too, at least for the first seconds... What
the hell with something like just scanning a target, as I can scan it
myself??!!

But someone gave me an explanation, with a live hacking demo, and it was
awesome: this guy has been able to scan the LAN of an international ISP
whereas there was a firewall blocking incoming packets to the LAN (DMZ +
internal LAN)!!!

How?

He had an account on the SquirrelMail (ISP) and he was able to create
an exploit for the advisory we are talking about here. Thanks to that, he
asked SquirrelMail to scan some ranges of IP addresses that were private
(10.x.x.x) and unreachable from the outside of this ISP (NAT). Then he found
multiple interesting hosts with unpatched services, which gave him an idea
of how secure it was for real when you are inside. He also used the DNS
scanning attack that was described in the slides of HITB, by bruteforcing
names, and he found other IP addresses (but a firewall blocked the scan so
deep on the LAN).

So, to me, it is a real vulnerability, because those webmails might be used
to scan private networks, which was something I had not understood when I
got an email from my boss asking me to look at this potential issue... And
of course, I thought that it was something that could not happen on a real
ISP. I was wrong: there is a real risk, even if we can keep on claiming
there is no problem, so that it looks cool and secure.

Cheers and thanks for your comment men,

M@X
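The issue discussed in this thread is that a webmail host will open a POP3 connection to whatever server address an authenticated user types into the fetch-mail plugin, so the webmail ends up probing addresses behind the firewall on the user's behalf. Below is an added example (not SquirrelMail's code, and not from the thread) of the kind of destination check a fetch-mail plugin can apply before connecting: only POP3 ports are accepted, and any literal address or DNS answer that falls in a private, loopback or link-local range is rejected. The denylist and the injectable `resolver` parameter are assumptions made for this example.

```python
import ipaddress
import socket

# Constructed denylist: ranges a webmail host should never be asked to
# fetch mail from on a user's behalf (RFC 1918, loopback, link-local,
# "this host", and the IPv6 equivalents).
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

ALLOWED_PORTS = {110, 995}  # POP3 and POP3 over TLS only


def is_blocked_address(addr: str) -> bool:
    """True if addr (IPv4/IPv6 literal) lies in any blocked range."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_pop3_server(host: str, port: int,
                         resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (ok, reason) for a user-supplied POP3 server.

    Rejects non-POP3 ports and any host that is, or resolves to, an
    internal address. `resolver` (assumption for this example) lets the
    check run offline with constructed DNS answers.
    """
    if port not in ALLOWED_PORTS:
        return False, f"port {port} is not a POP3 port"
    try:
        # Literal IP address: check it directly, no DNS lookup needed.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            return False, f"cannot resolve {host}: {exc}"
        addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        return False, f"{host} resolved to no addresses"
    # Every resolved address must be external; one internal answer fails.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} -> {addr} is an internal address"
    return True, "ok"
```

The connection that follows must use the addresses this check returned rather than resolving the hostname a second time, otherwise a DNS answer that changes between check and connect bypasses it.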
