SquirrelMail Change_Passwd Plug-in Buffer Overrun Vulnerability
BID:10166
Info
SquirrelMail Change_Passwd Plug-in Buffer Overrun Vulnerability
| Bugtraq ID: | 10166 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2004-0524 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 17 2004 12:00AM |
| Updated: | Jul 12 2009 04:06AM |
| Credit: | Discovery is credited to Matias Neiff <[email protected]>. |
| Vulnerable: |
SquirrelMail change_passwd 3.1 -1.2.8 |
| Not Vulnerable: | |
Discussion
SquirrelMail Change_Passwd Plug-in Buffer Overrun Vulnerability
The SquirrelMail change_passwd plug-in is prone to a stack-based buffer overrun vulnerability. The issue exists in the backend chpasswd binary.
This vulnerability could potentially be exploited by a local user to execute arbitrary code as root.
It should be noted that the local user may need to have additional privileges to exploit this issue, such as being a member of a special group on the system, such as webmasters or www or to have access to a special user, depending on how the software is configured.
This issue may also be remotely exploitable via the CGI interface of the software.
The SquirrelMail change_passwd plug-in is prone to a stack-based buffer overrun vulnerability. The issue exists in the backend chpasswd binary.
This vulnerability could potentially be exploited by a local user to execute arbitrary code as root.
It should be noted that the local user may need to have additional privileges to exploit this issue, such as being a member of a special group on the system, such as webmasters or www or to have access to a special user, depending on how the software is configured.
This issue may also be remotely exploitable via the CGI interface of the software.
Exploit / POC
SquirrelMail Change_Passwd Plug-in Buffer Overrun Vulnerability
The following exploits have been released, an exploit consisting of two source files SPK-chpasswd.c and setegg.c has been supplied by SpikE VrM, a PERL based exploit moron.pl has been supplied by [email protected]:
The following exploits have been released, an exploit consisting of two source files SPK-chpasswd.c and setegg.c has been supplied by SpikE VrM, a PERL based exploit moron.pl has been supplied by [email protected]:
Solution / Fix
SquirrelMail Change_Passwd Plug-in Buffer Overrun Vulnerability
Solution:
The vendor has released an upgrade to address this issue:
SquirrelMail change_passwd 3.1 -1.2.8
Solution:
The vendor has released an upgrade to address this issue:
SquirrelMail change_passwd 3.1 -1.2.8
-
SquirrelMail change_passwd-4.0-1.2.8.tar.gz
http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squir relmail.org%2Fplugins%2Fchange_passwd-4.0-1.2.8.tar.gz
References
SquirrelMail Change_Passwd Plug-in Buffer Overrun Vulnerability
References:
References:
- change_passwd Plug-in Homepage (SquirrelMail)
- Re: Squirrelmail Chpasswod bof (p dont think
) - Re: Squirrelmail Chpasswod bof (Peter Geissler
) - Re: Squirrelmail Chpasswod bof (
) - Squirrelmail Chpasswod bof (Matias Neiff
)