CVE-2017-7692
SquirrelMail < 1.4.22 - Remote Code Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn't escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it's possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the "Options > Personal Informations > Email Address" setting.
SquirrelMail versión 1.4.22 (y otras versiones anteriores a 20170427_0200-SVN), permite la ejecución de código remota de autenticación posterior por medio de un archivo sendmail.cf que es manejado inapropiadamente en una llamada emergente. Es posible explotar esta vulnerabilidad para ejecutar comandos de shell arbitrarios en el servidor remoto. El problema está en el archivo Deliver_SendMail.class.php con la función initStream que usa escapeshellcmd() para sanear el comando sendmail antes de ejecutarlo. El uso de escapeshellcmd() no es correcto en este caso, ya que no escapa de espacios en blanco, lo que permite la inyección de parámetros de comando arbitrario. El problema está en -f$envelopefrom dentro de la línea de comando de sendmail. Por lo tanto, si el servidor de destino usa sendmail y SquirrelMail está configurado para usarlo como un programa de línea de comandos, es posible engañar a sendmail para que use un archivo de configuración proporcionado por un atacante que activa la ejecución de un comando arbitrario. Para su explotación, el atacante debe cargar un archivo sendmail.cf como un archivo adjunto de correo electrónico e inyectar el nombre de archivo sendmail.cf con la opción -C dentro de la configuración "Options ) Personal Information ) Email Address".
SquirrelMail versions 1.4.22 and below suffer from a remote code execution vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-04-11 CVE Reserved
- 2017-04-19 CVE Published
- 2024-06-12 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
http://openwall.com/lists/oss-security/2017/04/19/6 | Mailing List | |
http://openwall.com/lists/oss-security/2017/04/27/1 | X_refsource_misc | |
http://www.securityfocus.com/bid/98067 | Vdb Entry | |
http://www.securitytracker.com/id/1038312 | Vdb Entry |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/41910 | 2024-08-05 | |
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html | 2024-08-05 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://www.debian.org/security/2017/dsa-3852 | 2017-11-04 | |
https://security.gentoo.org/glsa/201709-13 | 2017-11-04 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Squirrelmail Search vendor "Squirrelmail" | Squirrelmail Search vendor "Squirrelmail" for product "Squirrelmail" | 1.4.22 Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.22" | - |
Affected
|