Developers behind the PHP-based webmail package SquirrelMail on Thursday patched a remote code execution vulnerability that could let attackers execute arbitrary commands on the target and compromise the system. Dawid Golunski, a researcher with Legal Hackers, discovered the vulnerability and reported it to the project’s maintainers in January.

The researcher has previously uncovered similar remote code execution issues in the email libraries PHPMailer and SwiftMailer. Developers behind the webmail package had been informed of the vulnerability, but it wasn’t clear if it was going to get fixed until a patch arrived yesterday.

Golunski told Threatpost on Thursday that squirrelmail-20170427_0200-SVN.stable includes a patch for the vulnerability.

In a description of the bug on the package’s site, SquirrelMail confirmed that some builds were vulnerable to a “command-line argument injection exploit that could allow arbitrary code execution if $edit_identity and $useSendmail are enabled and user has knowledge of the location and permissions on the SquirrelMail attachment directory.”

The researcher, who disclosed the vulnerability in a write-up on his site last Friday, said it stemmed from insufficient escaping of user-supplied data when the package is configured with Sendmail as its main transport. Sendmail, perhaps the most popular mail transfer agent, often comes configured as default on email environments.

The researcher said that when it uses Sendmail, SquirrelMail failed to take into account a character that can be used by attackers to inject additional parameters.

In a proof of concept built by Golunski, he shows how an attacker could inject specific parameters to a malicious Sendmail config file, which can then be uploaded as an attachment to carry out arbitrary command execution. Golunski documented the vulnerability in a video published earlier this week.

The proof of concept contains payloads for two vectors, file write and remote code execution. It requires user credentials and that SquirrelMail uses Sendmail.
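The class of bug described above, user-supplied data reaching the Sendmail command line without sufficient escaping, is usually closed by validating the value and by not building a command string at all. The sketch below is an added example, not SquirrelMail's code or its patch. The function names are hypothetical, and it assumes PHP 7.4 or later and that the user-editable identity address is what gets passed to Sendmail as the envelope sender.

```php
<?php
// Added example (hypothetical names); not taken from SquirrelMail.

/**
 * Return the address if it is safe to hand to the MTA as the envelope
 * sender, or null if it could be split into, or read as, extra arguments.
 */
function safe_envelope_from(string $addr): ?string
{
    // Any whitespace or control character (space, tab, CR, LF, NUL ...)
    // can terminate the argument once a command line is assembled.
    if ($addr === '' || preg_match('/[\s\x00-\x1f\x7f]/', $addr)) {
        return null;
    }
    // A leading dash would be parsed as an option rather than a value.
    if ($addr[0] === '-') {
        return null;
    }
    // Finally require a syntactically valid mailbox.
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false ? $addr : null;
}

/**
 * Build an argument vector instead of a command string. Passing this
 * array to proc_open() (PHP 7.4+) runs the binary directly, so no shell
 * re-parses the value.
 */
function sendmail_argv(string $sendmailPath, string $from): array
{
    $from = safe_envelope_from($from);
    if ($from === null) {
        throw new InvalidArgumentException('rejected envelope sender');
    }
    return [$sendmailPath, '-i', '-t', '-f', $from];
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    'alice@example.org',
    "alice@example.org\t--extra",   // whitespace followed by an option-like token
    'alice@example.org --extra',
    '-alice@example.org',
];
foreach ($samples as $s) {
    $verdict = safe_envelope_from($s) === null ? 'REJECT' : 'ok';
    printf("%-34s %s\n", json_encode($s), $verdict);
}
```

Only the first sample is accepted; the other three are rejected before any command line is built.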