
Title: Remote command execution vulnerabilities in MailMan Webmail
Released by: Secure Reality
Date: 6th December 2000
=================================================

Secure Reality Pty Ltd. Security Advisory #5 (SRADV00005)

http://www.securereality.com.au

=================================================



[Title]

Remote command execution vulnerabilities in MailMan Webmail



[Released]

6/11/2000



[Vulnerable]

All 3.x versions of MailMan Webmail below 3.0.26



[Overview]

MailMan is a product by Endymion Corporation that provides a web-based interface to email via POP3 and SMTP. MailMan is very popular due to its amazingly easy setup and operation.



MailMan is written as a Perl CGI script; the version shipped to customers is obfuscated in an attempt to prevent piracy. The code contains several insecure two-argument calls to open() whose single string argument includes user-specified data. These calls can be used to execute commands on the remote server with the privileges of the user that runs CGI scripts, usually the web server user, which in most cases is 'nobody'.



[Impact]

Remote command execution (with privileges as above)



[Detail]

MailMan uses template files to define the appearance of the output so that customers can brand the software to their particular service (e.g. ISP, educational institution).



In previous versions of MailMan the location of the template files was static. The 3.x versions added the ability to have multiple different sets of template files. The location of the template files is taken from a form variable called 'ALTERNATE_TEMPLATES'. When opening the alternate templates MailMan passes this value to the infamous two-argument Perl open() without an explicit '<' read mode, so open() decides from the content of the string itself whether it is opening a file or a pipe. The call looks like the following:



open("$ALTERNATE_TEMPLATES_.html");



Where  is a defined template name. Since we control the beginning of the $ALTERNATE_TEMPLATES variable, a leading '|' turns the call into a pipe open and the rest of the string is executed as a shell command on the remote server. The trailing %00 ends the command string before the template suffix that MailMan appends, and because the child process inherits the CGI script's standard output, the command's output goes straight back to the browser (which is why the payload prints its own Content-Type header first). The following request will execute "id" on a vulnerable remote web server and return the output to the browser:



/mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20"Content-Type:%20text%2Fhtml"%3Becho%20""%20%3B%20id%00
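A check a defender can run over web-server access logs for requests of the shape above, added here as an example and not part of the advisory. The log lines are constructed (not real traffic) and the helper names `url_decode` and `suspicious_mailman_request` are my own; the rule looks only at the ALTERNATE_TEMPLATES value of requests to mmstdod.cgi and decodes it first so that '|' and '%7C' are judged alike.

```perl
#!/usr/bin/perl
# Added example, not from the advisory: flag access-log entries that carry a
# pipe, NUL, redirection or traversal in MailMan's ALTERNATE_TEMPLATES value.
use strict;
use warnings;

# Decode '+' and %XX once, so encoded and literal forms are judged alike.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Returns a reason when the request targets mmstdod.cgi with a hostile
# ALTERNATE_TEMPLATES value, or undef when it looks benign.
sub suspicious_mailman_request {
    my ($line) = @_;
    return undef unless $line =~ m{/mmstdod\.cgi\?([^\s"]*)};
    my $query = $1;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $v && $k eq 'ALTERNATE_TEMPLATES';
        my $val = url_decode($v);
        return 'pipe in ALTERNATE_TEMPLATES'        if $val =~ /\|/;
        return 'NUL in ALTERNATE_TEMPLATES'         if $val =~ /\0/;
        return 'redirection in ALTERNATE_TEMPLATES' if $val =~ /[<>]/;
        return 'traversal in ALTERNATE_TEMPLATES'   if $val =~ m{\.\./};
    }
    return undef;
}

# Constructed sample lines in Apache common log format (not real traffic);
# the second is the advisory's request with its double quotes URL-encoded.
my @log = (
    '10.0.0.5 - - [06/Nov/2000:10:12:01 +1100] "GET /mmstdod.cgi?ALTERNATE_TEMPLATES=isp1 HTTP/1.0" 200 2310',
    '10.0.0.9 - - [06/Nov/2000:10:12:07 +1100] "GET /mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20%22Content-Type:%20text%2Fhtml%22%3Becho%20%22%22%20%3B%20id%00 HTTP/1.0" 200 57',
    '10.0.0.9 - - [06/Nov/2000:10:12:09 +1100] "GET /mmstdod.cgi?ALTERNATE_TEMPLATES=%7Cid%7C HTTP/1.0" 500 0',
    '10.0.0.2 - - [06/Nov/2000:10:13:00 +1100] "GET /index.html HTTP/1.0" 200 1024',
);

for my $line (@log) {
    my $why = suspicious_mailman_request($line);
    printf "%-5s %s\n", ($why ? 'ALERT' : 'ok'), ($why || $line);
}
```

Run it against a real log with `perl detect.pl < access_log` after replacing the embedded array with a read loop over STDIN; the first and last constructed lines come back as ok, the two middle ones as ALERT (pipe).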



Please note that if $mailman::strLocalTemplateLocation is defined in the configuration section at the top of the script (it is commented out by default and is rarely enabled) this attack will fail, since we will then not be able to affect the beginning of the open string.
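The open() pattern described above and the strLocalTemplateLocation caveat, worked through in Perl as an added example. This is not MailMan's code (which is obfuscated and not reproduced here): `cgi_param`, `classify_two_arg_open`, `open_template_vulnerable` and `open_template_hardened` are my own illustrative routines, and the template name 'login', the parameter value used for the harmless demonstration, and the directory names are assumptions. The classifier mimics how a two-argument open() sniffs its mode from the string it is given; the hardened routine shows the fix a maintainer would apply, which is stricter than the prefix the advisory mentions.

```perl
#!/usr/bin/perl
# Added example, not MailMan's code: why a two-argument open() on the
# ALTERNATE_TEMPLATES form value is command execution, and a hardened form.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

$| = 1;   # keep our output ordered with that of any child process

# Minimal decoder for one CGI parameter (assumed helper; MailMan's own
# parsing is obfuscated and not reproduced here).
sub cgi_param {
    my ($query, $name) = @_;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $v && $k eq $name;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        return $v;
    }
    return undef;
}

# How the two-argument open() reads its single string: the mode is sniffed
# from the string, so attacker data chooses between "read a file" and "run a
# shell command". The NUL (%00) in the advisory's request ended the C string
# handed to the shell, dropping the "_<template>.html" suffix MailMan appends.
# Simplified from perlfunc; the '+<' and '>&' forms are ignored here.
sub classify_two_arg_open {
    my ($spec) = @_;
    $spec =~ s/\0.*//s;                         # C-string truncation at NUL
    $spec =~ s/^\s+|\s+$//g;
    return ('pipe to command',   $1) if $spec =~ /^\|\s*(.*)$/;
    return ('pipe from command', $1) if $spec =~ /^(.*?)\s*\|$/;
    return ('append', $1) if $spec =~ /^>>\s*(.*)$/;
    return ('write',  $1) if $spec =~ /^>\s*(.*)$/;
    return ('read',   $1) if $spec =~ /^<\s*(.*)$/;
    return ('read',   $spec);
}

# Vulnerable shape: the mode comes from the data.
sub open_template_vulnerable {
    my ($alt, $template) = @_;
    open(my $fh, "${alt}_${template}.html") or return "open failed: $!";
    close $fh;                                  # for a pipe, waits for the child
    return "open succeeded";
}

# Hardened shape: explicit '<' mode via three-argument open(), an allow-list
# on the set name, and the path anchored under a fixed directory. An
# allow-list rather than a prefix: a prefix only controls how the string
# starts, and a two-argument open() also inspects how it ends.
sub open_template_hardened {
    my ($alt, $template, $base) = @_;
    return "rejected: bad template set name"
        unless defined $alt && $alt =~ /\A[A-Za-z0-9][A-Za-z0-9_-]{0,31}\z/;
    my $path = File::Spec->catfile($base, "${alt}_${template}.html");
    open(my $fh, '<', $path) or return "open failed: $!";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

my $template = 'login';                         # assumed template name

# 1. The advisory's request, decoded and classified. The NUL never reaches a
#    real open() here, so this does not depend on how the running Perl treats
#    embedded NULs.
my $advisory = 'ALTERNATE_TEMPLATES=|%20echo%20"Content-Type:%20text%2Fhtml"%3B'
             . 'echo%20""%20%3B%20id%00';
my ($mode, $target) = classify_two_arg_open(
    cgi_param($advisory, 'ALTERNATE_TEMPLATES') . "_${template}.html");
print "advisory payload -> mode: $mode; shell runs: $target\n";

# 2. A harmless pipe payload pushed through the vulnerable open(): the string
#    becomes "|echo _login.html", so echo runs and writes to the script's own
#    stdout, the same channel a CGI's output reaches the browser on.
my $harmless = cgi_param('ALTERNATE_TEMPLATES=%7Cecho%20', 'ALTERNATE_TEMPLATES');
print "vulnerable: ", open_template_vulnerable($harmless, $template), "\n";
print "hardened:   ", open_template_hardened($harmless, $template, '/tmp'), "\n";

# 3. A legitimate template set in a scratch directory still works when hardened.
my $dir = tempdir(CLEANUP => 1);
open(my $t, '>', File::Spec->catfile($dir, "isp1_${template}.html")) or die $!;
print $t "<html>isp1 login</html>\n";
close $t;
print "hardened:   ", open_template_hardened('isp1', $template, $dir);
```

The first line of output shows the advisory's value classified as a pipe-to-command open with everything after the NUL gone; the second section shows `_login.html` printed by echo before "vulnerable: open succeeded" and the same value rejected by the hardened routine; the third shows the hardened routine reading a genuine template.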



[Fix]

Please upgrade to the latest version of MailMan (3.0.26) at http://www.endymion.com/products/mailman/download.htm (Please note all references on the web page indicate the latest version is 3.0.25 as they have not yet been updated; the version downloadable from the download page _is_ 3.0.26, as can be verified in the comments at the top of the script.)



[Acknowledgements]

Our thanks to Ryan Porter of Endymion Corporation for his extremely cooperative response to this problem.



[Disclaimer]

Advice, directions and instructions on security vulnerabilities in this advisory do not constitute: an endorsement of illegal behavior; a guarantee that protection measures will work; an endorsement of any product or solution or recommendations on behalf of Secure Reality Pty Ltd. Content is provided as is and Secure Reality Pty Ltd does not accept responsibility for any damage or injury caused as a result of its use.








(C) 1999-2000 All rights reserved.