CVE-2017-7692

{"id": "CVE-2017-7692", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-04-20T14:59:00.177", "references": [{"url": "http://openwall.com/lists/oss-security/2017/04/19/6", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://openwall.com/lists/oss-security/2017/04/27/1", "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2017/dsa-3852", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/98067", "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id/1038312", "source": "cve@mitre.org"}, {"url": "https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/201709-13", "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/41910/", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn't escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it's possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the \"Options > Personal Informations > Email Address\" setting."}, {"lang": "es", "value": "SquirrelMail versi\u00f3n 1.4.22 (y otras versiones anteriores a 20170427_0200-SVN), permite la ejecuci\u00f3n de c\u00f3digo remota de autenticaci\u00f3n posterior por medio de un archivo sendmail.cf que es manejado inapropiadamente en una llamada emergente. Es posible explotar esta vulnerabilidad para ejecutar comandos de shell arbitrarios en el servidor remoto. El problema est\u00e1 en el archivo Deliver_SendMail.class.php con la funci\u00f3n initStream que usa escapeshellcmd() para sanear el comando sendmail antes de ejecutarlo. El uso de escapeshellcmd() no es correcto en este caso, ya que no escapa de espacios en blanco, lo que permite la inyecci\u00f3n de par\u00e1metros de comando arbitrario. El problema est\u00e1 en -f$envelopefrom dentro de la l\u00ednea de comando de sendmail. Por lo tanto, si el servidor de destino usa sendmail y SquirrelMail est\u00e1 configurado para usarlo como un programa de l\u00ednea de comandos, es posible enga\u00f1ar a sendmail para que use un archivo de configuraci\u00f3n proporcionado por un atacante que activa la ejecuci\u00f3n de un comando arbitrario. Para su explotaci\u00f3n, el atacante debe cargar un archivo sendmail.cf como un archivo adjunto de correo electr\u00f3nico e inyectar el nombre de archivo sendmail.cf con la opci\u00f3n -C dentro de la configuraci\u00f3n \"Options ) Personal Information ) Email Address\"."}], "lastModified": "2017-11-04T01:29:52.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:squirrelmail:squirrelmail:1.4.22:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7C38706-0DAB-45C2-8D50-9EE10930A7D7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}