Squirrelmail 1.4.22 is affected by a Remote Code Execution flaw, no fix is available

The popular PHP webmail package SquirrelMail is affected by a remote code execution vulnerability tracked as CVE-2017-7692.

The popular PHP webmail package SquirrelMail is affected by a remote code execution vulnerability tracked as CVE-2017-7692, that could be exploited by hackers to execute arbitrary commands on the target and fully control it.

The recent version, 1.4.22, and prior versions of the package could be affected by the vulnerability.

The issue was discovered by the popular security researcher Dawid Golunski from Legal Hackers, in January the expert reported it to the maintainers of the project.

You remind Golunski as the expert who discovered other RCE flaws in the email libraries PHPMailer and SwiftMailer.

Despite the maintainers have been informed of the issue, it is still unclear if and when the problem will be solved.

The vulnerability stems from insufficient escaping of user-supplied data when the package is configured with Sendmail as its main transport.

“SquirrelMail is affected by a critical Remote Code Execution vulnerability which stems from insufficient escaping of user-supplied data when SquirrelMail has been configured with Sendmail as the main transport.” wrote Golunski in a security advisory.”An authenticated attacker may be able to exploit the vulnerability to execute arbitrary commands on the target and compromise the remote system.”

Sendmail is a popular mail transfer agent that comes configured as default on email environments.

SquirrelMail configured to use Sendmail fails to take into account a character that can be used by hackers to inject additional parameters.

“SquirrelMail allows authenticated users to control envelopefrom (Return-Path) address through the webmail web interface.” continues Golunski.

“As we can see it calls str_replace() to sanitize the user input to prevent injection of additional parameters to the sendmail command.
Unfortunately it does not take into account \t (TAB) character which can be used by attackers to inject additional parameters.”

The advisory includes the proof of concept code to inject specific parameters to a malicious Sendmail config file, which can then be uploaded as an attachment to trigger the RCE flaw.

The PoC code contains payloads for file write and remote code execution,

Golunski decided to publish release the PoC code after that Filippo Cavallarin, CEO at security firm Segment, disclosed the same vulnerability via the Full Disclosure mailing list archives.

Cavallarin also shared the following unofficial patch for the above issue:

BOF
diff -ruN squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php 
squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php
--- squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php  2011-01-06 02:44:03.000000000 +0000
+++ squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php  2017-04-18 
11:42:26.505181944 +0000
@@ -93,9 +93,9 @@
         $envelopefrom = trim($from->mailbox.'@'.$from->host);
         $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
         // save executed command for future reference
-        $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
+        $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . 
escapeshellarg($envelopefrom);
         // open process handle for writing
-        $stream = popen(escapeshellcmd($this->sendmail_command), "w");
+        $stream = popen($this->sendmail_command, "w");
         return $stream;
     }
EOF

Golunski suggests SquirrelMail users of switching to a non-Sendmail transport, like SMTP.

UPDATE April 27, 2017

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –RCE, hacking)

[adrotate banner=”13″]