CVE-2017-7692

Published: 20/04/2017 Updated: 04/11/2017
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 905
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

SquirrelMail 1.4.22 (and other versions prior to 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. The vulnerability can be exploited to execute arbitrary shell commands on the remote server. The problem is in the initStream function of Deliver_SendMail.class.php, which uses escapeshellcmd() to sanitize the sendmail command before executing it. escapeshellcmd() is the wrong function here because it does not escape whitespace, so additional command parameters can be injected. The injection point is -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, sendmail can be tricked into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment and inject the sendmail.cf filename with the -C option within the "Options > Personal Information > Email Address" setting.
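
The difference between escaping the whole command line and quoting the single user-controlled value, as an added example that is not SquirrelMail's code or its actual patch. The function names, the `-i -t` arguments, the sendmail path and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names and sample values are hypothetical,
// not taken from SquirrelMail's Deliver_SendMail.class.php.

// Weak pattern from the summary: the whole command line goes through
// escapeshellcmd(), which escapes shell metacharacters but not whitespace.
function build_weak(string $sendmailPath, string $envelopeFrom): string
{
    return escapeshellcmd("$sendmailPath -i -t -f$envelopeFrom");
}

// Allow-list check: no whitespace or control bytes, no leading '-',
// and the value must parse as a single e-mail address.
function is_safe_envelope(string $addr): bool
{
    if (preg_match('/[\s\x00-\x1f\x7f]/', $addr) || strncmp($addr, '-', 1) === 0) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Hardened pattern: validate first, then quote the value on its own with
// escapeshellarg() so the shell passes it to sendmail as one argument.
function build_hardened(string $sendmailPath, string $envelopeFrom): string
{
    if (!is_safe_envelope($envelopeFrom)) {
        throw new InvalidArgumentException('envelope sender rejected');
    }
    return escapeshellarg($sendmailPath) . ' -i -t -f' . escapeshellarg($envelopeFrom);
}

// Constructed sample inputs.
$path = '/usr/sbin/sendmail';
$samples = ['alice@example.org', 'alice@example.org -Cconstructed.cf'];

foreach ($samples as $from) {
    $weak = build_weak($path, $from);
    // Count whitespace-separated words the shell would hand to sendmail.
    $argc = count(preg_split('/\s+/', $weak));
    echo "input:    $from\n";
    echo "weak:     $weak  ($argc shell words)\n";
    try {
        echo 'hardened: ' . build_hardened($path, $from) . "\n\n";
    } catch (InvalidArgumentException $e) {
        echo 'hardened: ' . $e->getMessage() . "\n\n";
    }
}
```

The weak builder returns the second sample unchanged, so the shell splits it into an extra option for sendmail, while the hardened builder rejects it before any command string is built.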

Vulnerable Product

squirrelmail squirrelmail 1.4.22

Vendor Advisories

Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, a webmail application, incorrectly handled a user-supplied value. This would allow a logged-in user to run arbitrary commands on the server. For the stable distribution (jessie), this problem has been fixed in version 2:1.4.23~svn20120406-2+deb8u1. We recommend that you upgrade you ...
SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream funct ...

Exploits

SquirrelMail versions 1.4.22 and below suffer from a remote code execution vulnerability ...