cve-2017-7692
Vulnerability from cvelistv5
Published
2017-04-20 14:00
Modified
2024-08-05 16:12
Severity ?
Summary
SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn't escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it's possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the "Options > Personal Informations > Email Address" setting.
References
cve@mitre.orghttp://openwall.com/lists/oss-security/2017/04/19/6Mailing List, Third Party Advisory
cve@mitre.orghttp://openwall.com/lists/oss-security/2017/04/27/1
cve@mitre.orghttp://www.debian.org/security/2017/dsa-3852
cve@mitre.orghttp://www.securityfocus.com/bid/98067
cve@mitre.orghttp://www.securitytracker.com/id/1038312
cve@mitre.orghttps://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.htmlExploit, Third Party Advisory
cve@mitre.orghttps://security.gentoo.org/glsa/201709-13
cve@mitre.orghttps://www.exploit-db.com/exploits/41910/
af854a3a-2127-422b-91ae-364da2661108http://openwall.com/lists/oss-security/2017/04/19/6Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://openwall.com/lists/oss-security/2017/04/27/1
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2017/dsa-3852
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/98067
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id/1038312
af854a3a-2127-422b-91ae-364da2661108https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.htmlExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/201709-13
af854a3a-2127-422b-91ae-364da2661108https://www.exploit-db.com/exploits/41910/
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:12:27.894Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html"
          },
          {
            "name": "98067",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/98067"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2017/04/19/6"
          },
          {
            "name": "41910",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/41910/"
          },
          {
            "name": "GLSA-201709-13",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201709-13"
          },
          {
            "name": "DSA-3852",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2017/dsa-3852"
          },
          {
            "name": "1038312",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038312"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2017/04/27/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-04-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It\u0027s possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn\u0027t escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it\u0027s possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the \"Options \u003e Personal Informations \u003e Email Address\" setting."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-03T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html"
        },
        {
          "name": "98067",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/98067"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://openwall.com/lists/oss-security/2017/04/19/6"
        },
        {
          "name": "41910",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/41910/"
        },
        {
          "name": "GLSA-201709-13",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201709-13"
        },
        {
          "name": "DSA-3852",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2017/dsa-3852"
        },
        {
          "name": "1038312",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038312"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://openwall.com/lists/oss-security/2017/04/27/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-7692",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It\u0027s possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn\u0027t escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it\u0027s possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the \"Options \u003e Personal Informations \u003e Email Address\" setting."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html",
              "refsource": "MISC",
              "url": "https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html"
            },
            {
              "name": "98067",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/98067"
            },
            {
              "name": "http://openwall.com/lists/oss-security/2017/04/19/6",
              "refsource": "MISC",
              "url": "http://openwall.com/lists/oss-security/2017/04/19/6"
            },
            {
              "name": "41910",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/41910/"
            },
            {
              "name": "GLSA-201709-13",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201709-13"
            },
            {
              "name": "DSA-3852",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2017/dsa-3852"
            },
            {
              "name": "1038312",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038312"
            },
            {
              "name": "http://openwall.com/lists/oss-security/2017/04/27/1",
              "refsource": "MISC",
              "url": "http://openwall.com/lists/oss-security/2017/04/27/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-7692",
    "datePublished": "2017-04-20T14:00:00",
    "dateReserved": "2017-04-11T00:00:00",
    "dateUpdated": "2024-08-05T16:12:27.894Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-7692\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-04-20T14:59:00.177\",\"lastModified\":\"2024-11-21T03:32:28.533\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It\u0027s possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn\u0027t escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it\u0027s possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the \\\"Options \u003e Personal Informations \u003e Email Address\\\" setting.\"},{\"lang\":\"es\",\"value\":\"SquirrelMail versi\u00f3n 1.4.22 (y otras versiones anteriores a 20170427_0200-SVN), permite la ejecuci\u00f3n de c\u00f3digo remota de autenticaci\u00f3n posterior por medio de un archivo sendmail.cf que es manejado inapropiadamente en una llamada emergente. Es posible explotar esta vulnerabilidad para ejecutar comandos de shell arbitrarios en el servidor remoto. El problema est\u00e1 en el archivo Deliver_SendMail.class.php con la funci\u00f3n initStream que usa escapeshellcmd() para sanear el comando sendmail antes de ejecutarlo. El uso de escapeshellcmd() no es correcto en este caso, ya que no escapa de espacios en blanco, lo que permite la inyecci\u00f3n de par\u00e1metros de comando arbitrario. El problema est\u00e1 en -f$envelopefrom dentro de la l\u00ednea de comando de sendmail. Por lo tanto, si el servidor de destino usa sendmail y SquirrelMail est\u00e1 configurado para usarlo como un programa de l\u00ednea de comandos, es posible enga\u00f1ar a sendmail para que use un archivo de configuraci\u00f3n proporcionado por un atacante que activa la ejecuci\u00f3n de un comando arbitrario. Para su explotaci\u00f3n, el atacante debe cargar un archivo sendmail.cf como un archivo adjunto de correo electr\u00f3nico e inyectar el nombre de archivo sendmail.cf con la opci\u00f3n -C dentro de la configuraci\u00f3n \\\"Options ) Personal Information ) Email Address\\\".\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squirrelmail:squirrelmail:1.4.22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7C38706-0DAB-45C2-8D50-9EE10930A7D7\"}]}]}],\"references\":[{\"url\":\"http://openwall.com/lists/oss-security/2017/04/19/6\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://openwall.com/lists/oss-security/2017/04/27/1\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.debian.org/security/2017/dsa-3852\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/98067\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1038312\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201709-13\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.exploit-db.com/exploits/41910/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://openwall.com/lists/oss-security/2017/04/19/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://openwall.com/lists/oss-security/2017/04/27/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2017/dsa-3852\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/98067\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1038312\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201709-13\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.exploit-db.com/exploits/41910/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.