Vulnerabilities > CVE-2004-2284 - Remote Command Execution Variant vulnerability in Open WebMail Vacation.PL

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
open-webmail
critical
nessus

Summary

The read_list_from_file function in vacation.pl for OpenWebmail before 2.32 20040629 allows remote attackers to execute arbitrary commands via shell metacharacters in a filename argument.

Nessus

NASL familyCGI abuses
NASL idOPENWEBMAIL_VACATION_INPUT_VALIDATION.NASL
descriptionThe target is running at least one instance of Open WebMail in which the vacation.pl component fails to sufficiently validate user input. This failure enables remote attackers to execute arbitrary programs on a target using the privileges under which the web server operates. For further information, see : http://www.openwebmail.org/openwebmail/download/cert/advisories/SA-04:04.txt If safe_checks are disabled, Nessus attempts to create the file /tmp/nessus_openwebmail_vacation_input_validation on the target.
last seen2020-06-01
modified2020-06-02
plugin id12637
published2004-07-06
reporterThis script is Copyright (C) 2004-2018 George A. Theall
sourcehttps://www.tenable.com/plugins/nessus/12637
titleOpen WebMail vacation.pl Arbitrary Command Execution
code
#
# This script was written by George A. Theall, <[email protected]>.
#
# See the Nessus Scripts License for details.
#

# Changes by Tenable:
# - Changed family (8/6/09)


include("compat.inc");

if (description) {
  script_id(12637);
  script_version("1.17");

  script_cve_id("CVE-2004-2284");
  script_bugtraq_id(10637);

  script_name(english:"Open WebMail vacation.pl Arbitrary Command Execution");
 
 script_set_attribute(attribute:"synopsis", value:
"Arbitrary commands may be run on the remote host." );
 script_set_attribute(attribute:"description", value:
"The target is running at least one instance of Open WebMail in which
the vacation.pl component fails to sufficiently validate user input. 
This failure enables remote attackers to execute arbitrary programs on
a target using the privileges under which the web server operates. 
For further information, see :

  http://www.openwebmail.org/openwebmail/download/cert/advisories/SA-04:04.txt

If safe_checks are disabled, Nessus attempts to create the file
/tmp/nessus_openwebmail_vacation_input_validation on the target." );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Open WebMail version 2.32 20040629 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/06");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  script_summary(english:"Checks for Arbitrary Command Execution flaw in Open WebMail's vacation.pl");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2020 George A. Theall");
  script_family(english:"CGI abuses");
  script_dependencie("global_settings.nasl", "openwebmail_detect.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

host = get_host_name();
port = get_http_port(default:80, embedded:TRUE);

if (!get_port_state(port)) exit(0);
if (debug_level) display("debug: checking for Arbitrary Command Execution flaw in vacation.pl in Open WebMail on ", host, ":", port, ".\n");

# Check each installed instance, stopping if we find a vulnerability.
installs = get_kb_list(string("www/", port, "/openwebmail"));
if (isnull(installs)) exit(0);
foreach install (installs) {
  matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
  if (!isnull(matches)) {
    ver = matches[1];
    dir = matches[2];
    if (debug_level) display("debug: checking version ", ver, " under ", dir, ".\n");

    # nb: intermediate releases of 2.32 from 20040527 - 20040628 are 
    #     vulnerable, as are 2.32 and earlier releases.
    pat = "^(1\.|2\.([0-2]|3[01]|32$|32 20040(5|6[01]|62[0-8])))";
    if (ereg(pattern:pat, string:ver)) {
      # At this point, we know the target is running a potentially vulnerable
      # version. Still, we need to verify that vacation.pl is accessible since
      # one workaround is to simply remove the script from the CGI directory.
      url = string(dir, "/vacation.pl");
      # If safe_checks is disabled, I'll try to create 
      # /tmp/nessus_openwebmail_vacation_input_validation as a PoC 
      # although AFAIK there's no programmatic way to verify this worked 
      # since the script doesn't display results of any commands that might
      # be run.
      if (safe_checks() == 0) url += "?-i+-p/tmp+-ftouch%20/tmp/nessus_openwebmail_vacation_input_validation|";
      if (debug_level) display("debug: retrieving ", url, "...\n");

      req = http_get(item:url, port:port);
      res = http_keepalive_send_recv(port:port, data:req);
      if (isnull(res)) exit(0);           # can't connect
      if (debug_level) display("debug: res =>>", res, "<<\n");

      if (egrep(string:res, pattern:"^HTTP/.* 200 OK")) {
        security_hole(port);
        exit(0);
      }
    }
  }
}