Vulnerabilities > CVE-2009-4111 - Code Injection vulnerability in Pear Mail 1.1.14/1.2.0B2

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
pear
CWE-94
nessus

Summary

Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.

Vulnerable Configurations

Part Description Count
Application
Pear
2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_PHP5-PEAR-MAIL-101022.NASL
    descriptionPassing specially crafted $from and $recepient arguments to php5-pear-mail
    last seen2020-06-01
    modified2020-06-02
    plugin id50369
    published2010-10-28
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50369
    titleopenSUSE Security Update : php5-pear-mail (openSUSE-SU-2010:0909-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update php5-pear-mail-3379.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50369);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:38");
    
      script_cve_id("CVE-2009-4023", "CVE-2009-4111");
    
      script_name(english:"openSUSE Security Update : php5-pear-mail (openSUSE-SU-2010:0909-1)");
      script_summary(english:"Check for the php5-pear-mail-3379 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Passing specially crafted $from and $recepient arguments to
    php5-pear-mail's sendmail.php allowed attackers to inject shell code
    (CVE-2009-4023, CVE-2009-4111)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=558259"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=630334"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-10/msg00038.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected php5-pear-mail package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(94);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pear-mail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.1", reference:"php5-pear-mail-1.1.14-1.135.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php5-pear-mail");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-12395.NASL
    descriptionFix CVE-2009-4023, CVE-2009-4111 PEAR
    last seen2020-06-01
    modified2020-06-02
    plugin id42939
    published2009-12-01
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42939
    titleFedora 12 : php-pear-Mail-1.1.14-5.fc12 (2009-12395)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2009-12395.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42939);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:29");
    
      script_cve_id("CVE-2009-4023");
      script_bugtraq_id(37081);
      script_xref(name:"FEDORA", value:"2009-12395");
    
      script_name(english:"Fedora 12 : php-pear-Mail-1.1.14-5.fc12 (2009-12395)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix CVE-2009-4023, CVE-2009-4111 PEAR's Mail class did not properly
    escape content of mail header fields, when using the sendmail backend.
    A remote attacker could send an email message, with specially crafted
    headers to local user, leading to disclosure of content and
    potentially, to modification of arbitrary system file, once the email
    message was processed by the PEAR's Mail class.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=540842"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-December/031884.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8b7eb07d"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected php-pear-Mail package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(94);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-pear-Mail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:12");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^12([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 12.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC12", reference:"php-pear-Mail-1.1.14-5.fc12")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-pear-Mail");
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-025.NASL
    descriptionMultiple vulnerabilities were discovered and corrected in php-pear (Mail) : Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted parameter, a different vector than CVE-2009-4111 (CVE-2009-4023). Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023 (CVE-2009-4111). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id44303
    published2010-01-26
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44303
    titleMandriva Linux Security Advisory : php-pear-Mail (MDVSA-2010:025)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2010:025. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44303);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:53");
    
      script_cve_id("CVE-2009-4023", "CVE-2009-4111");
      script_bugtraq_id(37081);
      script_xref(name:"MDVSA", value:"2010:025");
    
      script_name(english:"Mandriva Linux Security Advisory : php-pear-Mail (MDVSA-2010:025)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities were discovered and corrected in php-pear
    (Mail) :
    
    Argument injection vulnerability in the sendmail implementation of the
    Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for
    PEAR allows remote attackers to read and write arbitrary files via a
    crafted parameter, a different vector than CVE-2009-4111
    (CVE-2009-4023).
    
    Argument injection vulnerability in Mail/sendmail.php in the Mail
    package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows
    remote attackers to read and write arbitrary files via a crafted
    parameter, and possibly other parameters, a different vulnerability
    than CVE-2009-4023 (CVE-2009-4111).
    
    Packages for 2008.0 are provided for Corporate Desktop 2008.0
    customers.
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected php-pear and / or php-pear-Mail packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(94);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pear-Mail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/01/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"php-pear-5.2.4-1.1mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2009.0", reference:"php-pear-5.2.6-6.1mdv2009.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2009.1", reference:"php-pear-5.2.9-1.1mdv2009.1", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2010.0", reference:"php-pear-Mail-1.2.0-0.b1.2.1mdv2010.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-12439.NASL
    descriptionFix CVE-2009-4023, CVE-2009-4111 PEAR
    last seen2020-06-01
    modified2020-06-02
    plugin id42940
    published2009-12-01
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42940
    titleFedora 10 : php-pear-Mail-1.1.14-5.fc10 (2009-12439)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201412-09.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201412-09 (Multiple packages, Multiple vulnerabilities fixed in 2011) Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. FMOD Studio PEAR Mail LVM2 GnuCash xine-lib Last.fm Scrobbler WebKitGTK+ shadow tool suite PEAR unixODBC Resource Agents mrouted rsync XML Security Library xrdb Vino OProfile syslog-ng sFlow Toolkit GNOME Display Manager libsoup CA Certificates Gitolite QtCreator Racer Impact : A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. Workaround : There are no known workarounds at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id79962
    published2014-12-15
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79962
    titleGLSA-201412-09 : Multiple packages, Multiple vulnerabilities fixed in 2011
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-12348.NASL
    descriptionFix CVE-2009-4023, CVE-2009-4111 PEAR
    last seen2020-06-01
    modified2020-06-02
    plugin id42937
    published2009-12-01
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42937
    titleFedora 11 : php-pear-Mail-1.1.14-5.fc11 (2009-12348)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 37395 CVE ID: CVE-2009-4111 PEAR是“PHP扩展和应用库”的缩写,用于为PHP用户提供结构化的开源代码库。 PEAR的Mail软件包中Mail/sendmail.php没有正确地过滤$recipients参数,远程攻击者可以通过提交恶意请求读写任意文件。 PEAR Mail 1.1.4 厂商补丁: Debian ------ Debian已经为此发布了一个安全公告(DSA-1938-1)以及相应补丁: DSA-1938-1:New php-mail packages fix insufficient input sanitising 链接:http://www.debian.org/security/2009/dsa-1938 补丁下载: Source archives: http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.6.orig.tar.gz Size/MD5 checksum: 13702 47b38a06acdec73c4d8c01f9d7e5e8e2 http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.6-2+etch1.diff.gz Size/MD5 checksum: 3310 64425237844fed79a4b71aa34ccb0cee http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.6-2+etch1.dsc Size/MD5 checksum: 689 93c32b0cb655191ac6edb48013d18921 Architecture independent packages: http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.6-2+etch1_all.deb Size/MD5 checksum: 17884 a2abda15da9ddab5f1590198cc852b3f Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14-1+lenny1.dsc Size/MD5 checksum: 1258 6d361bf9406e9195813b4396bb7d5c13 http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14.orig.tar.gz Size/MD5 checksum: 17537 e50da58b6b787b3903ce4d07dc791bb2 http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14-1+lenny1.diff.gz Size/MD5 checksum: 4105 a8154d9e86e98a591dfc9e84210ce163 Architecture independent packages: http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14-1+lenny1_all.deb Size/MD5 checksum: 21904 d5184514df44b348582071748e855c32 补丁安装方法: 1. 手工安装补丁包: 首先,使用下面的命令来下载补丁软件: # wget url (url是补丁下载链接地址) 然后,使用下面的命令来安装补丁: # dpkg -i file.deb (file是相应的补丁名) 2. 使用apt-get自动安装补丁包: 首先,使用下面的命令更新内部数据库: # apt-get update 然后,使用下面的命令安装更新软件包: # apt-get upgrade PEAR ---- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://pear.php.net/bugs/bug.php?id=16200&amp;edit=12&amp;patch=quick-fix&amp;revision=1241757412
idSSV:15129
last seen2017-11-19
modified2009-12-23
published2009-12-23
reporterRoot
titlePEAR Mail软件包Recipient参数注入漏洞