Developers behind the PHP-based webmail package SquirrelMail patched a remote code execution vulnerability that could let attackers execute arbitrary commands on the target and compromise the system on Thursday.
Dawid Golunski, a researcher with Legal Hackers discovered the vulnerability and reported it to the project’s maintainers in January. The researcher has previously uncovered similar remote code execution issues in the email libraries PHPMailer and SwiftMailer.
Developers behind the webmail package had been informed of the vulnerability but it wasn’t clear if it was going to get fixed until a patch arrived yesterday.
Golunski told Threatpost on Thursday that squirrelmail-20170427_0200-SVN.stable includes a patch for the vulnerability.
In a description of the bug on the package’s site, SquirrelMail confirmed that some builds were vulnerable to a “command-line argument injection exploit that could allow arbitrary code execution if $edit_identity and $useSendmail are enabled and user has knowledge of the location and permissions on the SquirrelMail attachment directory.”
The researcher, who disclosed the vulnerability in a write-up on his site last Friday, said it stemmed from insufficient escaping of user-supplied data when the package is configured with Sendmail as its main transport.
— Dawid Golunski (@dawid_golunski) April 23, 2017
Sendmail, perhaps the most popular mail transfer agent, often comes configured as default on email environments.
The researcher said that when it uses Sendmail, SquirrelMail failed to take into account a character that can be used by attackers to inject additional parameters. In a proof of concept built by Golunski, he shows how an attacker could inject specific parameters to a malicious Sendmail config file, which can then be uploaded as an attachment to carry out arbitrary command execution.
Golunski documented the vulnerability in a video published earlier this week:
The proof of concept contains payloads for two vectors, file write, and remote code execution, It requires user credentials and that SquirrelMail uses Sendmail.
Golunski was prompted to release his advisory last week after Filippo Cavallarin, the CEO of Segment, an Italian security firm, disclosed the same issue, via the Full Disclosure mailing list archives.
Cavallarin said he elected to disclose the vulnerability after he failed to make contact with the project’s maintainers. Golunski said he did manage to make contact and that a CVE (CVE-2017-5181) was assigned to the vulnerability but that the developers behind the package, citing personal issues, requested some time to patch.
The most recent version, 1.4.22, and prior versions of the package were believed to be vulnerable. Since it’s an open source project and version 1.4.22 was released nearly six years ago, in July 2011, it wasn’t entirely clear if a patch is coming.
Until a patch was pushed Golunski was encouraging users of the package to switch to SMTP-based transport, as opposed to Sendmail. Cavallarin shared an unofficial patch to fix the vulnerability in his disclosure.
On Monday Golunski said that he had notified the project that both he and Cavallarin’s disclosures have gone live but hadn’t received a response back yet.
This article was updated throughout on April 28 to include news on squirrelmail-20170427_0200-SVN.stable and the patch.