SquirrelMail Remote Code Execution Vulnerability (CVE-2017-7692)
Release date: 2017-04-20
Update date: 2017-04-20
Affected systems:
Description:
CVE(CAN) ID: CVE-2017-7692
SquirrelMail is a standards-based webmail package written in PHP.
In SquirrelMail <= 1.4.22, a string is passed to a popen() call without being properly filtered and sanitised, so an attacker may be able to exploit this vulnerability to execute arbitrary code on the remote server without authorisation. The flaw is in the initStream function in Deliver_SendMail.class.php, which uses escapeshellcmd() to filter and sanitise the command used to send mail. However, escapeshellcmd() does not escape the space character, which allows injection of arbitrary command arguments.
<*Source: vendor *>
Recommendation:
Temporary workaround:
SquirrelMail has not yet released an official fix for this issue; NSFOCUS recommends the following measures to reduce the threat:
Users can apply the temporary patch provided by the discoverer of the vulnerability; the fix is as follows:
BOF
diff -ruN squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php
squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php
--- squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php 2011-01-06 02:44:03.000000000 +0000
+++ squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php 2017-04-18
11:42:26.505181944 +0000
@@ -93,9 +93,9 @@
$envelopefrom = trim($from->mailbox.'@'.$from->host);
$envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
// save executed command for future reference
- $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
+ $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") .
escapeshellarg($envelopefrom);
// open process handle for writing
- $stream = popen(escapeshellcmd($this->sendmail_command), "w");
+ $stream = popen($this->sendmail_command, "w");
return $stream;
}
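Review bot: the core fix is sound: escapeshellarg() single-quotes $envelopefrom (escaping any embedded single quote), so a space in the sender address can no longer split it into additional sendmail arguments, and because the quoted value is concatenated directly after `-f` the shell still hands sendmail `-f<address>` as a single argv entry. Two things to confirm in review: $sendmail_path and $this->sendmail_args are still only passed through escapeshellcmd(), so they must remain administrator-controlled configuration rather than request-derived values; and the preceding str_replace() that strips NUL and newline should stay in place, since escapeshellarg() does not accept input containing NUL bytes on recent PHP versions.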
EOF
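As an added illustration (example code written for this page, not SquirrelMail's own), the following PHP builds the sendmail command string the pre-patch way and the patched way, then tokenises each the way a POSIX shell would; $sendmail_path, $sendmail_args, the sender value and the shell_words() helper are all constructed here and nothing is executed.

```php
<?php
// Added example, not SquirrelMail code: it builds the command string the way
// the pre-patch and patched initStream() do and shows how the shell would
// tokenise each one. Nothing is executed; popen() is deliberately not called.

// Constructed values: the first two are admin configuration, the third is the
// envelope sender, which is the value the vulnerability hinges on.
$sendmail_path = '/usr/sbin/sendmail';
$sendmail_args = '-i -t';
$envelopefrom  = 'alice@example.com extra-token';   // contains a space

// Pre-patch construction: one escapeshellcmd() over the whole line.
$vulnerable = escapeshellcmd("$sendmail_path $sendmail_args -f$envelopefrom");

// Patched construction: escapeshellcmd() for the fixed prefix,
// escapeshellarg() for the user-influenced sender.
$fixed = escapeshellcmd("$sendmail_path $sendmail_args -f")
       . escapeshellarg($envelopefrom);

// Minimal POSIX-shell word splitter: handles unquoted whitespace, backslash
// escapes and single-quoted runs, which is all these two strings contain.
function shell_words(string $cmd): array {
    $words = []; $cur = ''; $inWord = false; $n = strlen($cmd);
    for ($i = 0; $i < $n; $i++) {
        $c = $cmd[$i];
        if ($c === '\\' && $i + 1 < $n) {          // next char taken literally
            $cur .= $cmd[++$i]; $inWord = true;
        } elseif ($c === "'") {                     // quoted run up to closing quote
            $end = strpos($cmd, "'", $i + 1);
            if ($end === false) { $end = $n; }       // unterminated: take the rest
            $cur .= substr($cmd, $i + 1, $end - $i - 1); $inWord = true; $i = $end;
        } elseif ($c === ' ' || $c === "\t") {      // unquoted whitespace splits
            if ($inWord) { $words[] = $cur; $cur = ''; $inWord = false; }
        } else {
            $cur .= $c; $inWord = true;
        }
    }
    if ($inWord) { $words[] = $cur; }
    return $words;
}

foreach (['pre-patch' => $vulnerable, 'patched' => $fixed] as $label => $cmd) {
    $argv = shell_words($cmd);
    printf("%-10s %s\n", $label . ':', $cmd);
    printf("%-10s argv has %d entries: %s\n", '', count($argv), json_encode($argv));
}
```

The pre-patch string splits into five argv entries, so `extra-token` reaches sendmail as a separate option, while the patched string keeps the entire sender as one `-f` value.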
Vendor patch:
SquirrelMail
------------
The vendor has not yet provided a patch or upgrade; we recommend that users of this software monitor the vendor's homepage for the latest version:
References:
https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html