SecurityReason - Horde Webmail file inclusion proof of concept & patch.

Advisory Text :

Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept &
patch.

A severe security vulnerability affects any unix distribution running
version 3.1.6 of the Horde webmail client included in most popular
webhosting control panels. All previous versions are also affected and
it is believed although not yet proven that Horde Groupware is also
vulnerable.

Details are as follows:

David Collins and Patrick Pelanne along with the rest of the
HostGator.com LLC support team discovered that Horde was not properly
sanitizing POST variables for several options including it's themes. By
maliciously modifying POST data sent to the client the attacker can
modify the location of the theme variable and Horde will subsequently
insert this information into it's database. By modifying this POST
variable one can allow for directory traversal and file inclusion which
can lead to full root privilege escalation.

Proof of concept:

Data injected through malicious tampering of POST data:

mysql> select * from horde_prefs where pref_uid='bbarker (at) hostgator
(dot) com [email concealed]' and pref_name='theme';

+-------------------------+------------+-----------+--------------------

------------------------------------------------------------------------

--------------------------------+

| pref_uid | pref_scope | pref_name | pref_value

|

+-------------------------+------------+-----------+--------------------

------------------------------------------------------------------------

--------------------------------+

| bbarker (at) hostgator (dot) com [email concealed] | horde |
theme |
../../../../../../../../../../../../../../../../../../tmp/.horde/imp/att

achments/bbarker (at) hostgator (dot) com [email
concealed]/1204804402/t.txt |

Shown above, the malicious POST variable was inserted into the database
and now points to the malicious code denoted by t.txt

A truncated strace shows the access and execution of the malicious code
when the user enters the Horde webmail client:

31852 lstat64("/usr", {st_dev=makedev(3, 3), st_ino=2,
st_mode=S_IFDIR|0755, st_nlink=18, st_uid=0, st_gid=0, st_blksize=4096,
st_blocks=16, st_size=4096, s$

31852 lstat64("/usr/local", {st_dev=makedev(3, 3), st_ino=608001,
st_mode=S_IFDIR|0755, st_nlink=26, st_uid=0, st_gid=0, st_blksize=4096,
st_blocks=16, st_s$

31852 lstat64("/usr/local/cpanel", {st_dev=makedev(3, 3), st_ino=18539,
st_mode=S_IFDIR|0711, st_nlink=37, st_uid=0, st_gid=10, st_blksize=4096,
st_blocks=8$

31852 lstat64("/usr/local/cpanel/base", {st_dev=makedev(3, 3),
st_ino=85078, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=0, st_gid=0,
st_blksize=4096, st_bloc$

31852 lstat64("/usr/local/cpanel/base/horde", {st_dev=makedev(3, 3),
st_ino=85388, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=32002,
st_gid=32004, st_blksize$

31852 lstat64("/usr/local/cpanel/base/horde/config", {st_dev=makedev(3,
3), st_ino=115868, st_mode=S_IFDIR|0755, st_nlink=2, st_uid=32002,
st_gid=32004, st_$

31852 lstat64("/usr/local/cpanel/base/horde/themes", {st_dev=makedev(3,
3), st_ino=86796, st_mode=S_IFDIR|0755, st_nlink=28, st_uid=32002,
st_gid=32004, st_$

31852 lstat64("/tmp", {st_dev=makedev(7, 1), st_ino=2,
st_mode=S_IFDIR|S_ISVTX|0777, st_nlink=9, st_uid=0, st_gid=0,
st_blksize=4096, st_blocks=64, st_size=$

31852 lstat64("/tmp/.horde", {st_dev=makedev(7, 1), st_ino=38609,
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004,
st_blksize=4096, st_blocks=2$

31852 lstat64("/tmp/.horde/imp", {st_dev=makedev(7, 1), st_ino=38610,
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004,
st_blksize=4096, st_bloc$

31852 lstat64("/tmp/.horde/imp/attachments", {st_dev=makedev(7, 1),
st_ino=38611, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002,
st_gid=32004, st_blksize=4$

31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot)
com [email concealed]", {st_dev=makedev(7, 1), st_ino=38612,
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st$

31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot)
com [email concealed]/1204804402", {st_dev=makedev(7, 1), st_ino=38613,
st_mode=S_IFDIR|0700, st_nlink=2, st_ui$

31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot)
com [email concealed]/1204804402/t.
txt", {st_dev=makedev(7, 1), st_ino=38614, st_mode=S_IFREG|0600,
st_nlink=1,$

31852 open("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot) com
[email concealed]/1204804402/t.txt
", O_RDONLY) = 4

We have also included a patch below for this vulnerability tested on
Horde v2.105.4.8 2006/07/29 16:49:19

--- horde/lib/Horde/Prefs.php 2008-03-06 21:14:38.000000000 -0600

+++ horde/lib/Horde/Prefs.patched 2008-03-06 20:10:56.000000000
-0600

@@ -325,12 +325,23 @@

}

return (isset($this->_prefs[$pref]['v'])) ?

- ($convert ?

+ $this->_fixhole($pref,$convert ?

$this->convertFromDriver($this->_prefs[$pref]['v'], $charset) :

$this->_prefs[$pref]['v']) :

null;

}

+function _fixhole($pref,$value) {

+ $sanitize = '/^[a-z0-9._-]+$/i';

+ if (preg_match($sanitize, $value) && $pref == 'theme') {

+ return $value;

+ } elseif ($pref == 'theme') {

+ return "mozilla";

+ } else {

+ return $value;

+ }

+}

+

function __get($name)

{

return $this->getValue($name);

-- Begin Signature --

HostGator.com is looking for qualified systems administrators. Please
send an e-mail to jobs (at) hostgator (dot) com [email concealed] with
your resume!