[Devel] checkhack-zimbra-preferences shell escape issues

Barry De Graaff barrydg at zetalliance.org
Tue Jun 7 06:49:10 CEST 2016



Hello All,

I looked into checkhack-zimbra-preferences; it seems like writing it took a lot of time, and
it is a great effort.

However, I was able to crash the script by adding a plain-text signature for a user (see attached).
The script would then try to create arbitrary files on the server file system. That does suggest
shell escaping is not being done properly by this script.

[root@myzimbra ~]# /usr/local/sbin/checkhack-zimbra-preferences.sh
/tmp/zimbra-preferences-scores/2016-06-06/admin
/tmp/zimbra-preferences-scores/2016-06-06/if
/tmp/zimbra-preferences-scores/2016-06-06/zimbrapreffromaddress
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefidentityname
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)
if
/usr/local/sbin/checkhack-zimbra-preferences.sh[420]: /tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)
if: cannot create [File name too long]
/tmp/zimbra-preferences-scores/2016-06-06/zimbrasignaturename


[root@myzimbra ~]# ls --full-time /tmp/zimbra-preferences-scores/2016-06-06/
total 20
-rw-------. 1 root root 2 2016-06-06 21:19:12.137399697 +0200 admin
-rw-------. 1 root root 2 2016-06-06 21:19:12.145399735 +0200 if
-rw-------. 1 root root 2 2016-06-06 21:19:12.152399768 +0200 zimbrapreffromaddress
-rw-------. 1 root root 2 2016-06-06 21:19:12.162399815 +0200 zimbraprefidentityname
-rw-------. 1 root root 2 2016-06-06 21:19:12.172399863 +0200 zimbrasignaturename


This means it tried to create a file with the name:
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)
if

This is potentially unsafe; it would require me to rewrite the script to make sure it escapes
all user input. Considering this is a script to prevent hackers and spammers from abusing
services, I do not think I can use it as is.

See: https://github.com/Zimbra-Community/zimbra-tools/blob/master/checkhack-zimbra-preferences

Kind regards,

Barry de Graaff
Zeta Alliance Founder
www.zetalliance.org

Skype: barrydegraaff.tk
Fingerprint: 9e0e165f06b365ee1e47683e20f37303c20703f8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: injectfile.txt.tar.gz
Type: application/x-compressed-tar
Size: 1000 bytes
Desc: not available
URL: <http://lists.zetalliance.org/pipermail/devel_lists.zetalliance.org/attachments/20160607/39706c00/attachment.bin>
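As an added example (not code from checkhack-zimbra-preferences or the Zimbra-Community repository), the POSIX sh snippet below shows how a script that records per-account results can keep user-controlled attribute values such as mail signatures out of file names: every expansion is quoted so a value stays one word, and only an allowlisted account name ever becomes a path component. The temporary score directory, the sample signature string and the function names are assumptions made for this demo; the real script writes under /tmp/zimbra-preferences-scores/<date>/.

```shell
#!/bin/sh
# Added example, not code from checkhack-zimbra-preferences: record a per-account
# score without letting attribute values become path components or extra shell
# words. SCORE_DIR is a temporary directory (an assumption for the demo).
SCORE_DIR=$(mktemp -d)

# Constructed sample value: a plain-text signature containing whitespace, a shell
# keyword, glob characters and a pipe. These are exactly the kinds of bytes that
# turn into stray file names ("if", "zimbra...:*|...") when an expansion holding
# them is left unquoted and the shell splits it into words.
SAMPLE_SIGNATURE='if zimbraPrefMailSignature:*|zimbraPrefFromAddress:*) then'

# Allowlist for the only thing that may name a file: the account name.
# Rejects empty names, anything containing "/", dot-prefixed names, and any
# character outside [A-Za-z0-9._@-].
is_safe_account_name() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_score ACCOUNT VALUE SCORE
# Appends "SCORE<TAB>VALUE" to $SCORE_DIR/ACCOUNT. Every expansion is quoted,
# so "$value" remains a single word regardless of spaces, "*", "|" or ")"
# inside it, and the file name is built from the validated account name only.
write_score() {
    account=$1
    value=$2
    score=$3
    is_safe_account_name "$account" || return 1
    printf '%s\t%s\n' "$score" "$value" >> "$SCORE_DIR/$account"
}

# Number of files a run produced: a correct run creates exactly one per
# account, never one per word of a signature.
count_score_files() {
    ls -1 "$SCORE_DIR" | wc -l | tr -d ' '
}

# Demo run: one account, one awkward signature value, one resulting file.
write_score admin "$SAMPLE_SIGNATURE" 5
ls -l "$SCORE_DIR"
```

The check worth keeping from this is the last one: after a run, the number of files under the score directory should equal the number of accounts processed, and any extra entry named after a shell keyword or an LDAP attribute filter is a sign that a value reached the file name unquoted.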