SquirrelMail Repository Poisoned
SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."
This was the first sign of trouble: http://i23.tinypic.com/2ezqkht.jpg
All it did was fetch a bunch of nuts... porn, spam, etc.
Wait, no really, seriously, it was supposed to be funny, but a System -2875A error prevented a proper punchline from being generated.
...of the breach: "Aw Nuts!"
Horde FTW!
People that play MyMiniCity are gay and lame. They smell funny, too.
...I've never made sure to always check my MD5 signatures, but I damn sure am now.
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
Anyone been using it for a while without any problems?
I've not evaluated it recently. Horde is a PITA to set up and this doesn't give me confidence in the SM team.
Exchange is not free software.
he's trolling to fill his city with slashtards, link to his city from myspace i tell you.
Under the influence of Post-Cyberpunk Gonzo Journalism
Whoever decided that sending mail by using squirrels as couriers through these series of tubes is just damn wrong. Even worse, who are these sick bastards poisoning squirrels?
If this were to happen to a proprietary application you wouldn't get an honest answer from the vendor. The bigger the vendor the worse the response.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
If the vulnerability was introduced through a compromised account, is there any assurance that that account is no longer compromised? I see no mention of that.
MD5 was on the same server. What prevented the attacker from changing that as well?
If you read the article, or even the summary, it was someone checking the MD5 that discovered the poisoning. So... I'd say it certainly helped.
Male Suppository Poisoned."....
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Dam! Maybe next time I'll remember to change the checksum too!
1.4.11, 1.4.12 and 1.5.1. Same attack, based on the CGI 1.1 specification as implemented by PHP.
He has a proclivity for poisoning pigeons...maybe he's branched out to squirrels.
http://www.horde.org/
Good catch, but it makes me wonder how SC/CM is managed today. Open or closed source, both are vulnerable through developer access. I can understand that open source projects don't always have the resources to run full SC/CM systems, but I don't see full control even in some closed source environments I know. It is not difficult, but it needs some planning and computer resources, not human resources! Almost the only places I have seen that kind of system control are some insurance, banking (less often) and government (often a mess) environments. It is not just security; mistakes happen, and in the long run it always pays back. Try telling that to management (heh!). Maybe I'm biased, but after a couple of mishaps a long time ago we implemented an SC/CM system to protect against unverified and/or untested systems going to production, and several other companies started using similar methods after us. It really can be automated with some planning. First everybody hates it, and 6 months later they love the benefits. As I said, everybody makes mistakes, and one-command recovery is very nice when that happens before anything goes wrong.
I love it; it is very nice on the eyes compared to SquirrelMail. I do not use it regularly, but I trust it whenever it is needed.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
I remember this happening to Linux a long long time ago. Maybe 4 or 5 years ago, but the discrepancy was found before the kernel was ever released, and it was fixed. Does anyone remember this story or have links to it? Any follow-up stories?
Yes. The article is vague, and the title on /. is worse - it implies the source repository. It seems people have been easily misled as a result. Always read the actual article, not a 2nd or 3rd hand summary.
From there:
"The code modifications did not make it into our source control, just the final package. We are currently investigating older packages to see if they were also compromised."
Anyone been using it for a while without any problems?
I use it on my site and install it for customers. You won't build a "hotmail" with it, and a rich user client like Thunderbird is almost always a better choice for users, but for those who need web access to their email, it is absolutely great.
I, for one, refuse to trust my mail to any creature that can be this devious.
Wisconsin River Falls uses Squirrel Mail for its students. But, we're still on version 1.4.9a, if the IT guys had done their job in updating the software, I'd be pissed.
You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
No, and it's not a productivity tool either - quite the opposite.
In summary: whooooosh!
Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
Next time we have a piece of software (haha - a pos - piece of software) with a vulnerability in it we can always claim a "maintainer" had their account "hacked" and some code changed to introduce the vulnerability. We'll trumpet on about better authentication schemes, yada yada and then in a few months, mysteriously it will happen again. Nobody will ever call them on their code being the problem in the first place - nope, had to be that person who "hacked" the account...
My squirrelmail seems to be working just f$#$^$%^$*@((((((#@34..........NO CARRIER
/* oops I accidentally made a comment, sorry */
I have been a squirrel mail user for some time, and I use it on my site as well as sites I set up. My current 9-5 job uses outlook, what a disaster!! Outlook Web Mail just sucks.
With a sophisticated enough hacker, md5 checksums won't matter much. md5 has been broken. Use sha1.
Are you talking about the rather pathetic and obvious attempt to insert a patch into the kernel with uid=0 rather than uid==0 (assignment, rather than comparison)? I don't think that ever got past the "doh? how stupid do you think we are?" stage and I can't even remember if it was the kernel or something like just a patch for a module posted to the LKML or something.
Poisoned distributions? Nasty indeed. Anyone got any idea how it happened? I'd imagine that targeting a specific developer just when he's doing a release, and being able to make a change to that release that causes a hole to be opened up, is quite challenging. Doing it twice is very nasty indeed; someone worked hard at this.
Actually, I think I know one way of doing this that doesn't require the distribution builder's machine to be compromised and which also means that matching even simple signatures like an MD5 hash is very hard. If it's that, SourceForge has a very serious problem...
"Little does he know, but there is no 'I' in 'Idiot'!"
Actually it was a rather odd macro someone inserted that looked benign but would have introduced some kind of a backdoor.
Debian uses GPG to sign packages as well. I don't know about RedHat's RPM system, although I assume it must use some sort of cryptographic validation on binary packages; it's just too much of a weak link to ignore completely.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
For anyone that doesn't get the 'andweeeeeee' tag may I refer you to http://www.threebrain.com/weeeeee.shtml/.
and this doesn't give me confidence in the SM team
Then you should probably stay away from Debian, Sendmail, Apache, or...well, hell, just stay away from Open Source, period, if a server/distro compromise is the measuring stick you use to measure "confidence."
We're a midwestern university & use a slightly older version of Squirrelmail as our webmail interface. Just an hour ago some of our users got this phish:
"Confirm Your Email Address!
Dear <domain.edu> Subscriber,
To complete and verify your <domain.edu> account, you must reply to this email immediately and enter your password here (*********)
Failure to do this will immediately render your email address deactivated from our database.
You can also confirm your email address by logging into your <domain.edu> account at <correct URL>
Thank you for using DOMAIN. EDU!
<UNIVERSITY NAME> UNIVERSITY WEBMAIL TEAM
"
Our version of Squirrelmail is too old to have been one of the compromised ones, and it might not be related, but the timing is mighty suspicious. The reply-to address on this is wi_hamilton (at) yahoo (dot) gr and purports to be from <UNIVERSITY NAME> UNIVERSITY WEBMAIL TEAM <support@domain.edu>, subject "Confirm Your Email Address!", X-Mailer MIME-tools 5.420 (Entity 5.420).
Hail Eris, full of mischief...
E pluribus sanguinem
You are of course right, it is Change NOT Configuration management in this case. My bad.
I recently wrote a paper arguing that open source is more secure than closed source because finding and fixing flaws is easier in open source. I'm not sure if this incident supports or refutes that argument. In one post at SquirrelMail's blog, they say that 1.4.12 is compromised. In the next post, they say that 1.4.11 (released Sept 29) and 1.4.12 (released Dec 5) are compromised. If the time between the first compromised release and the fix is 9 days, nice job. If the time between the first compromised release and the fix is 2.5 months, I'm not too impressed. Regardless, it looks like the time between discovery of the flaw and the patch is only 1 day, which is pretty outstanding. Why did it take so long to find an MD5 error when the MD5 hashes and downloads are posted right next to each other for several months? Did no one check them for that long? Is this the developer's responsibility, or the responsibility of the implementing community? What measures can be taken to prevent this kind of oversight from happening again? I'm not so worried about the compromise itself - projects will get hacked. But there are safeguards to prevent this exact hack from being too effective, and those safeguards didn't work. Why not?
How's it work with PDAs? Squirrelmail sucks balls on a PDA-sized screen.
Just by chance (of course) I posted a comment about this happening more and more... just yesterday!
The timing makes me look bad...
That's an interesting distinction which may or may not need to be made.
/source code|configuration) management/ vs. /source code change management/
I've seen "Change Management" and "Configuration Management" used interchangeably as "CM" in "SC/CM" quite a bit. I think it makes sense, because versioning of config files in some environments can be as useful as versioning of source code.
I support the interchangeable use based on the grounds that depending on your perspective there's not much difference and that people generally understand the system can be used either way anyway.
It also explains, I think, why I've seen it as "SC/CM", "SC-CM", and "SCCM". I usually use the generic "VCS" or even "CVS" specifically when talking about an unknown or hypothetical versioning system. For clarity, I try to say "RCS", "CVS", "SCCS", "Perforce", "git", or "Subversion" specifically when discussing a specific project's repository. Yes, I realize that conflicts with sometimes using "CVS" in place of the generic "VCS" or "SCCM". I think it's ingrained in me that way because CVS is named for what it is -- a concurrent versioning system.
No one seems offended if you say, "I'll grab it from CVS and take a look" and they say, "Well, it's actually Subversion." In fact they normally don't, IME, make the distinction unless the repository address isn't published. They just take the point that you're going to go locate the repository and grab a copy of the code. If they think you can locate and access the repository on your own, people normally don't care that you know beforehand which of the more recent solutions is being used. Of course, they might be offended if you seem to assume they're using SCCS, but that's another matter entirely.
As with anything in the field, though, some people will paint the shed at the expense of stalling or killing the project itself. Those are the people who should be tasked with making a project logo or menu buttons, because those are the places most OS projects need people to be more picky anyway. Which VCS to use is usually a fairly minor thing as long as people actually use it.
One thing that wasn't covered in the story...
Yesterday morning it was discovered that the 1.5.1 (development) release had been compromised as well. It hadn't been discovered until then as the hacker had modified a different file in a slightly different way. If you're running a version of 1.5.1 that had been downloaded after sometime in late November, then it would be a good idea to remove it or replace it with a SVN release (which was not compromised).
There's no official announcement yet, but 1.5.1 has been pulled from distribution and an official announcement will probably be forthcoming.
Hope this helps...
Why is this modded as a troll?
Roundcube has great potential, but it isn't nearly as mature as SM. It does seem to be getting better though. The big problem I have with Roundcube is it doesn't have plugins. No plugins = no Sieve filters (avelsieve), which is a big deal to me. No plugins = no other cool things that Squirrelmail has like importing and exporting address books from all kinds of crazy places, no admin plugins, etc...
Someday though. It has always looked and functioned way nicer than squirrelmail, it just needs more backend sysadmin goodness.
Surely there's a better way to keep them off the bird feeder than poisoning them. And why just the males?
Intron: the portion of DNA which expresses nothing useful.
I've been using it for some weeks now... small user base though, about 25 people. Runs fine after I did some small fixes on the identity management and auto user creation features, which had minor bugs in the release I got. But overall it's a great piece of software.
Cosplayers.net - The Cosplayers Network
How about any open source imap client for that matter?
There used to be some IMAP to WAP client based on PHP, but it had all kinds of crazy problems like you had to hardcode your login to the config file. It also was read only - you couldn't send mail from the phone.
Is there anything new on the market for mobile users?
This is probably offtopic but I've been using Squirrelmail on my website for years. I like it but it's FUGLY. I've waited those years to see if they planned on maybe getting rid of the frames or adding real CSS in version 2 but I don't see any of that on the horizon. Updates and patches help fix bugs from internal and external sources but don't add much to the experience. I've written plugins and modified the source but those need to be updated/changed on every upgrade. Can SquirrelMail be made to be non-FUGLY?
I've tried Horde (PITA as mentioned above) and Roundcube is nice but it's been in beta v0.1-rc2 for 2 years and is missing many features found in Squirrelmail. Can anyone point me to a free/open source webmail app alternative to SquirrelMail that's not FUGLY?
Isn't creating MD5 collisions (making your changed file match the original MD5 value) something that can be done on a PC nowadays with stuff like this: http://www.securiteam.com/tools/6O00E1FEKO.html
While this is undoubtedly unfortunate, how much damage was really done? The majority of people use public-key (encrypted checksum) checks to confirm the identity of packages they download, so this would have been easily caught by most. It does further underscore the importance of such identity checks, however, malicious replacement being one of the weaknesses of online software repositories.
Fear the penguin.
Better yet, use The Shat to protect your data
"Algebraical symbols are used when you don't know what you are talking about" - BCS
Slashdot tags are now officially funnier than the posts themselves.
What?
hehe, i checked out of curiosity since none of us really use the web access.
Our cheesy email provider is on 1.4.9a.
Horde is the other choice and a newer version than when i last tried to use the web interface, looks confusing for any of our users now.
How would one set up their own email server with something like this? Would i want to since this only costs $150/year? Just use Outlook that will come with the small business server next year?
With a Hollywood movie hacker, you mean. It is theoretically possible for this to be done, but researchers have not accomplished it yet. Just last month someone came close, but it required altering the original program to match the new MD5 collision value: Software Integrity Checksum Vulnerability
But I'm sure it would be no problem for your über-hacker or for Chuck Norris.
Those are my principles. If you don't like them I have others. -Groucho Marx
need to get glasses...
The hacker was stupid enough not to update the MD5 signature of the modified archive. If he had, everybody would have continued to use the modified version, even after checking its MD5 sum... which ensures INTEGRITY, not AUTHENTICITY. The SquirrelMail team MUST learn from this story that to ensure authenticity, THEY MUST SIGN THEIR ARCHIVES WITH GPG.
Every software developer who does not sign their software with GPG (or similar) exposes their users to the consequences of such a compromise and should be labeled a LAZY developer.
Unfortunately Horde doesn't require intervention in the code repo to be compromised. One of my clients has a Horde IMP install that has been compromised three different times this year with three different versions.
A friend of mine was working with MD5 sums for a uni research project, which led to many geeky get-togethers in the refec with lots of other nerds just mulling over the limitations of MD5 sums and how to take advantage of them in this project. Having a think about it, if you were to use the limitations for bad ends it should be rather easy. For example you can easily change the contents of source code (assuming it's in a tar with the tar's MD5 sum) to what you want and just pad it out with extra rubbish content until you hit the same md5sum again. Of course you'd need to generate the rubbish and the file size would blatantly be different. MD5 and any sort of tag has the simple limitation that there aren't enough bits to represent the data, not by a long shot, so it repeats more often as the size gets bigger.
I ate your fish.
Seriously, the state of webmail is pretty sad. Is there any promising projects for a MODERN webmail system out there? (Not a full collab package, or a heavy HEAVY ajax system)
OSS or closed source, it doesnt matter to me, just anything that is good. Squirrelmail is what I use right now, and well its ugly and it doesnt seem like they ever plan on making it look like a modern webmail client should.
The phrase "more better" is acceptable English. suck it grammar Nazis
and just pad it out with extra rubbish content until you hit the same md5sum again.
You seem to be a little unclear on the concept. Were those DnD nerds or computer nerds? All hashes repeat, but the time required to calculate by brute force a fraction of the 2^128 different padded files until you might hit the one you want is designed to be years with the current technology and what we are expected to have in 10 years. MD5 is broken because there are shortcuts to make this calculation easier. However, the post I responded to had a misconception about the current state of the MD5 vulnerability.
The strange thing about your post is that a whole group of people would mull this over without admitting they didn't even know how MD5 works. I think you need a better group of nerds.
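The exchange above turns on a distinction worth seeing in numbers: the practical MD5 attacks that existed at the time (and the chosen-prefix ones since) are collision attacks, where the attacker produces both files; matching a digest that was already published for someone else's tarball is a second-preimage problem, and the "pad it out until you hit the same md5sum" plan is a brute-force second-preimage search costing about 2^n hashes for an n-bit digest, against about 2^(n/2) for a birthday collision. The script below is an added illustration, not code from the page or the SquirrelMail project. It truncates MD5 to a handful of bits so both searches finish in seconds; the inputs ("release-N", "trojaned-N") and the target file name are constructed for the example, and the ratio between the two try counts, not the absolute values, is the point.

```python
"""Added example (not the page's or SquirrelMail's code): birthday collision
versus second preimage on a truncated MD5, to show why matching an already
published hash is the expensive direction.
"""
import hashlib


def truncated_md5(msg: bytes, bits: int) -> int:
    """First `bits` bits (bits <= 32) of MD5(msg), as an integer."""
    return int.from_bytes(hashlib.md5(msg).digest()[:4], "big") >> (32 - bits)


def find_collision(bits: int, limit: int = 1 << 22):
    """Birthday search: any two distinct inputs sharing a truncated digest.

    Expected cost is about 2**(bits / 2) hashes.  Returns (tries, msg_a, msg_b)
    or None if the cap is hit (practically impossible for bits <= 24).
    """
    seen = {}
    for i in range(limit):
        m = b"release-%d" % i          # constructed input stream
        h = truncated_md5(m, bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
    return None


def find_second_preimage(target_msg: bytes, bits: int, limit: int = 1 << 22):
    """Match ONE fixed, already-published digest with a different input.

    Expected cost is about 2**bits hashes, since every candidate must hit the
    single target value.  For full MD5 (bits = 128) no practical shortcut is
    known; the collision shortcuts do not help here.
    """
    target = truncated_md5(target_msg, bits)
    for i in range(limit):
        m = b"trojaned-%d" % i         # constructed attacker candidates
        if m != target_msg and truncated_md5(m, bits) == target:
            return i + 1, m
    return None


def demo(bits: int = 18) -> dict:
    """Run both searches on the same truncated digest width and report tries."""
    published = b"squirrelmail-1.4.12.tar.gz"   # stands in for the real tarball
    c = find_collision(bits)
    p = find_second_preimage(published, bits)
    if c is None or p is None:
        raise RuntimeError("search cap hit; raise `limit` or lower `bits`")
    return {
        "bits": bits,
        "collision_tries": c[0],
        "collision_pair": (c[1], c[2]),
        "second_preimage_tries": p[0],
        "second_preimage": p[1],
        "target": published,
    }


if __name__ == "__main__":
    r = demo()
    print("%d-bit digest: collision after %d tries, second preimage after %d"
          % (r["bits"], r["collision_tries"], r["second_preimage_tries"]))
```

Scaling the two counts up from 18 bits to MD5's 128 gives the gap that matters in practice: a birthday search sits near 2^64 work before any cryptanalytic shortcut, while the attacker in this story, who had to leave the published checksum file alone, would have needed a second preimage at roughly 2^128. That is why the comments noting that MD5 "has been broken" and the one saying the attacker "came close" only by altering the original program are both right: the break is on the collision side.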
developer that somehow allows some crackers into the system or network.. no pun intended. My present employer now, we had a developers machine get compromised, it was sweet walking over to his machine and unplugging his network cable while he was working, along with the phrase, "we'll let you know when you can plug it back in after we wipe your machine."
http://www.luke.ehresman.org/
Mike Huckabee is a shoe-in for L. Ehresman. Biblically-based, scripture-solid laws are the way to go. Weak Families make weak nations (versus an inventory of thermonuclear weapons).
It's too bad that he didn't pick the Real True Spaghedeity....
I don't know any DnD nerds and luckily no one as condescending as you.
The project we were talking about was doing the opposite to what I suggested. To do what we wanted would take a large cluster only days to complete so I assumed that in the other direction would be similar (not the same, similar, since you are in to semantics), I really should have thought about it further and realised it was a power. Lucky I don't have to work with you or help you on a project, one minor mistake and it's out in the gutter.
Citadel, with the Blue Citadel theme, isn't bad.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I thought of RoundCube the instant I saw this article.
I've just installed Round Cube 0.1-RC2 on my webserver to get reliable access to my non-work email. Apart from the dubious 0.1 version number (way to instil confidence in the end users: call an otherwise stable first release 1.0!) it is significantly more reliable than beta1 and even more crisply polished than before.
SquirrelMail and Horde are mature, yes, but they seem to bloat. I just want a lightweight, well-designed web access system so I don't have to use mail2web.com. Keep up the good work RoundCube!
( Redundancy is ) ^ n
Even the Ubuntu community doesn't seem to be concerned about a MD5 discrepancy. The CD-ROM image for the newest Kubuntu, found at http://torrent.ubuntu.com:6969/ shows that the MD5 hash is:
6709ff39ea47d3563b537b67153f60ee0c932a93
When I downloaded the ISO through BitTorrent, though, I found this instead:
kwtm@host ~/isocd$ md5sum kubuntu-7.10-desktop-i386.iso
ae9b209fe4b9caf545fa2011631de797 kubuntu-7.10-desktop-i386.iso
I mean, this is coming through BitTorrent, so other than myself, there must be thousands of other people downloading this identical supposedly error-corrected ISO. Why is there a discrepancy? Either someone has poisoned the entire Kubuntu ISO distribution and nobody cares, or someone has compromised the Ubuntu server to display the wrong MD5 sum, and nobody cares. When I Googled for the variant MD5 hash that I calculated, nothing came up. (Later, I checked, and the main result was some inane forum about "Let's all paste in the contents of whatever's in our clipboard right at this exact moment!") WTF???
That is the reason I haven't installed Gutsy on my Dellbuntu laptop. No, I don't really think there is an evil Ubuntu conspiracy. No, I don't really think all the Kubuntu ISO's have been compromised. But I don't know what to think. Probably I can just ignore the problem, and it will go away. But I don't want to develop the habit of ignoring discrepancies, or one day the security hashes will be as useful as the User Access Controls of MS Vista.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Check out the Claros InTouch suite @ http://claros.org/
;)
Their stuff runs on Java with Tomcat, but is reasonably good. The mobile client is decent (Claros Mini). If you dig Tomcat, that is
Technology tips and tricks.
Um pac, kawac, schmecks. Martin, if you're out there, this is the third time you've heard this message. It is a cry for help. I know you're mentally ill, but you can see the situation more clearly than me. I cheated on my girlfriend with a cock-sucking slut. Help me. Love, Liz.
Boy, I sure am glad that at my company, they force us to use Outlook Web Access to access our e-mail from home.
Oh wait...
Does anyone else know of this happening for other packages / tarballs?
I'm surprised this doesn't happen more often.
AC.
Because admitting you are wrong just can't go without insults :-)
Maybe we should submit a domain-specific addendum to RFC 1149 for Internet Protocol over Anonymous Cowards... could be simply an addendum to Avian Carriers as "feet on the ground" hardly applies most of the time... or maybe to RFC 2249 with "QoS" pertaining to "moderated into hell" ;-)
Wouldn't it be pretty simple for whoever compiled the release to have a known good MD5 and periodically check that what people are downloading is good? A script that runs daily from somewhere else (even on your home PC) like this maybe:
Download package
Check for matching hash
If hash doesn't match, send notification email/SMS/whatever
Even if the site is compromised and the hacker (cracker!) changes the .md5 file you'd still find out pretty quick if something was amiss. Someone commented that this has been a problem since November, couldn't they have known sooner with very little effort?
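The monitor sketched in the post above, together with the earlier question about what stops the attacker from rewriting the .md5 file on the same server and the remark that a checksum gives integrity but not authenticity, comes down to where the reference value lives. The script below is an added example (not the SquirrelMail team's code or any script from the page) that plays the three situations through with constructed data: a stand-in download server, a fake tarball, and an "attacker edit". The one real-world assumption is that the maintainer recorded the hash at build time somewhere the web server cannot write (a signed mail, a repository commit, a file on the home PC the post mentions); that pinned value stands in here for the trust anchor a GPG signature would give. Because one comment on the page compares a 40-hex-character value against md5sum output, the helper also picks the algorithm from the length of the published checksum rather than trusting the label it was posted under.

```python
"""Added example (not SquirrelMail's code): an out-of-band release monitor.

Checks a downloaded release against a hash pinned by the maintainer at build
time, and contrasts that with checking against a .md5 file that lives on the
same server as the tarball.  Server, tarball and attacker edit are all
constructed for the example; `fetch` and `notify` are hypothetical hooks where
a real script would download and send an alert.
"""
import hashlib
import hmac
from typing import Optional

# A published checksum's length tells you what it is, whatever the page calls it:
# 32 hex chars is MD5, 40 is SHA-1, 64 is SHA-256.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def digest_for(published_hex: str, data: bytes) -> str:
    """Hash `data` with the algorithm implied by the published checksum's length."""
    algo = _ALGO_BY_HEXLEN.get(len(published_hex))
    if algo is None:
        raise ValueError("unrecognised checksum length %d" % len(published_hex))
    return hashlib.new(algo, data).hexdigest()


def matches(published_hex: str, data: bytes) -> bool:
    """Constant-time comparison of the published checksum with the data's digest."""
    return hmac.compare_digest(digest_for(published_hex, data), published_hex.lower())


class ReleaseServer:
    """Stand-in for the download site: serves the tarball and its .md5 file."""

    def __init__(self, tarball: bytes):
        self.tarball = tarball
        self.md5_file = hashlib.md5(tarball).hexdigest()

    def attacker_replaces_tarball(self, new_tarball: bytes, fix_md5_file: bool) -> None:
        """Simulate the compromise; `fix_md5_file` is the attacker remembering to
        update the checksum posted next to the download."""
        self.tarball = new_tarball
        if fix_md5_file:
            self.md5_file = hashlib.md5(new_tarball).hexdigest()


def same_server_check(server: ReleaseServer) -> bool:
    """What a downloader does: compare the tarball with the .md5 beside it."""
    return matches(server.md5_file, server.tarball)


def out_of_band_check(server: ReleaseServer, pinned_hex: str) -> bool:
    """What the monitor does: compare with a value the server cannot change."""
    return matches(pinned_hex, server.tarball)


def monitor(server: ReleaseServer, pinned_hex: str) -> Optional[str]:
    """Daily job from the post: fetch, compare, return an alert text or None.
    (A real script would download with fetch() and send with notify().)"""
    if out_of_band_check(server, pinned_hex):
        return None
    return "ALERT: release digest %s does not match pinned %s" % (
        digest_for(pinned_hex, server.tarball)[:12], pinned_hex[:12])


def run_scenarios() -> dict:
    """Three situations: clean, tampered + stale .md5, tampered + rewritten .md5."""
    original = b"squirrelmail-1.4.12.tar.gz: constructed archive bytes for the example\n"
    tampered = original.replace(b"constructed", b"trojaned")
    pinned = hashlib.sha256(original).hexdigest()   # recorded by the maintainer at build time

    results = {}
    srv = ReleaseServer(original)
    results["clean"] = (same_server_check(srv), out_of_band_check(srv, pinned))
    srv.attacker_replaces_tarball(tampered, fix_md5_file=False)
    results["tampered, .md5 untouched"] = (same_server_check(srv), out_of_band_check(srv, pinned))
    srv.attacker_replaces_tarball(tampered, fix_md5_file=True)
    results["tampered, .md5 rewritten"] = (same_server_check(srv), out_of_band_check(srv, pinned))
    results["monitor alert"] = monitor(srv, pinned)
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print("%-28s same-server / out-of-band = %s" % (k, v))
```

The middle row is the SquirrelMail case: the attacker left the checksum file alone, so even a same-server check caught it. The last row is the case the post on GPG signing worries about: once the attacker rewrites the .md5 as well, only the pinned value (or a signature over the archive made with a key the server never held) tells the two apart, and the monitor fires on it.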
First, there is some work being done on access to filters, either in the RoundCube client or accessing filters on the server, such as Sieve. Read the Dev list archives.
Second, RoundCube is still a young product. It also has very few core developers, so if you can, help out.
Third, much developer time is being spent on migrating to PHP 5.
Fourth, the developers know a plug-in API is needed, but that is low on the priority list. If plug-ins are important to you, patches would likely be welcome against the vnext branch.
It tells you which files were altered since the previous version. A curious developer can then audit the new files. It is still a manual process, and really it wouldn't be any different than just doing a diff, except you might not want to keep the source code around for old versions to diff.
“Common sense is not so common.” — Voltaire