SquirrelMail Repository Poisoned
SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."
This was the first sign of trouble: http://i23.tinypic.com/2ezqkht.jpg
...of the breach: "Aw Nuts!"
Horde FTW!
...I've never made sure to always check my MD5 signatures, but I damn sure am now.
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
Whoever decided that sending mail by using squirrels as couriers through these series of tubes is just damn wrong. Even worse, who are these sick bastards poisoning squirrels?
If this were to happen to a proprietary application you wouldn't get an honest answer from the vendor. The bigger the vendor the worse the response.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
If the vulnerability was introduced through a compromised account, is there any assurance that that account is no longer compromised? I see no mention of that.
MD5 was on the same server. What prevented the attacker from changing that as well?
If you read the article, or even the summary, it was someone checking the MD5 that discovered the poisoning. So... I'd say it certainly helped.
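An added example, not code from the thread or from the SquirrelMail project, of the check the two posts above argue about: it computes the package digests and compares them against checksums taken from more than one place, so a checksum file rewritten on the same server as the package shows up as a disagreement between sources. The package bytes and checksum values are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample data (not a real SquirrelMail package): the bytes a
# downloader would fetch, and a copy altered the way a poisoned package would be.
GOOD_PACKAGE = b"example-webmail-1.4.12.tar.gz: placeholder contents\n"
POISONED_PACKAGE = GOOD_PACKAGE.replace(b"placeholder", b"p1aceholder")


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests of a package blob (MD5 is what the project
    published at the time; SHA-256 is included as the stronger check)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_package(data: bytes, sources: list) -> dict:
    """Check `data` against checksums obtained from independent places.

    `sources` is a list of {algo: hexdigest} dicts, e.g. one scraped from the
    download page and one taken from the release announcement e-mail. The
    report flags two failure modes the thread discusses: the computed digest
    not matching, and the sources disagreeing with each other (which is what
    you see when an attacker rewrote the checksum file on the same server).
    """
    computed = digests(data)
    report = {"sources_agree": True, "matches": {}}
    for algo, value in computed.items():
        published = {s[algo].lower() for s in sources if algo in s}
        if not published:
            continue  # nobody published this algorithm; nothing to compare
        if len(published) > 1:
            report["sources_agree"] = False
        report["matches"][algo] = all(hmac.compare_digest(value, p) for p in published)
    report["ok"] = (report["sources_agree"] and bool(report["matches"])
                    and all(report["matches"].values()))
    return report


def same_server_scenario() -> tuple:
    """The case raised in the thread: package and checksum file both replaced on
    the download server. A site-only check passes; cross-checking against an
    independently obtained checksum catches it."""
    site = digests(POISONED_PACKAGE)        # attacker rewrote this too
    announcement = digests(GOOD_PACKAGE)    # copy archived elsewhere
    return (verify_package(POISONED_PACKAGE, [site]),
            verify_package(POISONED_PACKAGE, [site, announcement]))
```

The second report from `same_server_scenario()` is the one a site-only MD5 check never produces: the package matches the site's checksum, but the sources disagree.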
Good catch, but it makes me wonder how the SC/CM is managed today? Open or closed source is vulnerable to developer access. I can understand that open source projects don't always have the resources to run full SC/CM systems, but I don't see full control even in some closed source environments I know. It is not difficult, but it needs some planning and computer resources, not human resources! Almost the only places I have seen that kind of system control are some insurance, banking (less often) and governments (often a mess). It is not just security; mistakes happen, and in the long run it always pays back. Try to tell that to management (heh!). Maybe I'm biased, but after a couple of mishaps a long time ago we implemented a SC/CM system to protect against unverified and/or untested systems going to production, and several other companies started using similar methods after us. It really can be automated with some planning. At first everybody hates it, and 6 months later they love the benefits. As I said, everybody makes mistakes, and one-command recovery is very nice when that happens before anything goes wrong.
I love it; it is very nice on the eyes compared to SquirrelMail. I do not use it regularly, but I trust it for whenever it is needed.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Yes. The article is vague, and the title on /. is worse - it implies the source repository. It seems people have been easily misled as a result. Always read the actual article, not a 2nd or 3rd hand summary.
From there:
"The code modifications did not make it into our source control, just the final package. We are currently investigating older packages to see if they were also compromised."
Anyone been using it for a while without any problems?
I use it on my site and install it for customers. You won't build a "hotmail" with it, and a rich user client like Thunderbird is almost always a better choice for users, but for those who need web access to their email, it is absolutely great.
I, for one, refuse to trust my mail to any creature that can be this devious.
Actually, when 1.4.11 and 1.4.12 were released, they were uncompromised. Sometime after, one of the developers' accounts was hacked and the compromised versions were uploaded.
So, if someone (like your techies) had installed 1.4.12 within a few days of its release, chances are they would have gotten an uncompromised version. I had installed 1.4.12 a couple of hours after release, and after the compromise was found I checked and found mine was an authentic release.
For anyone that doesn't get the 'andweeeeeee' tag may I refer you to http://www.threebrain.com/weeeeee.shtml/.
I recently wrote a paper arguing that open source is more secure than closed source because finding and fixing flaws is easier in open source. I'm not sure if this incident supports or refutes that argument. In one post at SquirrelMail's blog, they say that 1.4.12 is compromised. In the next post, they say that 1.4.11 (released Sept 29) and 1.4.12 (released Dec 5) are compromised. If the time between the first compromised release and the fix is 9 days, nice job. If the time between the first compromised release and the fix is 2.5 months, I'm not too impressed. Regardless, it looks like the time between discovery of the flaw and the patch is only 1 day, which is pretty outstanding. Why did it take so long to find an MD5 error when the MD5 hashes and downloads are posted right next to each other for several months? Did no one check them for that long? Is this the developers' responsibility, or the responsibility of the implementing community? What measures can be taken to prevent this kind of oversight from happening again? I'm not so worried about the compromise itself - projects will get hacked. But there are safeguards to prevent this exact hack from being too effective, and those safeguards didn't work. Why not?
One thing that wasn't covered in the story...
Yesterday morning it was discovered that the 1.5.1 (development) release had been compromised as well. It hadn't been discovered until then, as the hacker had modified a different file in a slightly different way. If you're running a version of 1.5.1 that was downloaded after some time in late November, then it would be a good idea to remove it or replace it with an SVN release (which was not compromised).
There's no official announcement yet, but 1.5.1 has been pulled from distribution and an official announcement will probably be forthcoming.
Hope this helps...
Why is this modded as a troll?
Roundcube has great potential, but it isn't nearly as mature as SM. It does seem to be getting better though. The big problem I have with Roundcube is it doesn't have plugins. No plugins = no Sieve filters (avelsieve), which is a big deal to me. No plugins = no other cool things that Squirrelmail has like importing and exporting address books from all kinds of crazy places, no admin plugins, etc...
Someday though. It has always looked and functioned way nicer than squirrelmail, it just needs more backend sysadmin goodness.
I've been using it for some weeks now... small user base though, about 25 people. It runs fine after I did some small fixes on the identity management and auto user creation features, which had minor bugs in the release I got. But overall it's a great piece of software.
Cosplayers.net - The Cosplayers Network
Slashdot tags are now officially funnier than the posts themselves.
What?
With a Hollywood movie hacker, you mean. It is theoretically possible for this to be done, but researchers have not accomplished it yet. Just last month someone came close, but it required altering the original program to match the new MD5 collision value: Software Integrity Checksum Vulnerability
But I'm sure it would be no problem for your über-hacker or for Chuck Norris.
Those are my principles. If you don't like them I have others. -Groucho Marx
Seriously, the state of webmail is pretty sad. Are there any promising projects for a MODERN webmail system out there? (Not a full collab package, or a heavy HEAVY ajax system)
OSS or closed source, it doesn't matter to me, just anything that is good. Squirrelmail is what I use right now, and well, it's ugly and it doesn't seem like they ever plan on making it look like a modern webmail client should.
The phrase "more better" is acceptable English. Suck it, grammar Nazis.
developer that somehow allows some crackers into the system or network.. no pun intended. At my present employer, we had a developer's machine get compromised; it was sweet walking over to his machine and unplugging his network cable while he was working, along with the phrase, "we'll let you know when you can plug it back in after we wipe your machine."
I thought of RoundCube the instant I saw this article.
I've just installed Round Cube 0.1-RC2 on my webserver to get reliable access to my non-work email. Apart from the dubious 0.1 version number (way to instil confidence in the end users: call an otherwise stable first release 1.0!) it is significantly more reliable than beta1 and even more crisply polished than before.
SquirrelMail and Horde are mature, yes, but they seem to bloat. I just want a lightweight, well-designed web access system so I don't have to use mail2web.com. Keep up the good work RoundCube!
( Redundancy is ) ^ n