Bugtraq mailing list archives

Re: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041)


From: Sebastian Krahmer <krahmer () suse de>
Date: Mon, 11 Nov 2002 11:45:13 +0100 (CET)

On Fri, 8 Nov 2002, Florian Weimer wrote:

Hi,

Sebastian Krahmer <krahmer () suse de> writes:

    The SuSE Security Team reviewed critical Perl modules, including
    the Mail::Mailer package. This package contains a security hole
    which allows remote attackers to execute arbitrary commands in
    certain circumstances.  This is due to the usage of mailx as
    default mailer which allows commands to be embedded in the mail
    body.

The well-known case of command execution through mail bodies processed
by mailx (~! SHELL-COMMAND) only affects certain mailx versions.  Some
vendors (including SuSE and Red Hat) base their packages on
mailx-8.1.1 (probably a snapshot from the OpenBSD CVS from summer 1997
or something like this), which behaves as documented in the manpage
(no escape character processing unless stdin is a terminal), and are
not affected.

This is only true when the -I switch is not given. Unfortunately Mail::Mailer
adds -I to the commandline. So it does not need fd 0 to be a tty.


The following change in OpenBSD (re)introduced the problem:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.19&r2=1.20&f=u

And this change corrects it again:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24

Only very few vendors based their package on one of the versions
between 1.20 and 1.23 (inclusive).  Debian once used one of the
affected versions, but Debian GNU/Linux 3.0 (woody) includes the 1.24
version and is safe.

However, it's still a good idea to ditch /bin/mail, as provided by
mailx:

   $ mail "| echo nice feature@localhost" < /dev/null
   No message, no subject; hope that's ok
   nice feature...@localhost
   $

Yes, this has been the second reason. I can point you to the full
analysis of the problems and exploit-mails which may trigger arbitrary
code execution if you want.

BTW, the maintainer of Mail::Mailer told me that using Mail::Mailer
is deprecated anyways, one should rather use Mail::Box and its friends,
where the recent mailx problem could also hit you and has been fixed too.
The manpage will point out clearly that 'mail' is not the right type
to send mail.

regards,
Sebastian

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~
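
A pre-send check for the two mailx behaviours discussed in this message (escape lines in the body when -I is given, and a recipient that starts with "|"), as an added example that is not part of the original post or of Mail::Mailer. The function name `mailx_hazards`, the sample addresses and the default escape character "~" are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the reasons why a message must not be handed to a mailx-based
# mailer (Mail::Mailer type 'mail'). An empty list means nothing was found.
# Hypothetical helper written for this example.
sub mailx_hazards {
    my ($recipients, $body) = @_;
    my @found;

    for my $rcpt (@$recipients) {
        # mailx treats a recipient that starts with "|" as a command to pipe to.
        push @found, "recipient starts with '|': $rcpt"
            if $rcpt =~ /^\s*\|/;
        # Added precaution, not from the thread: a leading "-" on the
        # command line would be parsed as an option rather than an address.
        push @found, "recipient starts with '-': $rcpt"
            if $rcpt =~ /^\s*-/;
    }

    # With -I, mailx interprets lines that start with the escape character
    # (assumed here to be the default "~") even when stdin is not a terminal.
    my $n = 0;
    for my $line (split /\r?\n/, $body) {
        $n++;
        push @found, "body line $n starts with '~'" if $line =~ /^~/;
    }
    return @found;
}

# Constructed sample input, using only the patterns quoted in the thread.
my @cases = (
    { to => ['user@localhost'],                body => "Hello,\nplain text only.\n" },
    { to => ['| echo nice feature@localhost'], body => "" },
    { to => ['user@localhost'],                body => "Hello\n~! SHELL-COMMAND\n" },
);

for my $c (@cases) {
    my @h = mailx_hazards($c->{to}, $c->{body});
    print @h ? "REJECT: " . join('; ', @h) . "\n" : "ok\n";
}
```

Rejecting such input only narrows the exposure; the message's own recommendation is not to use the 'mail' type to send mail at all.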