Bugtraq mailing list archives
Re: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041)
From: Sebastian Krahmer <krahmer () suse de>
Date: Mon, 11 Nov 2002 11:45:13 +0100 (CET)
On Fri, 8 Nov 2002, Florian Weimer wrote:

Hi,

> Sebastian Krahmer <krahmer () suse de> writes:
>
> > The SuSE Security Team reviewed critical Perl modules, including the
> > Mail::Mailer package. This package contains a security hole which allows
> > remote attackers to execute arbitrary commands in certain circumstances.
> > This is due to the usage of mailx as default mailer which allows commands
> > to be embedded in the mail body.
>
> The well-known case of command execution through mail bodies processed
> by mailx (~! SHELL-COMMAND) only affects certain mailx versions. Some
> vendors (including SuSE and Red Hat) base their packages on mailx-8.1.1
> (probably a snapshot from the OpenBSD CVS from summer 1997 or something
> like this), which behaves as documented in the manpage (no escape
> character processing unless stdin is a terminal), and are not affected.

This is only true when the -I switch is not given. Unfortunately, Mail::Mailer adds -I to the command line, so it does not need fd 0 to be a tty.

> The following change in OpenBSD (re)introduced the problem:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.19&r2=1.20&f=u
>
> And this change corrects it again:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
>
> Only very few vendors based their package on one of the versions between
> 1.20 and 1.23 (inclusive). Debian once used one of the affected versions,
> but Debian GNU/Linux 3.0 (woody) includes the 1.24 version and is safe.
>
> However, it's still a good idea to ditch /bin/mail, as provided by mailx:
>
> $ mail "| echo nice feature@localhost" < /dev/null
> No message, no subject; hope that's ok
> nice feature...@localhost
> $

Yes, this has been the second reason. I can point you to the full analysis of the problems and exploit-mails which may trigger arbitrary code execution if you want.

BTW, the maintainer of Mail::Mailer told me that using Mail::Mailer is deprecated anyways, one should rather use Mail::Box and its friends, where the recent mailx problem could also hit you and has been fixed too. The manpage will point out clearly that 'mail' is not the right type to send mail.

regards,
Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~
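
An added example (not part of the original post, and not code from Mail::Mailer or SuSE): a Perl pre-flight check for a caller that still hands untrusted recipients or bodies to a mailx-style mailer, covering the two cases named in the thread, the "|" recipient and body lines starting with the "~" escape character. The function names are hypothetical, the sample inputs are constructed, and prefixing a space is one assumed way to neutralize an escape line.

```perl
#!/usr/bin/perl
# Added example: pre-flight checks for text handed to a mailx-style mailer.
# Function names are hypothetical; sample inputs are constructed.
use strict;
use warnings;

# Accept only a conservative user@host form. This rejects the
# "| command" recipient shown in the thread, and anything starting
# with "-" that the mailer could parse as an option.
sub recipient_is_safe {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9][A-Za-z0-9.-]*\z/ ? 1 : 0;
}

# Return the 1-based numbers of body lines that begin with "~", the
# default mailx escape character (the "~! SHELL-COMMAND" case).
sub tilde_lines {
    my ($body) = @_;
    my @lines = split /\n/, $body, -1;
    return grep { $lines[$_ - 1] =~ /\A~/ } 1 .. @lines;
}

# Neutralize escape lines by prefixing one space, so the line no longer
# starts with "~" whether or not the mailer processes escapes.
sub neutralize_body {
    my ($body) = @_;
    (my $clean = $body) =~ s/^~/ ~/mg;
    return $clean;
}

# Constructed sample input.
my @rcpts = ('user@example.org', '| echo nice feature@localhost', '-f@example.org');
my $body  = "Hello,\n~! SHELL-COMMAND\nsee ~/notes.txt\n~~ literal tilde";

for my $r (@rcpts) {
    printf "%-32s %s\n", "'$r'", recipient_is_safe($r) ? 'accept' : 'reject';
}
print 'escape lines: ', join(',', tilde_lines($body)), "\n";
my @left = tilde_lines(neutralize_body($body));
print 'escape lines after neutralize: ', scalar(@left), "\n";
```

These checks only reduce exposure for code that cannot yet move off the 'mail' type; the thread's own advice is to not use /bin/mail as the transport.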