Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>: Bug#33099; Package pine396-src.
Acknowledgement sent to "Edward John M. Brocklesby" <ejb@klamath.lilithfair.org>:
New bug report received and forwarded. Copy sent to Santiago Vila <sanvila@ctv.es>.
From: "Edward John M. Brocklesby" <ejb@klamath.lilithfair.org>
To: submit@bugs.debian.org
Subject: PINE allows remote users to execute commands as the user running PINE, by sending an email
Date: Mon, 8 Feb 1999 20:12:25 +0000
Package: pine396-src
Version: 2
Severity: critical
PINE does not handle the ` character correctly.
Take a look at this email:
************************** MIME MESSAGE FOLLOWS **************************
From: Attacker <attacker@eleet.net>
To: Victim <victim@somewhere.net>
Subject: Happy birthday
...
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"
--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset='US-ASCII'
Make a wish...
--8323328-235065145-918425607=:319
Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
Content-Transfer-Encoding: BASE64
Content-Description: wish
Content-Disposition: attachment; filename="wish.c"
...it could be your last.
*************************** MIME MESSAGE ENDS ***************************
When pine sees this, it expands:
text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
'[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput
to this:
[...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr
'[A-Z]' '[a-z]'`" = iso-8859-1)
This allows any command to be executed. The following patch works against PINE
4.10, it may require modification to compile against slink's version:
--- pine4.10.orig/pine/mailcap.c Wed Nov 18 13:00:15 1998
+++ pine4.10/pine/mailcap.c Mon Feb 8 09:17:46 1999
@@ -905,14 +905,18 @@
* have to put those outside of the single quotes.
* (The parm+1000 nonsense is to protect against
* malicious mail trying to overlow our buffer.)
+ *
+ * TCH - Change 2/8/1999
+ * Also quote the ` slash to prevent execution
+of arbirtrary code
*/
for(p = parm; *p && p < parm+1000; p++){
- if(*p == '\''){
+ if((*p == '\'')||(*p=='`')){
*to++ = '\''; /* closing quote */
*to++ = '\\';
- *to++ = '\''; /* below will be opening quote */
- }
- *to++ = *p;
+ *to++ = *p; /* quoted character */
+ *to++ = '\''; /* opening quote */
+ } else
+ *to++ = *p;
}
fs_give((void **) &parm);
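Review bot: escaping only `'` and `` ` `` in this loop is a denylist tailored to one quoting context: the value ends up single-quoted inside the rule's double-quoted backtick substitution, where a single quote does not stop a backtick from terminating the substitution but a backslash does, so `'\`'` happens to work for the `test=` clause in the report. A mailcap rule that substitutes %{charset} in any other quoting context, or hands it to something other than sh, gets behaviour this hunk does not address, which is why the thread later concludes that rejecting metacharacters is the only safe approach. The added comment is also malformed: `+of arbirtrary code` lacks the ` * ` prefix and misspells "arbitrary", and "quote the ` slash" should read something like "also escape the backquote character". Lastly, each escaped character now emits four bytes (`'\x'`), so the 1000-character input bound yields up to about 4000 bytes of output; confirm that still fits in the buffer `to` writes into (presumably tmp_20k_buf, returned below) once MC_ADD_TMP is appended.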
@@ -954,7 +958,7 @@
*/
if(!used_tmp_file && tmp_file)
sprintf(to, MC_ADD_TMP, tmp_file);
-
+
return(cpystr(tmp_20k_buf));
}
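Review bot: this hunk is a whitespace-only change (a blank line removed and re-added, presumably with its trailing whitespace altered) and has nothing to do with the fix; drop it so the security patch contains only the quoting change and applies cleanly, which is exactly the problem reported further down in this thread.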
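The quoting the report describes, as an added example written for this page (it is not pine's code and not part of the bug report): a stand-alone C model of the loop patched above, with a pre-patch mode (only `'` escaped) and a patched mode (`'` and `` ` `` escaped), applied to the charset value from the report and dropped into the mailcap `test=` clause the report quotes. The names quote_param, build_test_command and unescaped_backticks, the PARM_MAX and CMD_MAX sizes and the split of the rule into RULE_PREFIX/RULE_SUFFIX are assumptions; the charset string is the constructed attacker value from the report.

```c
/*
 * Added example, not code from pine or from the Debian bug: a stand-alone
 * model of the quoting loop in pine/mailcap.c that wraps a MIME parameter
 * value in single quotes before substituting it for %{charset} in the
 * mailcap rule quoted in the report.  Function names, PARM_MAX, CMD_MAX and
 * the RULE_* split are assumptions; RULE_* is the "test=" clause from the report.
 */
#include <stdio.h>
#include <string.h>

#define PARM_MAX 1000                 /* mirrors pine's "parm+1000" bound    */
#define CMD_MAX  (4 * PARM_MAX + 128) /* worst case: every char becomes '\x' */

static const char RULE_PREFIX[] = "test \"`echo ";
static const char RULE_SUFFIX[] = " | tr '[A-Z]' '[a-z]'`\" = iso-8859-1";

/*
 * Single-quote a parameter value the way mailcap.c does.
 * escape_backtick == 0 : pre-patch behaviour, only ' becomes '\''.
 * escape_backtick != 0 : patched behaviour, ` is handled the same way ('\`').
 * Returns the length written, or 0 if the result would not fit in out[outsz].
 */
static size_t quote_param(const char *parm, int escape_backtick, char *out, size_t outsz)
{
    const char *p;
    char *to = out;

    if (outsz < 3)
        return 0;
    *to++ = '\'';
    for (p = parm; *p && p < parm + PARM_MAX; p++) {
        if ((size_t)(to - out) + 6 > outsz)   /* room for '\x', closing quote, NUL */
            return 0;
        if (*p == '\'' || (escape_backtick && *p == '`')) {
            *to++ = '\'';   /* close the single-quoted string           */
            *to++ = '\\';
            *to++ = *p;     /* the metacharacter, now backslash-escaped */
            *to++ = '\'';   /* reopen single quotes                     */
        } else {
            *to++ = *p;
        }
    }
    *to++ = '\'';
    *to = '\0';
    return (size_t)(to - out);
}

/* Build the complete command line that sh -c would receive for a charset value. */
static int build_test_command(const char *charset, int patched, char *cmd, size_t cmdsz)
{
    char quoted[CMD_MAX];

    if (quote_param(charset, patched, quoted, sizeof quoted) == 0)
        return -1;
    if ((size_t)snprintf(cmd, cmdsz, "%s%s%s", RULE_PREFIX, quoted, RULE_SUFFIX) >= cmdsz)
        return -1;
    return 0;
}

/*
 * Count backticks sh would treat as substitution delimiters.  Inside the
 * rule's "`...`" a single quote does NOT protect a backtick; only a backslash
 * does, so every unescaped attacker backtick ends the rule's own substitution.
 */
static int unescaped_backticks(const char *cmd)
{
    int n = 0;
    for (const char *c = cmd; *c; c++) {
        if (*c == '\\' && c[1]) { c++; continue; }   /* skip the escaped character */
        if (*c == '`') n++;
    }
    return n;
}

int main(void)
{
    const char charset[] = "``touch${IFS}ME``";   /* constructed: the value from the report */
    char cmd[CMD_MAX];

    if (build_test_command(charset, 0, cmd, sizeof cmd) == 0)
        printf("pre-patch: %s\n  unescaped backticks: %d\n", cmd, unescaped_backticks(cmd));
    if (build_test_command(charset, 1, cmd, sizeof cmd) == 0)
        printf("patched:   %s\n  unescaped backticks: %d\n", cmd, unescaped_backticks(cmd));
    return 0;
}
```

Pre-patch the four attacker backticks reach sh unescaped next to the rule's own two, so the first of them closes the rule's substitution and `` `touch${IFS}ME` `` is parsed as a fresh command substitution; the pre-patch string is the execve argument quoted in the report. After the patch only the rule's own pair is unescaped and the attacker's text stays inside single quotes at every nesting level.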
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>: Bug#33099; Package pine396-src.
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>.
To: "Edward John M. Brocklesby" <ejb@klamath.demon.co.uk>,
33099@bugs.debian.org
Subject: Re: Bug#33099: PINE allows remote users to execute commands as the user running PINE, by sending an email
Date: Mon, 8 Feb 1999 21:51:50 +0100 (CET)
On Mon, 8 Feb 1999, Edward John M. Brocklesby wrote:
> Package: pine396-src
> Version: 2
> Severity: critical
>
> PINE does not handle the ` character correctly.
>
> Take a look at this email:
>
> ************************** MIME MESSAGE FOLLOWS **************************
> From: Attacker <attacker@eleet.net>
> To: Victim <victim@somewhere.net>
> Subject: Happy birthday
> ...
> MIME-Version: 1.0
> Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"
>
> --8323328-235065145-918425607=:319
> Content-Type: TEXT/PLAIN; charset='US-ASCII'
>
> Make a wish...
>
> --8323328-235065145-918425607=:319
> Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
> Content-Transfer-Encoding: BASE64
> Content-Description: wish
> Content-Disposition: attachment; filename="wish.c"
>
> ...it could be your last.
> *************************** MIME MESSAGE ENDS ***************************
>
>
> When pine sees this, it expands:
>
> text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
> '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput
>
> to this:
>
> [...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr
> '[A-Z]' '[a-z]'`" = iso-8859-1)
>
> This allows any command to be executed. The following patch works against PINE
> 4.10, it may require modification to compile against slink's version:
>
> --- pine4.10.orig/pine/mailcap.c Wed Nov 18 13:00:15 1998
> +++ pine4.10/pine/mailcap.c Mon Feb 8 09:17:46 1999
> [...]
Thanks a lot, I will apply it soon.
--
"420ad41180ba72362e14b786998990f2" (a truly random sig)
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>: Bug#33099; Package pine396-src.
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>.
To: "Edward John M. Brocklesby" <ejb@klamath.demon.co.uk>,
33099@bugs.debian.org
Subject: Re: Bug#33099: PINE allows remote users to execute commands as the user running PINE, by sending an email
Date: Tue, 9 Feb 1999 14:53:19 +0100 (CET)
On Mon, 8 Feb 1999, Edward John M. Brocklesby wrote:
> Package: pine396-src
> Version: 2
> Severity: critical
>
> PINE does not handle the ` character correctly.
>
> [...]
>
> This allows any command to be executed. The following patch works against PINE
> 4.10, it may require modification to compile against slink's version:
Your patch does not apply cleanly.
Do you mean something like this?
--- pine4.10/pine/mailcap.c Tue Feb 9 00:42:12 1999
+++ pine-4.10/pine/mailcap.c Tue Feb 9 00:42:19 1999
@@ -907,12 +907,13 @@
* malicious mail trying to overlow our buffer.)
*/
for(p = parm; *p && p < parm+1000; p++){
- if(*p == '\''){
+ if((*p == '\'') || (*p == '`')){
*to++ = '\''; /* closing quote */
*to++ = '\\';
- *to++ = '\''; /* below will be opening quote */
- }
- *to++ = *p;
+ *to++ = *p; /* quoted character */
+ *to++ = '\''; /* opening quote */
+ } else
+ *to++ = *p;
}
fs_give((void **) &parm);
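Review bot: the new condition `(*p == '\'') || (*p == '`')` is not explained anywhere; the comment block just above this hunk still only says that single quotes have to be put outside the quoted string, so add a line there stating why a backquote needs the same treatment (inside the rule's "`...`" a single quote does not stop a backquote from terminating the command substitution; only a backslash does). The `} else` followed by an unbraced statement is also inconsistent with the braced if-branch; brace both for readability. The logic itself is the same as the patch it cleans up and shares its limitation: it escapes two characters for one quoting context rather than rejecting anything that is not a plain charset token.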
--
"36addfb23d8e2cbabed61cc7f79702b3" (a truly random sig)
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>: Bug#33099; Package pine396-src.
Acknowledgement sent to "Edward John M. Brocklesby" <ejb@klamath.demon.co.uk>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>.
sanvila@unex.es wrote on Tue, Feb 09, 1999 at 02:53:19PM +0100:
> On Mon, 8 Feb 1999, Edward John M. Brocklesby wrote:
>
> > Package: pine396-src
> > Version: 2
> > Severity: critical
> >
> > PINE does not handle the ` character correctly.
> >
> > [...]
> >
> > This allows any command to be executed. The following patch works against PINE
> > 4.10, it may require modification to compile against slink's version:
>
> Your patch does not apply cleanly.
>
> Do you mean something like this?
>
> --- pine4.10/pine/mailcap.c Tue Feb 9 00:42:12 1999
> +++ pine-4.10/pine/mailcap.c Tue Feb 9 00:42:19 1999
[snip]
I didn't create the patch - it was posted to bugtraq shortly after the
description of the problem. If the patch you have applies more cleanly, and
fixes the problem, then that's good.
> --
> "36addfb23d8e2cbabed61cc7f79702b3" (a truly random sig)
Thanks, Edward.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>: Bug#33099; Package pine396-src.
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>.
To: "Edward John M. Brocklesby" <ejb@klamath.demon.co.uk>,
33099@bugs.debian.org
Subject: Re: Bug#33099: PINE allows remote users to execute commands as the user running PINE, by sending an email
Date: Thu, 11 Feb 1999 14:20:13 +0100 (CET)
On Mon, 8 Feb 1999, Edward John M. Brocklesby wrote:
> Package: pine396-src
> Version: 2
> Severity: critical
>
> PINE does not handle the ` character correctly.
>
> Take a look at this email:
>
> ************************** MIME MESSAGE FOLLOWS **************************
> From: Attacker <attacker@eleet.net>
> To: Victim <victim@somewhere.net>
> Subject: Happy birthday
> ...
> MIME-Version: 1.0
> Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"
>
> --8323328-235065145-918425607=:319
> Content-Type: TEXT/PLAIN; charset='US-ASCII'
>
> Make a wish...
>
> --8323328-235065145-918425607=:319
> Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
> Content-Transfer-Encoding: BASE64
> Content-Description: wish
> Content-Disposition: attachment; filename="wish.c"
>
> ...it could be your last.
> *************************** MIME MESSAGE ENDS ***************************
>
>
> When pine sees this, it expands:
>
> text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
> '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput
I can't reproduce this.
The pine team has clarified that this depends on the /etc/mailcap file.
Are you able to reproduce the problem in a Debian system, where Debian
pine is supposed to run?
Thanks.
--
"e8fb7ff228ed70cf4e671f94e8f11d50" (a truly random sig)
Severity set to `normal'.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
Bug reassigned from package `pine396-src' to `general'.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
Merged 33099 33210.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
Bug reassigned from package `general' to `mime-support'.
Request was from Brock Rozen <brozen@torah.org>
to control@bugs.debian.org.
Bug reassigned from package `mime-support' to `metamail'.
Request was from Brian White <bcwhite@pobox.com>
to control@bugs.debian.org.
Acknowledgement sent to Brian White <bcwhite@pobox.com>:
Extra info received and filed, but not forwarded.
To: e9625136@stud3.tuwien.ac.at, 33099-quiet@bugs.debian.org
Subject: Re: metamail bug in /usr/lib/mime/packages/metamail ?
Date: Sat, 31 Mar 2001 09:31:16 -0500
> Sorry for not being specific enough; I hope that the other email
> I sent is a bit more specific though.
Yes, thank you.
> And perhaps I should apologise for being a bit out of order when
> writing the other 2 mails, but I was simply upset that someone
> assigned a bug without properly specifying anything.
I understand.
> The most interesting words I found attached to the bugs in
> question was a phrase of yours:
>
> "presumably "metamail" judging by the discussion".
>
> Well your reassign message doesn't specify anything. The only
> thing I see is that you didn't verify if the bug is really in
> place or not.
The last bit of information before the bug being assigned to mime-support
was:
-----
> When pine sees this, it expands:
>
> text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
> '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput
I can't reproduce this.
The pine team has clarified that this depends on the /etc/mailcap file.
Are you able to reproduce the problem in a Debian system, where Debian
pine is supposed to run?
-----
A quick search shows that the "shownonascii" program that this rule makes
use of is in the metamail package.
dragon:~/tmp> zgrep shownonascii Contents-i386.gz
usr/bin/shownonascii mail/metamail
usr/share/man/man1/shownonascii.1.gz mail/metamail
Thus, presumably, the rule was added by that package, too.
Reading the bug information reminds me of a similar discussion I just had.
There is no perfect solution for security concerns such as this. There
is, in fact, no guaranteed-safe way to include any kind of shell meta
characters in a string. The only safe thing to do is to have the mime
agent make sure that such characters do not exist in whatever text it
substitutes in to the rule.
Despite what some people would prefer, no combination of single quotes,
double quotes, and backslash-escapes, either in the rule or added by
the agent, will avoid every security hole and still conform to the RFC.
Brian
( bcwhite@pobox.com )
-------------------------------------------------------------------------------
No man dies except he who has not lived.
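The approach the message above argues for, having the mime agent make sure shell metacharacters never appear in the substituted text rather than trying to quote them, as an added example written for this page (it is neither metamail's nor pine's code): two validators and a substitution routine that refuses values not on an allowlist. is_mime_token follows the RFC 2045 token grammar; is_safe_shell_word is deliberately stricter than the RFC, and its allowlist, the function names and the rule handling in substitute_charset are assumptions. The charset value from the report is used as constructed input.

```c
/*
 * Added example, not code from metamail, pine or this bug report: validate a
 * MIME parameter value before it is substituted into a mailcap rule, instead
 * of escaping it.  Function names, the allowlist in is_safe_shell_word and
 * the %{charset} handling are assumptions; TSPECIALS is from RFC 2045.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* RFC 2045 tspecials; a token is one or more CHARs that are not SPACE, CTL or tspecial. */
static const char TSPECIALS[] = "()<>@,;:\\\"/[]?=";

/* Is s a syntactically valid RFC 2045 token?  (This is what the RFC permits.) */
static int is_mime_token(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c <= 0x20 || c >= 0x7f || strchr(TSPECIALS, c))
            return 0;
    }
    return 1;
}

/*
 * Stricter than the RFC (assumed allowlist): only characters that sh never
 * interprets, which still covers real charset names such as US-ASCII,
 * iso-8859-1 or utf-8.
 */
static int is_safe_shell_word(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == ':' || c == '+'))
            return 0;
    }
    return 1;
}

/*
 * Substitute VALUE for the first %{charset} in RULE, or return -1 if VALUE is
 * not a safe word (or RULE has no %{charset}).  No quoting is attempted:
 * a rejected value never reaches sh, so there is nothing left to quote.
 */
static int substitute_charset(const char *rule, const char *value, char *out, size_t outsz)
{
    static const char HOLE[] = "%{charset}";
    const char *hole = strstr(rule, HOLE);
    int n;

    if (!hole || !is_safe_shell_word(value))
        return -1;
    n = snprintf(out, outsz, "%.*s%s%s", (int)(hole - rule), rule, value, hole + strlen(HOLE));
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* constructed inputs: the attacker value from the report and two ordinary charsets */
    const char *values[] = { "``touch${IFS}ME``", "US-ASCII", "iso-8859-1" };
    const char rule[] = "test \"`echo %{charset} | tr '[A-Z]' '[a-z]'`\" = iso-8859-1";
    char out[256];

    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        printf("%-20s rfc2045-token=%d safe-word=%d -> ", values[i],
               is_mime_token(values[i]), is_safe_shell_word(values[i]));
        if (substitute_charset(rule, values[i], out, sizeof out) == 0)
            printf("%s\n", out);
        else
            printf("rejected\n");
    }
    return 0;
}
```

The result worth noticing is that the report's charset passes the RFC 2045 token check: backquote, `$`, `{` and `}` are all legal token characters, so an agent that accepts every RFC-conformant value cannot be made safe by quoting alone, which is the point the message makes. The stricter allowlist rejects it and the substitution never reaches sh, while genuine charset names still go through.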
Reply sent to e9625136@stud3.tuwien.ac.at:
You have taken responsibility.
Notification sent to "Edward John M. Brocklesby" <ejb@klamath.lilithfair.org>:
Bug acknowledged by developer.
Looking at the history of the bug I judge that there is no need to
keep it open further since there is no *real* solution and the
problem is clearly not related to metamail since the specified
escape sequence is not used by it.
--
kind regards,
Michael Moerz
pub 1024D/B651C436 2000-09-17 Michael Moerz <e9625136@stud3.tuwien.ac.at>
Key fingerprint = 55DB 2F1A BF45 DBAB F542 4128 2173 8753 B651 C436
http://idc19.itm.tuwien.ac.at/~mike/private/mike.public.gpg.key