http://www.washington.edu/pine/pine-info/1999.02/msg00045.html

=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp
It doesn't appear as if this has been extensively tested yet but...
Here's the meat of the referenced message.... do we have someone who
can make this change to Pine...

dlp
=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp=dlp

[Attachment msg00045.html, the Pine-Info archive page for the referenced message, follows.]

This is one of many messages in the archives of the public, unmoderated
Pine-Info mailing list. The mailing list, and this archive, are provided
as a public service by the University of Washington, which assumes no
responsibility for the contents or accuracy of the messages therein.

To: Pine Discussion Forum <pine-info@u.washington.edu>
Subject: Re: BUGTRAQ >> remote exploit on pine 4.10 - neverending story?
From: Dan Wing <dwing@cisco.com>
Date: Mon, 8 Feb 1999 10:32:50 -0800 (PST)
In-Reply-To: <199902081326.IAA02716@ocalhost>
Sender: PINE-INFO-owner@u.washington.edu

On Mon, 8 Feb 1999 08:26 -0500, Timothy J Luoma wrote:

I have slammed together a fix which seems to close this exploit.  Diffs
attached.

Obviously my patch needs to be tested to ensure it doesn't still allow a
similar attack.

-Dan Wing
dwing@cisco.com

> Message-ID: <Pine.LNX.4.05.9902072346030.924-100000@nimue.ids.pl>
> Date: Mon, 8 Feb 1999 00:22:17 +0100
> Reply-To: Michal Zalewski <lcamtuf@IDS.PL>
> Sender: Bugtraq List <BUGTRAQ@netspace.org>
> From: Michal Zalewski <lcamtuf@IDS.PL>
> Subject: remote exploit on pine 4.10 - neverending story?
> To: BUGTRAQ@netspace.org
>
> Affected systems:
> -----------------
>
> Any Un*x system running 'pine' up to version 4.10 (latest).
>
> Compromise:
> -----------
>
> Remote execution of arbitrary code when message is viewed.
>
> Details:
> --------
>
> About five months ago, I reported a vulnerability in the metamail package
> used with pine. I also noticed that the '`' character is incorrectly
> expanded by pine. The problem has been ignored (probably no one understood
> what I am talking about?;-). But no matter. An excerpt from /etc/mailcap:
>
> text/plain; shownonascii iso-8859-1 %s; test=test "`echo %{charset} | tr
> '[A-Z]' '[a-z]'`" = iso-8859-1; copiousoutput
>
> Impact:
> -------
>
> And now, ladies and gentlemen - my old bug, reinvented. Usually, the above
> mailcap line is expanded to:
>
> [...] execve </bin/sh> (sh) (-c) (test "`echo 'US-ASCII' | tr '[A-Z]'
> '[a-z]'`" = iso-8859-1)
>
> Hmm, but take a look at this message:
>
> ************************** MIME MESSAGE FOLLOWS **************************
> From: Attacker <attacker@eleet.net>
> To: Victim <victim@somewhere.net>
> Subject: Happy birthday
> ...
>
> MIME-Version: 1.0
> Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"
>
> --8323328-235065145-918425607=:319
> Content-Type: TEXT/PLAIN; charset='US-ASCII'
>
> Make a wish...
>
> --8323328-235065145-918425607=:319
> Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
> Content-Transfer-Encoding: BASE64
> Content-Description: wish
> Content-Disposition: attachment; filename="wish.c"
>
> ...it could be your last.
>
> *************************** MIME MESSAGE ENDS ***************************
>
> The result is:
>
> [...] execve </bin/sh> (sh) (-c) (test "`echo '``touch${IFS}ME``' | tr
> '[A-Z]' '[a-z]'`" = iso-8859-1)
>
> ...and arbitrary code ('touch ME', encoded using the ${IFS} trick) is
> executed when the message is viewed.
>
> Fix:
> ----
>
> Well, it's the second time I report problems with ` in headers.
> Maybe pine developers should wait a little longer ;-)
>
> _______________________________________________________________________
> Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
> [lunete.nfi.pl SYSADM] [<http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:
> [voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
> To iterate is human, to recurse divine [P. Deutsch]

*** ../../pine4.10-original/pine/mailcap.c	Wed Nov 18 10:00:15 1998
--- mailcap.c	Mon Feb  8 10:21:53 1999
***************
*** 912,917 ****
--- 912,922 ----
  	    *to++ = '\\';
  	    *to++ = '\'';	/* below will be opening quote */
  	}
+ #ifdef DANWING
+ 	if(*p == '`') {
+ 	    *to++ = '\\';
+ 	}
+ #endif
  	*to++ = *p;
      }

References:
  BUGTRAQ >> remote exploit on pine 4.10 - neverending story?
    From: Timothy J Luoma <public@fdt.net>
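Review bot: the five added lines (new lines 915-919) sit inside `#ifdef DANWING` / `#endif`, so unless DANWING is defined at build time the patch compiles out and mailcap.c behaves exactly as before; the guard should be dropped before this is applied. On the same lines, a backslash in front of '`' is an escape only when the expanded value ends up inside a backquoted command substitution, as it does in the quoted `test="`echo %{charset} ...`"` mailcap entry; the context lines just above show the value is otherwise wrapped in single quotes, where a backslash is literal, so an ordinary invocation would now receive the backslash as part of the value. Rather than quoting around each metacharacter, consider validating the parameter first: a charset is an RFC 2045 token and cannot legitimately contain '`', so such a value can be rejected before any command line is built.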