Bugtraq mailing list archives

Re: remote exploit on pine 4.10 - neverending story?


From: roessler () GUUG DE (Thomas Roessler)
Date: Mon, 8 Feb 1999 18:13:53 +0100


This bug exhibits a general mailcap design problem, actually some
apparent lack of clarity in RFC 1524: The mailcap format
specification does not define where quoting takes place.  As a
result, users tend to do quoting manually using constructs like
"%..." or '%...'.  Software tends not to do _any_ quoting of its
own.

Why this means begging for disaster is obvious: Attackers can
construct strings with appropriate shell metacharacters to trick
users into executing arbitrary shell commands - just like Michael
demonstrated for this special case.

The only proper solution is that users MUST NOT perform any quoting
on their own in mailcap files, and that software MUST perform proper
shell quoting when expanding the %{something} strings.  "Proper
shell quoting" means to put the complete string into single quotes
and to replace any ' inside the string by the sequence of characters
'\''.  (Note that this is already in some Unix programming FAQ.)

"Simply" trying to escape or wipe out shell metacharacters will also
be a recipe for problems.  Think about certain bash versions'
handling of (as far as I recall) \xff as a word separator.

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
     2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
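The quoting rule the post prescribes, as an added example in Python (not code from the post or from pine); the mailcap entry, the viewer name `xpdf` and the filenames are constructed for illustration, and a POSIX-style tokenizer stands in for the shell to show how each expanded command line would be split:

```python
import shlex

# Constructed mailcap entry written the RFC 1524 way: the author does NO
# quoting of %s; the software is responsible for it.
MAILCAP_ENTRY = "application/pdf; xpdf %s"


def shell_quote(s: str) -> str:
    """Quote s as exactly one shell word: wrap it in single quotes and turn
    every embedded ' into '\\'' (close quote, escaped quote, reopen)."""
    return "'" + s.replace("'", "'\\''") + "'"


def naive_expand(entry: str, filename: str) -> str:
    """The unsafe behaviour: substitute %s verbatim, trusting the user to
    have quoted it in the mailcap file."""
    command = entry.split(";", 1)[1].strip()
    return command.replace("%s", filename)


def expand_mailcap(entry: str, filename: str) -> str:
    """Expand %s and %t with the software doing proper shell quoting, so a
    mailcap author never needs to write "%s" or '%s'."""
    mime_type, command = (part.strip() for part in entry.split(";", 1))
    return command.replace("%s", shell_quote(filename)).replace(
        "%t", shell_quote(mime_type))


def shell_tokens(command_line: str) -> list:
    """Split a command line the way a POSIX shell would: quotes are honoured
    and ';' outside quotes becomes its own token (a command separator)."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    # Constructed attacker-supplied filenames containing shell metacharacters.
    semicolon = "report.pdf; echo injected"
    apostrophe = "it's; echo injected"
    print(shell_tokens(naive_expand(MAILCAP_ENTRY, semicolon)))
    print(shell_tokens(expand_mailcap(MAILCAP_ENTRY, semicolon)))
    print(shell_tokens(expand_mailcap(MAILCAP_ENTRY, apostrophe)))
```

With the naive expansion the tokenizer yields a second command after `;`; with `shell_quote` each filename stays a single argument to `xpdf`, including the one containing an apostrophe.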


