Bugtraq mailing list archives
Re: remote exploit on pine 4.10 - neverending story?
From: roessler () GUUG DE (Thomas Roessler)
Date: Mon, 8 Feb 1999 18:13:53 +0100
This bug exhibits a general mailcap design problem, actually some apparent lack of clarity in RFC 1524: The mailcap format specification does not define where quoting takes place. As a result, users tend to do quoting manually using constructs like "%..." or '%...'. Software tends not to do _any_ quoting of its own.

Why this means begging for disaster is obvious: Attackers can construct strings with appropriate shell metacharacters to trick users into executing arbitrary shell commands - just like Michael demonstrated for this special case.

The only proper solution is that users MUST NOT perform any quoting on their own in mailcap files, and that software MUST perform proper shell quoting when expanding the %{something} strings.

"Proper shell quoting" means to put the complete string into single quotes and to replace any ' inside the string by the sequence of characters '\''. (Note that this is already in some Unix programming FAQ.)

"Simply" trying to escape or wipe out shell metacharacters will also be a recipe for problems. Think about certain bash versions' handling of (as far as I recall) \xff as a word separator.

tlr

-- 
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
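The quoting rule the post lays out, as an added example (this is not code from the post, from pine, or from any other mail reader): a small RFC 1524 view-command expander in C in which the mailcap entry itself carries no quotes and the software single-quotes every substituted value. The `%s`/`%t`/`%{name}` escapes follow the RFC; `struct param`, `sample_params`, the `charset=us-ascii` parameter and the hostile attachment name in `main` are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the original post or from any mail reader:
 * the mailcap entry carries no quotes of its own; the expander quotes
 * every substituted value before the line reaches /bin/sh. */

/* Wrap s in single quotes, rewriting each embedded ' as '\'' so the shell
 * sees exactly one literal word. Every other byte, high-bit ones included,
 * is inert inside single quotes. Returns a malloc'd string. */
char *shell_quote(const char *s)
{
    size_t n = 2;                                   /* surrounding quotes */
    for (const char *p = s; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 1), *o = out;
    if (!out) return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\''; *o = '\0';
    return out;
}

/* Content-type parameters (charset=..., name=...) reachable as %{name}. */
struct param { const char *name; const char *value; };

static const char *lookup(const struct param *ps, size_t n, const char *name, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (strlen(ps[i].name) == len && memcmp(ps[i].name, name, len) == 0)
            return ps[i].value;
    return "";                                      /* unknown: empty word */
}

/* Append s to a growable buffer; returns 0 on success, -1 on OOM. */
static int append(char **buf, size_t *len, size_t *cap, const char *s)
{
    size_t sl = strlen(s), need = *len + sl + 1;
    if (need > *cap) {
        size_t ncap = *cap ? *cap : 64;
        while (need > ncap) ncap *= 2;
        char *nb = realloc(*buf, ncap);
        if (!nb) return -1;
        *buf = nb; *cap = ncap;
    }
    memcpy(*buf + *len, s, sl + 1);
    *len += sl;
    return 0;
}

/* Expand an RFC 1524 view command: %s is the temporary file, %t the content
 * type, %{name} a content-type parameter, %% a literal percent. Template
 * text is copied verbatim; every substituted value passes through
 * shell_quote(). Returns a malloc'd command line, NULL on a bad escape. */
char *mailcap_expand(const char *tmpl, const char *file, const char *ctype,
                     const struct param *ps, size_t n)
{
    char *buf = NULL, *q = NULL; size_t len = 0, cap = 0;
    if (append(&buf, &len, &cap, "")) return NULL;  /* "" expands to "" */
    for (const char *p = tmpl; *p; p++) {
        char lit[2] = { *p, '\0' };
        if (*p != '%') { if (append(&buf, &len, &cap, lit)) goto fail; continue; }
        switch (*++p) {
        case 's': q = shell_quote(file); break;
        case 't': q = shell_quote(ctype); break;
        case '%': if (append(&buf, &len, &cap, "%")) goto fail; continue;
        case '{': {
            const char *end = strchr(p + 1, '}');
            if (!end) goto fail;
            q = shell_quote(lookup(ps, n, p + 1, (size_t)(end - p - 1)));
            p = end;
            break;
        }
        default: goto fail;                         /* unknown/truncated */
        }
        if (!q || append(&buf, &len, &cap, q)) { free(q); goto fail; }
        free(q);
    }
    return buf;
fail:
    free(buf);
    return NULL;
}

/* Constructed sample parameters for the demo. */
const struct param sample_params[] = { { "charset", "us-ascii" } };
const size_t n_sample_params = sizeof sample_params / sizeof sample_params[0];

int main(void)
{
    /* Constructed attachment name carrying shell metacharacters. */
    char *cmd = mailcap_expand("showaudio %s", "x.au'; rm -rf $HOME; echo '",
                               "audio/basic", sample_params, n_sample_params);
    printf("%s\n", cmd);   /* showaudio 'x.au'\''; rm -rf $HOME; echo '\''' */
    free(cmd);
    return 0;
}
```

With the hostile name above the shell receives `showaudio` followed by one literal argument, because every `'` in the value was turned into `'\''` and nothing else inside single quotes is special. The scheme only works under the post's precondition: if the entry author has already written `'%s'`, the software's quotes nest inside the user's and the word boundary breaks again, so the expander must be the single place where quoting happens.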
Current thread:
- Re: Cyrix bug: freeze in hell, badboy John Byrne (Feb 05)
- Re: Cyrix bug: freeze in hell, badboy Phillip R. Jaenke (Feb 05)
- HP-UX 11.0/800 patches leave suid binaries Lamont Granquist (Feb 05)
- Re: HP-UX 11.0/800 patches leave suid binaries Olle Segerdahl,D (Feb 08)
- Re: Cyrix bug: freeze in hell, badboy Ragnar Hojland Espinosa (Feb 06)
- remote exploit on pine 4.10 - neverending story? Michal Zalewski (Feb 07)
- Re: remote exploit on pine 4.10 - neverending story? Thomas Roessler (Feb 08)
- Re: remote exploit on pine 4.10 - neverending story? John D. Hardin (Feb 08)
- Possible Security Problem: Fake PGP Key Ben Laurie (Feb 08)
- ISS Internet Scanner Cannot be relied upon for conclusive Audits Mr. joej (Feb 07)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive David LeBlanc (Feb 08)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive blkadder () VALUE NET (Feb 08)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive BVE (Feb 08)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive David LeBlanc (Feb 09)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Jim Trocki (Feb 11)
- How scanners actually work David LeBlanc (Feb 10)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive David LeBlanc (Feb 08)
- Sendmail 8.9.3 Patrick Oonk (Feb 09)