Re: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041)

On Fri, 8 Nov 2002, Florian Weimer wrote:

Hi,

> Sebastian Krahmer <krahmer@suse.de> writes:
>
> >     The SuSE Security Team reviewed critical Perl modules, including
> >     the Mail::Mailer package. This package contains a security hole
> >     which allows remote attackers to execute arbitrary commands in
> >     certain circumstances.  This is due to the usage of mailx as
> >     default mailer which allows commands to be embedded in the mail
> >     body.
>
> The well-known case of command execution through mail bodies processed
> by mailx (~! SHELL-COMMAND) only affects certain mailx versions.  Some
> vendors (including SuSE and Red Hat) base their packages on
> mailx-8.1.1 (probably a snapshot from the OpenBSD CVS from summer 1997
> or something like this), which behaves as documented in the manpage
> (no escape character processing unless stdin is a terminal), and are
> not affected.
This is only true when the -I switch is not given. Unfortunately, Mail::Mailer
adds -I to the command line. So it does not need fd 0 to be a tty.

>
> The following change in OpenBSD (re)introduced the problem:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.19&r2=1.20&f=u
>
> And this change corrects it again:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
>
> Only very few vendors based their package on one of the versions
> between 1.20 and 1.23 (inclusive).  Debian once used one of the
> affected versions, but Debian GNU/Linux 3.0 (woody) includes the 1.24
> version and is safe.
>
> However, it's still a good idea to ditch /bin/mail, as provided by
> mailx:
>
>    $ mail "| echo nice feature@localhost" < /dev/null
>    No message, no subject; hope that's ok
>    nice feature...@localhost
>    $
Yes, this has been the second reason. I can point you to the full
analysis of the problems and exploit-mails which may trigger arbitrary
code execution if you want.

BTW, the maintainer of Mail::Mailer told me that using Mail::Mailer
is deprecated anyway, one should rather use Mail::Box and its friends,
where the recent mailx problem could also hit you and has been fixed too.
The manpage will point out clearly that 'mail' is not the right type
to send mail.

regards,
Sebastian

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~
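
A pre-send check for the two mailx behaviours discussed in this thread (a recipient beginning with `|`, and body lines beginning with `~`), as an added example that is not part of the original messages and is not code from Mail::Mailer or SuSE. The function name `mailx_hazards`, the address allowlist and the sample messages are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Conservative allowlist for a recipient (assumption: plain local@domain
# addresses are all this application needs to accept).
my $ADDR_RE = qr/\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/;

# Return a list of findings for one outgoing message; empty list = clean.
sub mailx_hazards {
    my ($recipients, $body) = @_;
    my @findings;

    for my $rcpt (@$recipients) {
        if ($rcpt =~ /\A\s*\|/) {
            # mailx hands a "recipient" starting with '|' to a shell pipe.
            push @findings, "recipient is a pipe target: '$rcpt'";
        }
        elsif ($rcpt !~ $ADDR_RE) {
            push @findings, "recipient fails address allowlist: '$rcpt'";
        }
    }

    # mailx treats '~' in column one as its escape character.
    my $n = 0;
    for my $line (split /\r?\n/, $body, -1) {
        $n++;
        push @findings, "body line $n starts with '~'" if $line =~ /\A~/;
    }
    return @findings;
}

# Constructed sample messages (not taken from any real mail).
my @samples = (
    { to => ['user@example.org'], body => "Hello,\nall good.\n" },
    { to => ['| some-command'],   body => "Hello\n" },
    { to => ['user@example.org'], body => "Hi\n~ looks like an escape\n" },
);

for my $i (0 .. $#samples) {
    my @f = mailx_hazards($samples[$i]{to}, $samples[$i]{body});
    print "message $i: ", (@f ? "REJECT\n" : "ok\n");
    print "  - $_\n" for @f;
}
```

A check like this only reports when a message would be unsafe to hand to a mailx-based backend; legitimate mail can contain lines starting with `~`, which is why the thread's advice is to stop using the 'mail' type rather than to filter input.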


