
The metamail bug



Can folks produce a fix to this if they use metamail. This one is fairly
serious but also we think nobody bad knows about it (yet). I'd like to
get fixes out and it reported to bugtraq by wednesday if possible.


Hi Alan,

Here's the info on metamail I promised to send you. The hole may be
exploitable if you let metamail run showext for messages of type
message/external-body. At least tcsh, and possibly a few other csh's,
do seem to do weird things when expanding command line arguments.
If you give a script an argument of "foo FTP=/tmp/evilcmd", and it
does
	set var=$1
this will assign foo to $var, and /tmp/evilcmd to $FTP. Unfortunately,
metamail invokes showext with the mime attributes on the command line,
so you basically send it a header like this

Content-type:  message/external-body;
	access-type="anon-ftp";
	name="passwd";
	site="monad.swb.de";
	directory="/etc";
	mode="image FTP=/tmp/evilcmd"

Further below, the script will run $FTP to initiate the ftp connection.
Up to now, I have not been able to pass arguments to the command, but
that doesn't mean that you can't do interesting things with the above.

The patch is appended below.

Cheers
Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@lst.de        +-------------------- Why Not?! -----------------------
------------------------------------------------------------------
diff -ur zap/mm2.7/src/bin/showexternal mm2.7/src/bin/showexternal
--- zap/mm2.7/src/bin/showexternal	Tue Feb  8 17:39:05 1994
+++ mm2.7/src/bin/showexternal	Thu Jan 16 12:00:25 1997
@@ -27,26 +27,34 @@
     echo "Usage: showexternal body-file access-type name [site [directory [mode [server]]]]"
     exit -1
 endif
-set bodyfile=$1
+# Check argument integrity. Don't trust mail headers
+switch ("$1$2$3$4$5$6$7")
+case "*[ 	]*":
+	echo "Illegal white space in arguments -- possibly a mail bomb?!"
+	echo "Command was:"
+	echo \'$0\' \'$1\' \'$2\' \'$3\' \'$4\' \'$5\' \'$6\' \'$7\'
+	exit 2
+endsw
+set bodyfile="$1"
 set atype=`echo $2 | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
-set name=$3
+set name="$3"
 if ($#argv > 3) then
-    set site=$4
+    set site="$4"
 else 
     set site=""
 endif
 if ($#argv > 4) then
-    set dir=$5
+    set dir="$5"
 else
     set dir=""
 endif
 if ($#argv > 5) then
-    set mode=$6
+    set mode="$6"
 else
     set mode=""
 endif
 if ($#argv > 6) then
-    set server=$7
+    set server="$7"
 else
     set server=""
 endif
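
Review bot: the unchanged line set atype=`echo $2 | tr ...` still expands $2 unquoted, while every other argument in this hunk is now quoted and the showpartial change quotes the same construct as echo "$2". Quote it here as well so the script does not rely on the whitespace check alone. That check rejects only space and tab, and the diagnostic echo \'$1\' ... in its error branch prints the rejected arguments between escaped quote characters rather than inside real quotes, so they are expanded bare at the one point where they are known to be hostile.
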
diff -ur zap/mm2.7/src/bin/showpartial mm2.7/src/bin/showpartial
--- zap/mm2.7/src/bin/showpartial	Thu Feb  3 00:21:29 1994
+++ mm2.7/src/bin/showpartial	Thu Jan 16 11:48:59 1997
@@ -11,14 +11,14 @@
     echo "Usage:  showpartial file id partnum totalnum"
     exit -1
 endif
-set file=$1
+set file="$1"
 # This next line is because message-id can contain weird chars
-set id=`echo $2 | tr -d  \!\$\&\*\(\)\|\'\"\;\/\<\>\\` 
-@ partnum = $3
+set id=`echo "$2" | tr -d  \!\$\&\*\(\)\|\'\"\;\/\<\>\\` 
+@ partnum = "$3"
 if ($#argv == 3 || $4 == "") then
     set totalnum=-1
 else
-    @ totalnum = $4
+    @ totalnum = "$4"
 endif
 
 if (! -d  $TREEROOT)  then
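
Review bot: the unchanged test if ($#argv == 3 || $4 == "") sits between the two lines quoted here and still expands $4 bare, so the value this hunk protects in @ totalnum = "$4" is evaluated unquoted first; write "$4" == "" there as well. This script also gets no whitespace check like the one added to showexternal, and $3 and $4 go into @ arithmetic without a test that they are numeric.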


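
The argument check from the patch, written as a pre-delivery audit in Python (an added example, not part of the original message or of metamail). The names audit_external_body and smuggled_assignments and the sample mail are constructed for illustration, and smuggled_assignments only models the behaviour the mail describes; it is not csh's own parser.

```python
from email import message_from_string

# Constructed sample: the header quoted in the mail, wrapped in a minimal message.
SAMPLE = (
    "Content-type: message/external-body;\n"
    '\taccess-type="anon-ftp";\n'
    '\tname="passwd";\n'
    '\tsite="monad.swb.de";\n'
    '\tdirectory="/etc";\n'
    '\tmode="image FTP=/tmp/evilcmd"\n'
    "\n"
    "placeholder body\n"
)

# MIME parameters named in showexternal's usage string, in argument order.
ARG_PARAMS = ("access-type", "name", "site", "directory", "mode", "server")


def smuggled_assignments(value):
    """Model of the behaviour described in the mail: with an unquoted
    `set var=$N`, each extra whitespace-separated NAME=VALUE word acts as
    a further assignment. Identifier-like names are an assumption."""
    extra = {}
    for word in value.split()[1:]:
        name, sep, val = word.partition("=")
        if sep and name.isidentifier():
            extra[name] = val
    return extra


def audit_external_body(raw_mail):
    """Return (parameter, value, extra assignments) for every
    message/external-body parameter that contains white space,
    the same condition the patched showexternal refuses."""
    findings = []
    for part in message_from_string(raw_mail).walk():
        if part.get_content_type() != "message/external-body":
            continue
        for pname in ARG_PARAMS:
            value = part.get_param(pname)
            if isinstance(value, str) and any(c.isspace() for c in value):
                findings.append((pname, value, smuggled_assignments(value)))
    return findings


if __name__ == "__main__":
    for pname, value, extra in audit_external_body(SAMPLE):
        print(f"reject: {pname}={value!r} would also set {extra}")
```
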