Pine E-mail Client Allows Remote Users to Send Malicious URLs Within a Message That Will Execute Arbitrary Shell Commands on the Recipient's Host When the URL is Loaded
|
|
SecurityTracker Alert ID: 1003111 |
|
SecurityTracker URL: http://securitytracker.com/id/1003111
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Jan 10 2002
|
Original Entry Date: Jan 5 2002
|
Impact:
Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 4.43 and prior versions for the vendor release
|
Description:
FreeBSD reported a vulnerability in the Pine e-mail client. A remote user could send a mail message to another user containing a malicious URL that, if followed, could cause arbitrary shell commands to be executed on the recipient's host.
It is reported that Pine does not handle certain URLs in a secure manner. A remote user can create and send a mail message containing a URL with certain meta-characters such that, if the recipient follows the URL link, will cause arbitrary shell commands to be passed by the recipient's Pine mail client as arguments to a call to the recipient's web browser. Arbitrary shell commands will be executed on the recipient's host with the privileges of the recipient.
A remote user can reportedly supply commands enclosed in single quotes ('') in a URL embedded within an email message to exploit the vulnerability. When the URL is loaded by the recipient, Pine will apparently launch a command shell and execute the remote user's commands with the privileges of the recipient. It is reported that the malicious commands can be obfuscated so that the recipient may not be aware that the URL is malicious.
FreeBSD credits zen-parse with reporting this bug.
|
Impact:
A remote user can cause arbitrary shell commands to be executed by a Pine user when the Pine user follows a URL link embedded within an email message sent by the remote user.
|
Solution:
For FreeBSD users, a fixed version is available (see the information below).
For other (non-FreeBSD) users, a fixed version (4.44) is available at the Vendor URL.
For FreeBSD users, the following solution is provided:
1) Upgrade your entire ports collection and rebuild the port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.44.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.44.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.
3) Download a new port skeleton for the pine port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
|
Vendor URL: www.washington.edu/pine/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Fri, 4 Jan 2002 17:04:50 -0800 (PST)
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:05.pine
|
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:05 Security Advisory
FreeBSD, Inc.
Topic: pine port insecure URL handling
Category: ports
Module: pine
Announced: 2002-01-04
Credits: zen-parse <zen-parse@gmx.net>
Affects: Ports collection prior to the correction date
Corrected: 2001-10-05 08:41:39 UTC
FreeBSD only: NO
I. Background
PINE is an application for reading mail and news.
II. Problem Description
The pine port, versions previous to pine-4.40, handles URLs in
messages insecurely. PINE allows users to launch a web browser to
visit a URL embedded in a message. Due to a programming error, PINE
does not properly escape meta-characters in the URL before passing it
to the command shell as an argument to the web browser.
The pine port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 6000 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 4.4 contains this problem since
it was discovered after the release.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.
III. Impact
An attacker can supply commands enclosed in single quotes ('') in a
URL embedded in a message sent to the victim. If the user then
decides to view the URL, PINE will launch a command shell which will
then execute the attacker's commands with the victim's privileges. It
is possible to obfuscate the URL so that it will not necessarily seem
dangerous to the victim.
IV. Workaround
1) Deinstall the pine port/package if you have it installed.
V. Solution
1) Upgrade your entire ports collection and rebuild the port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.43.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.43.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) Download a new port skeleton for the pine port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source
Path Revision
- -------------------------------------------------------------------------
ports/mail/pine4/Makefile 1.58
ports/mail/pine4/distinfo 1.18
ports/mail/pine4/files/patch-aa 1.4
ports/mail/pine4/files/patch-ac 1.11
ports/mail/pine4/files/patch-af 1.12
ports/mail/pine4/files/patch-ai 1.11
ports/mail/pine4/files/patch-aj 1.5
ports/mail/pine4/files/patch-ak 1.6
ports/mail/pine4/files/patch-al 1.10
ports/mail/pine4/files/patch-am 1.6
ports/mail/pine4/files/patch-an 1.5
ports/mail/pine4/files/patch-ap 1.3
ports/mail/pine4/files/patch-at 1.6
ports/mail/pine4/files/patch-au 1.4
ports/mail/pine4/files/patch-ax 1.4
ports/mail/pine4/files/patch-az 1.3
ports/mail/pine4/files/patch-be 1.1
ports/mail/pine4/files/patch-bf 1.1
ports/mail/pine4/files/patch-bg 1.1
ports/mail/pine4/files/patch-reply.c 1.2
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPDZOCFUuHi5z0oilAQG65gQAjdGuLydxrCswe9trnfOXIKqTkYll/iP7
7atJipzI+RvYjCzNu/nVItCM+jjGSDvSzF1/OUStAUNM2OZY7hqneSPHed8wTyX8
BU7ZNVlLEDsoZc1nWkUpqBkacPLPq6F7k1YbzMO1xVqIzewmXTpaQzmoKNW/ndIO
T108lLHqDVE=
=Ry2Q
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message
|
|
