Debian Security Advisory

metamail -- It may be possible to make metamail execute arbitrary commands

Date Reported: 09 Apr 1997
Affected Packages: metamail
Vulnerable: No
Security database references: No other external database security references currently available.
More information:

Original submitter of the report: Olaf Kirch <okir@lst.de>

The hole may be exploitable if you let metamail run showext for messages of type message/external-body. At least tcsh, and possibly a few other csh's, do seem to do weird things when expanding command line arguments. If you give a script an argument of "foo FTP=/tmp/evilcmd", and it does

	set var=$1

this will assign foo to $var, and /tmp/evilcmd to $FTP. Unfortunately, metamail invokes showext with the MIME attributes on the command line, so you basically send it a header like this:

	Content-type: message/external-body;
		access-type="anon-ftp";
		name="passwd";
		site="monad.swb.de";
		directory="/etc";
		mode="image FTP=/tmp/evilcmd"

Further below, the script will run $FTP to initiate the FTP connection. Up to now, I have not been able to pass arguments to the command, but that doesn't mean that you can't do interesting things with the above.

[Patch removed due to age.]
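
The following is an added example, not part of the original advisory and not metamail's own code: a Python check that a mail filter could run before a message/external-body part is handed to a handler script such as showext, rejecting any parameter value that contains whitespace, `=` or other characters outside a conservative allowlist. The function name and the allowlist are assumptions; the first sample header is the one quoted in the report above, the second is constructed.

```python
import re
from email.parser import HeaderParser
from email.utils import collapse_rfc2231_value

# Assumed allowlist: characters a file name, host name or path legitimately
# needs. Whitespace and '=' are excluded because they are what lets a single
# attribute value expand into a second variable assignment in the csh script.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._/+@-]+")


def unsafe_external_body_params(raw_headers):
    """Return [(name, value)] for parameters that must not reach the handler."""
    msg = HeaderParser().parsestr(raw_headers)  # headers only, body ignored
    if msg.get_content_type() != "message/external-body":
        return []
    flagged = []
    # get_params() yields the media type itself as the first item; skip it.
    for name, value in msg.get_params()[1:]:
        value = collapse_rfc2231_value(value)  # also handles RFC 2231 tuples
        if not SAFE_VALUE.fullmatch(value):
            flagged.append((name, value))
    return flagged


# Header from the report above, written out as a Python string.
ADVISORY_HEADER = (
    "Content-type: message/external-body;\n"
    '\taccess-type="anon-ftp";\n'
    '\tname="passwd";\n'
    '\tsite="monad.swb.de";\n'
    '\tdirectory="/etc";\n'
    '\tmode="image FTP=/tmp/evilcmd"\n'
    "\n"
)

# Constructed counterpart with an ordinary transfer mode.
CLEAN_HEADER = ADVISORY_HEADER.replace("image FTP=/tmp/evilcmd", "image")

if __name__ == "__main__":
    for name, value in unsafe_external_body_params(ADVISORY_HEADER):
        print(f"rejecting external-body parameter {name}={value!r}")
```
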