Debian Security Advisory
metamail -- It may be possible to make metamail execute arbitrary commands
- Date Reported:
- 09 Apr 1997
- Affected Packages:
- Security database references:
- No other external database security references currently available.
- More information:
Original submitter of the report: Olaf Kirch <email@example.com>
The hole may be exploitable if you let metamail run showext for messages of type message/external-body. At least tcsh, and possibly a few other csh's, do seem to do weird things when expanding command line arguments. If you give a script an argument of "foo FTP=/tmp/evilcmd", and it does
this will assign foo to $var, and /tmp/evilcmd to $FTP. Unfortunately, metamail invokes showext with the MIME attributes on the command line, so you basically send it a header like this
Content-type: message/external-body; access-type="anon-ftp"; name="passwd"; site="monad.swb.de"; directory="/etc"; mode="image FTP=/tmp/evilcmd"
Further below, the script will run $FTP to initiate the FTP connection. Up to now, I have not been able to pass arguments to the command, but that doesn't mean that you can't do interesting things with the above.
[Patch removed due to age.]