'[Full-disclosure] Advisory: sup MUA Command Injection'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Advisory: sup MUA Command Injection
From:       joernchen <joernchen () phenoelit ! de>
Date:       2013-10-29 12:29:57
Message-ID: 20131029122957.GC1273 () localhost ! Speedport_W_722V_Typ_B
[Download RAW message or body]

Hi,

FYI, see attached.

Cheers,

joernchen
-- 
joernchen ~ Phenoelit
<joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

["whatsup.txt" (text/'`id>/tmp/whatsup`'pwn)]

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-++->

[ Authors ]
        joernchen       <joernchen () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        sup <= 0.14.1 (on non Darwin systems)
        sup <= 0.13.2 (on non Darwin systems) 
        http://supmua.org

[ Vendor communication ]
        2013-10-28 Send vulnerability details to sup maintainer
        2013-10-28 Maintainer proposes fix
        2013-10-29 Sup 0.13.2.1 and 0.14.1.1 are released [1]
        2013-10-29 Release of this advisory

[ Description ]

        Observe in sup/lib/sup/message_chunks.rb:

def view_default! path
  ## please see note in write_to_disk on important usage
  ## of quotes to avoid remote command injection.
  case RbConfig::CONFIG['arch']
    when /darwin/
      cmd = "open #{path}"
    else
      cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
  end
  debug "running: #{cmd.inspect}"
  BufferManager.shell_out(cmd)
  $? == 0
end
   
        Here @content_type is attacker controlled and not further 
        sanitized. By this a forged content type of an email 
        attachment can trigger a command injection.

[ Example ]
        For convenience the email delivering this file serves as an
        example. When viewing this attachment in a vulnerable version
        of sup the content type being  "text/'`id>/tmp/whatsup`'pwn"
        will generate a file "whatsup" in the /tmp directory.

[ Solution ]
        Upgrade to version 0.14.1.1 or 0.13.2.1

[ References ]
        [0] https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175
                
        [1] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html

[ end of file ]



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic