**************************************************************************
Security Bulletin 9710 DISA Defense Communications System
May 22, 1997 Published by: DISN Security Coordination Center
(SCC@NIC.MIL)
1-(800) 365-3642
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login="anonymous" and password="guest". The bulletin pathname is scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9615.txt). They are also available on our WWW site at http://nic.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Information Systems Agency's Security !
! Coordination Center distribution system as a means of !
! providing DISN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - +
- -----------------------------------------------------------------------------
The CERT Coordination Center has received reports of a vulnerability in metamail, a program that implements MIME. By exploiting the vulnerability, a sender of a MIME-encoded electronic mail message can cause the receiver of the message to execute an arbitrary command if the receiver processes the message using the metamail package. If the attacker has an account on the target user's local system or if the target user's system supports AFS or another distributed filesystem, then the attacker can arrange for the arbitrary command to be one the attacker created. This affects versions of metamail through 2.7 (the current version).
The CERT/CC team recommends installing a vendor patch, if one is available, patching metamail yourself, or disabling metamail (see Section III).
We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
Multipurpose Internet Mail Extensions (MIME) is a standard format for extended Internet electronic mail. The MIME format permits email to include enhanced text, graphics, and audio in a standardized and interoperable manner. MIME is described in RFCs 2045 through 2049.
metamail is a package that implements MIME (note: metamail can be obtained from ftp://ftp.funet.fi/pub/unix/mail/metamail/mm2.7.tar.Z). Using a configurable "mailcap" file, metamail determines how to treat blocks of electronic mail text based on the content as described by email headers. Some popular packages for handling electronic mail have hooks that allow metamail to be called automatically while a message is being processed.
A condition exists in metamail in which there is
insufficient variable checking in some support scripts. By carefully
crafting appropriate message headers, a sender can cause the receiver
of the message to execute an arbitrary command if the receiver
processes the message using the metamail package.
A sender of a MIME encoded mail message can cause
the receiver to execute an arbitrary command. If the attacker
has an account on the target user's local system or if the target
user's system supports AFS or another distributed filesystem,
then the attacker can arrange for the arbitrary command to be
one the attacker created.
If your vendor supplies metamail with its distribution, then install a patch from your vendor (Solution A). If your vendor does not distribute metamail with their products or does not have a patch available, use the workaround in Solution B. An alternative for those with sufficient expertise is to patch the metamail scripts as described in Solution C.
The vendors we have heard from so far are listed below, with details in Appendix A. We will update the appendix as we receive more information.
To disable the metamail scripts, remove the execute permissions from the scripts that are located in the mm2.7/src/bin directory of metamail v2.7 (the latest version of metamail). Remember that, depending on your installation of metamail, the scripts may be located in other directories in your operating system.
Sites that need to use metamail and have the expertise may wish to patch the scripts that are part of the metamail distribution. Note that the guidance below is supplied as is, and you need to be sure that you understand the impact (if any) that your modifications will have on metamail functionality.
The scripts referred to in the following material are all located in the mm2.7/src/bin directory of metamail v2.7 (the latest version of metamail). They may be located in other directories in your operating system.
Add this code to the showexternal script at the very least, prior to any argument processing within that script. We encourage you to add this code to other scripts in mm2.7/src/bin directory to ensure that arguments in those scripts also exclude white space. You may need to adapt the code for your particular system.
Note that this patch may affect functionality in cases (such as filenames) where parameters may have legitimately included white space.
This step addresses the problem referred to in this advisory. As part of a more generally secure programming practice, please also consider the following modifications.
This should be done for every reference to a command line argument in each of the scripts.
Note that csh has a :q operator which is also intended for this purpose. If you prefer, you can use this operator in each case instead of quoting.
Also change the following line:
Similarly, there will be other instances where $name specifically, and other variables in general, should be quoted. The reason is that these variables take their value from the script parameters (for example, $name takes its value from $3, and $NEWNAME may take its value from $name).
As before, the :q operator can be used in each case.
Note that in doing this step, some care will be required.
set METAMAIL_TMPDIR=/tmp
endif
to
# Set a sensible value for the temporary directory, if its not
# already set. If TMPDIR is set previously, then we will
# assume it is adequately protected.
if (! $?METAMAIL_TMPDIR) then
if ($?TMPDIR) then
set METAMAIL_TMPDIR="$TMPDIR"
else
set METAMAIL_TMPDIR=~/metamail_tmp
endif
endif
if (! -e "$METAMAIL_TMPDIR") then
mkdir "$METAMAIL_TMPDIR"
else
echo "$METAMAIL_TMPDIR exists, but is not a directory"
exit 2
endif
if ( $status != 0 || ! -d "$METAMAIL_TMPDIR" ) then
endif
endif
...........................................................................
Appendix A - Vendor Information
Below is a list of the vendors who have provided
information for this advisory. We will update this appendix as
we receive additional information. If you do not see your vendor's
name, please contact the vendor directly or use the workaround
in Section III.
Cray Research does not ship metamail as part of either Unicos or Unicos/mk.
This reported problem is not present for Digital's ULTRIX or Digital UNIX Operating Systems Software.
=============
If you installed the metamail package or port then you are vulnerable. All released versions of FreeBSD including 2.2.2R have this flaw in them. The port was corrected as of May 30, 1997. Either update your system from a more recent port, or apply the patches contained in this advisory to those files affected.
HP-UX is vulnerable; patches are in progress.
Not vulnerable, metamail is not shipped as part of AIX.
IBM and AIX are registered trademarks of International Business Machines Corporation.
Debian:
Debian uses its own bourne shell based metamail scripts not the standard ones.
Red Hat:
All versions of Red Hat are vulnerable. A replacement RPM is available
at
ftp://ftp.redhat.com/pub/redhat/updates/4.1/i386/metamail-2.7-7.i386.rpm
UX/4800 Not vulnerable for all versions.
EWS-UX/V(Rel4.2MP) Not vulnerable for all versions.
EWS-UX/V(Rel4.2) Not vulnerable for all versions.
UP-UX/V(Rel4.2MP) Not vulnerable for all versions.
EWS-UX/V(Rel4.0) Not vulnerable for all versions.
UP-UX/V Not vulnerable for all versions.
=====================
At this time, Silicon Graphics does not have any public information for the metamail issue. Silicon Graphics has communicated with CERT and other external security parties and is actively investigating this issue. When more Silicon Graphics information (including any possible patches) is available for release, that information will be released via the SGI security mailing list, wiretap.
For subscribing to the wiretap mailing list and other SGI security related information, please refer to the Silicon Graphics Security Headquarters website located at:
http://www.sgi.com/Support/Secur/security.html
We do not ship the utility.
We do not anticipate providing a patch, since we do not ship the utility.
Sun Microsystems, Inc.
======================
- -----------------------------------------------------------------------------
The CERT Coordination Center staff thanks Olaf Kirch for contributing code to the solution section and thanks BSDI and FreeBSD for their input on the solution.
- -----------------------------------------------------------------------------
If you believe that your system has been compromised,
contact the CERT Coordination Center or your representative in
the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/).
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during
other hours.
Fax +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.
ftp://info.cert.org/pub/CERT_PGP.key
CERT publications and other security information are available from
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U.S. Department of Defense.
- ---------------------------------------------------------------------------
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
****************************************************************************
* *
* *
* *
* *
* *
* *
* *
* *
****************************************************************************
PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as an service to the DOD
community. Neither the United States Government nor any of their
employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed,
or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government.
The opinions of the authors expressed herein do not necessarily
state or reflect those of the United States Government, and shall
not be used for advertising or product endorsement purposes.