Re: Security advisory, releases 0.13.2.1 and 0.14.1.1

Archive of RubyForge sup-devel mailing list
 help / color / mirror / Atom feed

From: Gaute Hope <eg@gaute.vetsj.com>
To: sup-devel <sup-devel@rubyforge.org>
Subject: Re: Security advisory, releases 0.13.2.1 and 0.14.1.1
Date: Wed, 30 Oct 2013 09:38:04 +0100	[thread overview]
Message-ID: <1383122092-sup-2694@qwerzila> (raw)
In-Reply-To: <1383043976-sup-2451@qwerzila>

[-- Attachment #1: Type: text/plain, Size: 1425 bytes --]

Excerpts from Gaute Hope's message of 2013-10-29 11:54:58 +0100:
> Greetings,
> 
> Security advisory (#SBU1) for Sup
> 
> We have been notified of an potential exploit in the somewhat careless
> way Sup treats attachment metadata in received e-mails. The issues
> should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
> incorporates these fixes. Please upgrade immediately and also ensure
> that your mime-decode or mime-view hooks are secure [0], [1].
> 
> This is specifically related to using quotes (',") around filename or
> content_type which is already escaped using Ruby Shellwords.escape -
> this means that the string (content_type, filename) is intended to be
> used _without_ any further quotes. Please make sure that if you use
> .mailcap (non OSX systems), you do not quote the string.
> 
> Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
> discovered and suggested fixes for these issues.
> 
> [0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
> [1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
> 
> You can use 'gem' to upgrade or install sup. Please report any issues
> to: https://github.com/sup-heliotrope/sup/issues
> 
> Regards, Gaute

For those interested; joernchens report at full-disclosure:

* http://seclists.org/fulldisclosure/2013/Oct/272
* http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt (attached)

- gaute


[-- Attachment #2: whatsup.txt --]
[-- Type: text/plain, Size: 1829 bytes --]

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-++->

[ Authors ]
        joernchen       <joernchen () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        sup <= 0.14.1 (on non Darwin systems)
        sup <= 0.13.2 (on non Darwin systems) 
        http://supmua.org

[ Vendor communication ]
        2013-10-28 Send vulnerability details to sup maintainer
        2013-10-28 Maintainer proposes fix
        2013-10-29 Sup 0.13.2.1 and 0.14.1.1 are released [1]
        2013-10-29 Release of this advisory

[ Description ]

        Observe in sup/lib/sup/message_chunks.rb:

def view_default! path
  ## please see note in write_to_disk on important usage
  ## of quotes to avoid remote command injection.
  case RbConfig::CONFIG['arch']
    when /darwin/
      cmd = "open #{path}"
    else
      cmd = "/usr/bin/run-mailcap --action=view #{ () content_type}:#{path}"
  end
  debug "running: #{cmd.inspect}"
  BufferManager.shell_out(cmd)
  $? == 0
end
   
        Here @content_type is attacker controlled and not further 
        sanitized. By this a forged content type of an email 
        attachment can trigger a command injection.

[ Example ]
        For convenience the email delivering this file serves as an
        example. When viewing this attachment in a vulnerable version
        of sup the content type being  "text/'`id>/tmp/whatsup`'pwn"
        will generate a file "whatsup" in the /tmp directory.

[ Solution ]
        Upgrade to version 0.14.1.1 or 0.13.2.1

[ References ]
        [0] https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175
        [1] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html

[ end of file ]

next prev parent reply	other threads:[~2013-10-30  8:39 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-10-29 10:54 Gaute Hope
2013-10-30  8:38 ` Gaute Hope [this message]
2013-10-30 13:51   ` [sup-devel] " rara7020 .

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1383122092-sup-2694@qwerzila \
    --to=eg@gaute.vetsj.com \
    --cc=sup-devel@rubyforge.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox