From: Gaute Hope
To: sup-devel
Subject: Re: Security advisory, releases 0.13.2.1 and 0.14.1.1
In-reply-to: <1383043976-sup-2451@qwerzila>
References: <1383043976-sup-2451@qwerzila>
Date: Wed, 30 Oct 2013 09:38:04 +0100
Message-Id: <1383122092-sup-2694@qwerzila>
User-Agent: Sup/git

Excerpts from Gaute Hope's message of 2013-10-29 11:54:58 +0100:
> Greetings,
>
> Security advisory (#SBU1) for Sup
>
> We have been notified of a potential exploit in the somewhat careless
> way Sup treats attachment metadata in received e-mails. The issues
> should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1, which
> incorporate these fixes. Please upgrade immediately and also ensure
> that your mime-decode or mime-view hooks are secure [0], [1].
>
> This is specifically related to using quotes (', ") around filename or
> content_type, which is already escaped using Ruby Shellwords.escape;
> this means that the string (content_type, filename) is intended to be
> used _without_ any further quotes. Please make sure that if you use
> .mailcap (non-OSX systems), you do not quote the string.
>
> Credit goes to: joernchen of Phenoelit (http://phenoelit.de), who
> discovered and suggested fixes for these issues.
>
> [0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
> [1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
>
> You can use 'gem' to upgrade or install sup. Please report any issues
> to: https://github.com/sup-heliotrope/sup/issues
>
> Regards, Gaute

For those interested, joernchen's report at full-disclosure:

* http://seclists.org/fulldisclosure/2013/Oct/272
* http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt (attached)

- gaute

[Attachment: whatsup.txt]

Phenoelit Advisory

[ Authors ]
joernchen
Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
sup <= 0.14.1 (on non-Darwin systems)
sup <= 0.13.2 (on non-Darwin systems)
http://supmua.org

[ Vendor communication ]
2013-10-28 Send vulnerability details to sup maintainer
2013-10-28 Maintainer proposes fix
2013-10-29 Sup 0.13.2.1 and 0.14.1.1 are released [1]
2013-10-29 Release of this advisory

[ Description ]
Observe in sup/lib/sup/message_chunks.rb:

    def view_default! path
      ## please see note in write_to_disk on important usage
      ## of quotes to avoid remote command injection.
      case RbConfig::CONFIG['arch']
      when /darwin/
        cmd = "open #{path}"
      else
        cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
      end
      debug "running: #{cmd.inspect}"
      BufferManager.shell_out(cmd)
      $? == 0
    end

Here @content_type is attacker controlled and not further sanitized. By this
a forged content type of an email attachment can trigger a command injection.

[ Example ]
For convenience the email delivering this file serves as an example. When
viewing this attachment in a vulnerable version of sup, the content type
being "text/'`id>/tmp/whatsup`'pwn" will generate a file "whatsup" in the
/tmp directory.

[ Solution ]
Upgrade to version 0.14.1.1 or 0.13.2.1

[ References ]
[0] https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175
[1] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html

[ end of file ]
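Added example (not part of the original message and not sup's own code) showing the three command constructions the advisory and the follow-up note describe: the pre-fix interpolation, the Shellwords.escape fix used without further quotes, and the re-quoting mistake the .mailcap warning is about. It assumes the pre-fix command placed the content type inside single quotes, which is what the advisory's payload with its leading and trailing ' targets; printf stands in for /usr/bin/run-mailcap so the "viewer" just echoes back the argument /bin/sh handed it, and the id>/tmp/whatsup payload is replaced by a harmless echo. All inputs are constructed.

```ruby
require 'shellwords'

# Constructed inputs (not taken from a real message). The forged content
# type follows the advisory's shape, with the payload replaced by a harmless
# `echo` so running this file writes nothing to /tmp.
FORGED_TYPE = "text/'`echo INJECTED`'pwn"
BENIGN_TYPE = "text/plain"
ATTACHMENT  = "/tmp/whatsup.txt"

# Stand-in for "/usr/bin/run-mailcap --action=view": printf echoes back the
# one argument it receives, so we see exactly what /bin/sh handed the viewer.
VIEWER = "printf '%s\\n'"

# Vulnerable pattern (assumed to mirror the pre-fix code): the attacker-
# controlled content type is interpolated into a single-quoted shell word.
# A quote inside the content type closes the word and the rest is live shell.
def vulnerable_cmd(content_type, path)
  "#{VIEWER} '#{content_type}:#{path}'"
end

# Fixed pattern: Shellwords.escape backslash-escapes every metacharacter, so
# the result is interpolated bare, with no quotes of its own around it.
def escaped_cmd(content_type, path)
  "#{VIEWER} #{Shellwords.escape("#{content_type}:#{path}")}"
end

# The follow-up mistake: quoting a string that is already escaped. Inside
# single quotes the backslashes are literal, so the viewer receives a
# mangled argument (a path with a space no longer names the file).
def requoted_cmd(content_type, path)
  "#{VIEWER} '#{Shellwords.escape("#{content_type}:#{path}")}'"
end

# Run a command line through /bin/sh and return what the stand-in viewer saw.
def viewer_received(cmd)
  IO.popen(cmd, &:read).chomp
end

# Preferred alternative: never build a shell string at all. Passing an argv
# array to IO.popen/Process.spawn execs the program directly, so no character
# of content_type is ever interpreted by a shell.
def viewer_received_argv(content_type, path)
  IO.popen(["printf", "%s\n", "#{content_type}:#{path}"], &:read).chomp
end

if __FILE__ == $0
  puts "vulnerable: #{viewer_received(vulnerable_cmd(FORGED_TYPE, ATTACHMENT))}"
  puts "escaped:    #{viewer_received(escaped_cmd(FORGED_TYPE, ATTACHMENT))}"
  puts "argv:       #{viewer_received_argv(FORGED_TYPE, ATTACHMENT)}"
  puts "requoted:   #{viewer_received(requoted_cmd(BENIGN_TYPE, '/tmp/my file.txt'))}"
end
```

In the vulnerable line the backticked echo actually runs and its output ends up inside the argument, which is the same mechanism that wrote /tmp/whatsup in the advisory; the escaped and argv forms hand the viewer the forged type as a literal string, and the requoted form shows why an already-escaped string must not be wrapped in quotes again in a .mailcap entry.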