martin carpenter


solaris mailx(1) tilde expansion vulnerability

2012/07/18

tags: solaris mailx vulnerability CVE-2012-1750

summary

Any mailx(1) invocation that sends email with untrusted input in the body can be used to execute arbitrary commands or mail out files. This is because tilde-escape handling in mailx(1) remains active even when it is not executed from an interactive session.

vulnerability details

mailx(1) is a venerable Solaris command line utility for the sending and reading of email that dates all the way back to System V Release 3 in 1986.

As part of its slightly arcane syntax one can write "tilde escapes" into an email's body and these will act as commands to mailx(1). For example, you can read a file into the email body:

~r /path/to/file

or add recipients to the carbon-copy list:

~c alice@example.com

or execute arbitrary commands:

~!/path/to/command

Wait. What?

Many commands have the ability to "shell out" like this (eg vi(1), ftp(1)) and you can see why this could be useful in a world before job control and xterms. But obviously if you're using mailx(1) as a component of a larger system (eg to allow external web users to send comments via an HTML form to your internal support staff) then you certainly wouldn't want untrusted email text from the outside to execute arbitrary commands on your system.

Fortunately the elders thought of this, disabling tilde escapes unless mailx(1) is run from a TTY. There's even a flag to re-enable tilde escapes if you're TTYless and you want to live dangerously:

 -~              Interpret tilde escapes in the input even if
                 not reading from a tty.

Unfortunately this doesn't work in mailx(1) in Solaris 8, 9, 10 or 11. mailx(1) interprets tilde escapes even when it's not invoked from a TTY. The -~ flag is redundant. Oops.

example

alice@sunos:~$ cat foo
#!/bin/sh
mailx -s testing martin.carpenter@gmail.com<<EOF
~r/etc/hosts
~!id
EOF
alice@sunos:~$ ./foo
"/etc/hosts" 26/707
uid=1000(martin) gid=1000(martin)
!
alice@sunos:~$

The output indicates id(1) was run (and at least setgid handling is correct!). The received email contains the requested file:

-----Original Message-----
From: Martin Carpenter [mailto:mcarpenter@testbox.local] 
Sent: Tuesday, January 24, 2012 5:01 PM
To: Carpenter, Martin
Subject: testing

#
# Internet host table
#
...
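
One way to keep untrusted body text from being parsed as tilde escapes before it reaches mailx(1), as an added example that is not part of the original post. It assumes the default escape character `~` (mailx's `escape` variable unchanged); the function names, the `send_untrusted` wrapper and the `MAILX_CMD` variable are hypothetical.

```shell
#!/bin/sh
# Added example: neutralize tilde escapes in untrusted mail bodies.
# Assumption: mailx uses its default escape character "~".

# Count body lines that mailx would treat as tilde escapes (for logging).
count_tilde_lines() {
    grep -c '^~' || true    # grep exits 1 on zero matches but still prints 0
}

# Prefix a space to every line starting with "~" so the tilde is no longer
# the first character of the line, which is where mailx looks for escapes.
neutralize_tilde_lines() {
    sed 's/^~/ ~/'
}

# Hypothetical wrapper, usage: send_untrusted SUBJECT RECIPIENT < body
# MAILX_CMD exists only in this sketch so the mailer can be replaced in tests.
send_untrusted() {
    subject=$1
    rcpt=$2
    tmp=$(mktemp) || return 1
    cat > "$tmp"                       # buffer the untrusted body once
    hits=$(count_tilde_lines < "$tmp")
    if [ "$hits" -gt 0 ]; then
        # A tilde escape in form input is worth alerting on, not just fixing.
        echo "mail-wrapper: neutralized $hits tilde-escape line(s)" >&2
    fi
    neutralize_tilde_lines < "$tmp" | ${MAILX_CMD:-mailx} -s "$subject" "$rcpt"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Only the message body is filtered here; the subject and recipient arguments still need their own validation if they come from untrusted input.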

history

How old is this bug? Oracle support indicate that mailx versions right back to Solaris 8 are affected. Solaris 8 was released in February 2000 so perhaps at least 13 years. (I suspect nobody tested Solaris 7 and down... can't say I blame them). Debian heirloom and BSD mailx don't have this problem.

timeline