A mailx(1) invocation to send email that takes untrusted input in the body of the email can be used to execute arbitrary commands or mail out files. This is due to tilde-escape handling in mailx(1) remaining active even when it is not executed from an interactive session.
mailx(1) is a venerable Solaris command line utility for the sending and reading of email that dates all the way back to System V Release 3.
As part of its slightly arcane syntax one can write "tilde escapes" into an email's body and these will act as commands to mailx(1). For example, you can read a file into the email body, add recipients to the carbon-copy list, or execute arbitrary commands.
Many commands have the ability to "shell out" like this (eg ftp(1)) and you can see why this could be useful in a world before job control and xterms. But obviously if you're using mailx(1) as a component of a larger system (eg to allow external web users to send comments via an HTML form to your internal support staff) then you certainly wouldn't want untrusted email text from the outside to execute arbitrary commands on your system.
Fortunately the elders thought of this, disabling tilde escapes unless mailx(1) is run from a TTY. There's even a flag to re-enable tilde escapes if you're TTYless and you want them:

    -~    Interpret tilde escapes in the input even if not reading from a tty.
Unfortunately this doesn't work in mailx(1) in Solaris 8, 9, 10 or 11. mailx(1) interprets tilde escapes even when it's not invoked from a TTY, so the -~ flag is redundant. Oops.
alice@sunos:~$ cat foo
#!/bin/sh
mailx -s testing email@example.com<<EOF
~r/etc/hosts
~!id
EOF
alice@sunos:~$ ./foo
"/etc/hosts" 26/707
uid=1000(martin) gid=1000(martin)
!
alice@sunos:~$
The output indicates that id(1) was run (and at least setgid handling is correct!). The received email contains the requested file:
-----Original Message-----
From: Martin Carpenter [mailto:firstname.lastname@example.org]
Sent: Tuesday, January 24, 2012 5:01 PM
To: Carpenter, Martin
Subject: testing

#
# Internet host table
#
...
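One defensive approach for the form-to-support setup described above, as an added example that is not from the original post: a small POSIX shell wrapper that either rejects an untrusted body containing tilde escapes or neutralises them before the text is piped to mailx. It relies on two documented mailx behaviours (an escape is only recognised when the tilde is the first character of a line, and ~~ yields a literal tilde); the function names and the sample body are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post: guard an untrusted message
# body before it reaches mailx on stdin. mailx recognises a tilde escape
# only when '~' is the first character of a line, and documents '~~' as
# "insert a literal ~ at the start of the line", so a leading tilde can
# either be used to reject the body or be doubled to make it inert.

# Count the lines mailx would treat as escapes: a leading '~' that is not
# the literal-tilde form '~~'. Always prints a number (grep -c exits 1 on
# zero matches, which the '|| true' absorbs).
count_active_escapes() {
    grep -v '^~~' | grep -c '^~' || true
}

# Policy A: refuse the body outright if it contains any active escape.
classify_body() {
    if [ "$(count_active_escapes)" -gt 0 ]; then
        echo reject
    else
        echo ok
    fi
}

# Policy B: keep the text but double every leading tilde so mailx sees a
# literal '~' instead of a command.
neutralize_tilde_escapes() {
    sed 's/^~/~~/'
}

# Constructed sample body, modelled on the post's foo script. The fourth
# line has its '~' indented, so it is not at column 0 and not an escape.
SAMPLE_BODY='Hello support,
~r/etc/hosts
~!id
  ~!id here is plain text
Thanks'

# Safe invocation pattern for Policy B (mailx is not run in this demo):
#   neutralize_tilde_escapes < body.txt | mailx -s "$subject" "$to"
demo() {
    printf 'verdict: %s\n' "$(printf '%s\n' "$SAMPLE_BODY" | classify_body)"
    printf '%s\n' "$SAMPLE_BODY" | neutralize_tilde_escapes
}
```

Rejection (Policy A) is the simpler choice for a web form, since a legitimate comment has no reason to start a line with a tilde; doubling (Policy B) preserves the user's text at the cost of trusting mailx's ~~ handling.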
How old is this bug? Oracle support indicates that mailx versions right back to Solaris 8 are affected. Solaris 8 was released in February 2000 so perhaps at least 13 years. (I suspect nobody tested Solaris 7 and down... can't say I blame them). Debian heirloom and BSD don't have this problem.