From: SMTP%"PROBLEMS@TDR.COM" 9-APR-1994 10:20:27.20
To: EVERHART
CC:
Subj: 0021 - Mail or News can cause serious security holes

Date: Sat, 09 Apr 1994 01:45:00 -0500 (EST)
Message-Id: <94-0021.PROBLEMS@TDR.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
From: Problem Reporting Service
Subject: 0021 - Mail or News can cause serious security holes
Errors-To: MAIL-ERRORS@TDR.COM
To: Recipients of list Problems
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

-----

System: Any system having mail or news where the programs accept command streams in messages. Usually Unix-based 'mail' or equivalents.

Summary: Some systems treat the tilde character ("~"), when it is the first character of a line in a mail message, as an 'escape' sequence that issues a command to the mailer. In some cases this command can be the "!" shell escape followed by a shell command, and the command may be accepted even from non-interactive invocations, causing undesirable results, especially if the calling process has privileges!

Reported-By: Various plus personal experience

Interest-To: Anyone using a mailer or news processor that allows commands as part of the text stream.

Explanation: In some mailers, the tilde character "~" in column 1 of a line signals a command to the mailer or to certain other programs. This "tilde escape", as it is referred to, can also be the "shell escape" "~!", which causes the mailer to run a system command. This is a problem for systems that process commands carried in newsgroups, such as the mkgroup / rmgroup and other control features (except 'cancel', which allegedly isn't that dangerous). I have seen it myself in that sometimes I will mail myself or someone else an article I saw in a newsgroup, and am irritated because I got a message back indicating an error (usually because someone has a signature that starts with ~ and is in column 1).

I never thought about it until someone mentioned this. Some systems have news to mail (and vice-versa) gateways. If the account that processes the messages has privileges, and uses a mailer that accepts tilde escapes in non-interactive mode... I shudder to think about it. Or just think of the poor guy who suffers through explaining why he tried to erase every file on the system, because some slime decided to put the line

~!'rm' -rf / &

in column 1 of a message that the user then tried to mail to someone, erasing some public files of some people on the system and probably his private ones as well, plus detaching itself to make it harder to stop until it has done more damage. Or worse, if it's the administrator who discovers everything gets deleted.

Repair or Correction: With today's full-screen mailers, and all the other nice features, I think a tilde escape is a dangerous feature that should not be present. Even in interactive mode. Switch to a mailer that does not provide this feature. Also, software doing mail and/or news processing probably should not be privileged. If you need privileges, for example for moving files, send them via a daemon that does nothing but move certain files from one account to another.

------

Feel free to circulate this or other PROBLEMS messages. To Reply to this message, write to ; to subscribe use newsgroup or write .
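The following is an added example, not part of the original PROBLEMS report: a filter of the kind a news-to-mail gateway could place in front of a mailer that still honours tilde escapes, as described in the Explanation and Repair sections above. It assumes the BSD mail convention that a doubled tilde ("~~") in column 1 is taken as a literal tilde; the mailer command passed to gateway_send is a placeholder chosen by the operator.

```shell
#!/bin/sh
# Added example, not code from the original report. Neutralise column-1
# tildes in a message body before handing it to a tilde-escape mailer,
# and log any line that such a mailer would have run as a shell command.
# Assumption: "~~" at the start of a line means a literal "~" (BSD mail).

# Double every tilde that appears in column 1 so it is treated as text.
neutralize_tildes() {
    sed 's/^~/~~/'
}

# Count lines that a tilde-escape mailer would interpret as "~!" shell
# escapes. grep -c prints 0 when nothing matches but exits 1, hence || true.
count_shell_escapes() {
    grep -c '^~!' || true
}

# Read a message body on stdin, report would-be shell escapes (with line
# numbers) on stderr, then deliver the neutralised body through the mailer
# command given as arguments (placeholder), e.g.
#   gateway_send mail -s "subject" user < article
gateway_send() {
    body=$(cat)
    hits=$(printf '%s\n' "$body" | grep -n '^~!' || true)
    if [ -n "$hits" ]; then
        printf 'gateway: neutralised tilde shell escape(s):\n%s\n' "$hits" >&2
    fi
    printf '%s\n' "$body" | neutralize_tildes | "$@"
}
```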