On Tue, 3 Feb 2004 09:34:47 -0800
Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Chris Higgins (chris.higgins at darach.ie):
> > > * Convince the victim to unpack and execute binary mail
> > > attachments
> >
> > Just 'cause they use linux, doesn't mean they won't open the
> > attachment
> When you say "open", do you mean view or execute? "Open" is a concept
> from some luser-OS or other; I'm not used to hearing it on Linux.
Really ?
What do _you_ do with attached .ps .pdf .jpg .gif files in your
MUA ? You probably hand the binary file information off to an application
which processes it and displays it. What is the fundamental difference
between that, and 'executing' a binary. ( Other than the fact that
'executing' a binary requires a 'chmod +x' ).
So 'view'/'execute' are the same thing - (if you want to split hairs,
and I'm in a hair-splitting mood at the moment).
To answer your question then, "do I mean view OR execute". My
answer is "Yes" :-)
Executing a "briffney-nude.jpg" if the mime-type is
"application/x-shar", and briffney-nude.jpg is a shar
archive - might not even require the extract and
chmod +x step. Actually I just tested it with "application/x-sh"
and a single line shell script that ran 'touch /tmp/hacked-ya'.
My mailcap has an application/x-sh entry that says 'run sh'.
My /tmp now contains
luggage:/tmp> ls -lt
total 13884
-rw-r--r-- 1 chris chris 0 2004-02-04 11:38 hacked-ya
My MUA happily passed briffney-nude.jpg to metamail with the
mime type advertised in my attachment.
How long before someone writes a perl worm that impersonates a
.pdf document - and when you "launch/view/execute/open" the attachment,
the perl proggie goes and extracts the .pdf payload and
displays it - so you don't know any different - and the little
proggie continues to run in the background ? Imagine how many
people would open a .pdf file they are sent which purported to
be an insiders list of the files that SCO think they own.
How long will the MUA's continue to provide mime type details
on screen, how many people will read it ?
Postscript is a nice cute programming language ( if you want to
look at it that way ) - why not exploit it to do other things
than render images. So it doesn't have to be an attached
scripted language.
Are you assuming there will never be a buffer overflow in
acroread / xpdf / gimp / gview / ghostscript / qiv ?
> Please give an example of a Linux MUA that will execute, without the
> user taking some very specific "I want to run this executable I received
> in the mail" action, your choice of an executable attachment type.
> For your convenience here's a list of 122 Linux MUAs:
> "MUAs" on http://linuxmafia.com/kb/Mail
Hang on a sec, and I'll add lusermua - which has that one specific
feature :-)
Given my test above, any MUA that passes briffney-nude.jpg
to metamail (with my application/x-sh mime-type ) will
suffice ( assuming a suitable mailcap entry ) -
I don't know how many of the 122 will do that, I'll leave it
as an exercise...
I don't know how many people are unfortunate enough to have scripted
languages in their .mailcap - but what happens if I try to
print it using cups - its mime.types does have loads of
scripted language entries.
How long before we end up with one mime.types file
on the system - so scripted attachment attacks can become
child's play ( or is that kiddie-scripted )
> Don't forget to specify your choice of executable attachment type
> (PostScript, PDF, Flash, whatever) and the means by which it not only
> runs but also then cracks root on a modern, not-entirely-unmaintained
> Linux system without the user noticing and killing the process.
'running' and cracking root are two separate steps, the second of which
is not as impossible as you make it seem. It's entirely possible that
we have more local root exploits that remain hidden.
It's also entirely possible that the worm doesn't want or care for
root access - userlevel access is enough to do remote DDOS attacks.
Modify the users login scripts and you can be fairly well assured
that you will still be there after a reboot.
> (The term "not-entirely-unmaintained" is intended to exclude the sort
> of example an alleged expert from SecurityFocus gave me of exploiting
> a RH 7.1 package that had been notoriously vulnerable for 2.5 years.
> Don't just say "local root escalation".)
"local root escalation" - "local root escalation" -
"local root escalation" - "local root escalation" -
"local root escalation" - "local root escalation" -
:-)
> --
> Cheers,                 Founding member of the Hyphenation Society, a
> Rick Moen               grassroots-based, not-for-profit, locally-owned-and-operated,
> rick at linuxmafia.com  cooperatively-managed, modern-American-English-usage-improvement
>                         association.
Shouldn't that be Hyphenation-Society ?
> --
> Irish Linux Users' Group
> http://www.linux.ie/mailman/listinfo/ilug/
--
Chris Higgins Cisco Learning Partner
Darach Technology Ltd tel: +353-1-6204370
email: chris.higgins at darach.ie fax: +353-1-6204371
http://www.darach.ie
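The mailcap test Chris describes above (a part named briffney-nude.jpg advertised as application/x-sh and handed to sh), as an added example that is not part of the original post and is not metamail's or any MUA's code. It emulates the one piece of RFC 1524 mailcap behaviour that matters here: the handler is chosen from the declared Content-Type, never from the filename. The mailcap, both MIME parts and the extension table are constructed for the demo, the payload only echoes a string rather than touching /tmp, and the real mailcap lookup also honours test= and needsterminal fields, which this emulation leaves out. The declared_type_mismatch function at the end is the obvious check a MUA could make before passing a "picture" to an interpreter; it is an assumption about what a sensible client would do, not something the post claims any MUA does.

```shell
#!/bin/sh
# Added example, not code from the original post: emulate how a mailcap-driven
# dispatcher (metamail and the MUAs that call it) picks a handler from the
# *declared* Content-Type of a MIME part, never from the filename.
# The mailcap, the MIME parts and the extension table below are constructed.

# Constructed mailcap in the style the post describes: an application/x-sh
# entry that simply hands the part to sh.
MAILCAP='image/jpeg; xv %s
application/pdf; xpdf %s
application/x-sh; sh %s'

# Constructed MIME part: the name says .jpg, the advertised type says script.
PART='Content-Type: application/x-sh; name="briffney-nude.jpg"
Content-Disposition: attachment; filename="briffney-nude.jpg"

echo hacked-ya
'

# Constructed benign part for comparison: name and declared type agree.
GOOD='Content-Type: image/jpeg; name="cat.jpg"
Content-Disposition: attachment; filename="cat.jpg"

not really a jpeg, but nobody will hand it to an interpreter
'

# content_type PART -> lower-cased media type from the Content-Type header
content_type() {
    printf '%s\n' "$1" |
        sed -n 's/^[Cc]ontent-[Tt]ype:[[:space:]]*\([^;[:space:]]*\).*/\1/p' |
        head -n 1 | tr 'A-Z' 'a-z'
}

# attachment_name PART -> filename= parameter from the part headers
attachment_name() {
    printf '%s\n' "$1" | sed -n 's/.*filename="\([^"]*\)".*/\1/p' | head -n 1
}

# mailcap_handler TYPE -> command template for TYPE from $MAILCAP, or nothing
mailcap_handler() {
    printf '%s\n' "$MAILCAP" | awk -F';' -v t="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == t { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# dispatch PART -> the command a mailcap viewer would run for PART, chosen by
# declared type alone, with %s replaced by the attachment name
dispatch() {
    tpl=$(mailcap_handler "$(content_type "$1")")
    [ -n "$tpl" ] || return 1
    printf '%s\n' "$tpl" | sed "s|%s|$(attachment_name "$1")|"
}

# run_part PART -> save the body in a scratch directory and run the mailcap
# command on it, as metamail would; prints whatever the "viewer" printed
run_part() {
    dir=$(mktemp -d)
    name=$(attachment_name "$1")
    printf '%s\n' "$1" | sed '1,/^$/d' > "$dir/$name"   # body = after first blank line
    cmd=$(printf '%s\n' "$(mailcap_handler "$(content_type "$1")")" | sed "s|%s|$dir/$name|")
    (cd "$dir" && eval "$cmd")
    rm -rf "$dir"
}

# type_by_extension NAME -> the type a user would *assume* from the filename
# (constructed table, deliberately small)
type_by_extension() {
    case "$1" in
        *.jpg|*.jpeg) echo image/jpeg ;;
        *.pdf)        echo application/pdf ;;
        *.ps)         echo application/postscript ;;
        *.sh)         echo application/x-sh ;;
        *)            echo application/octet-stream ;;
    esac
}

# declared_type_mismatch PART -> exit 0 when the advertised Content-Type does
# not match what the filename suggests: the check a MUA could make before
# handing a "picture" to an interpreter (an assumption, not something any
# named MUA is claimed to do)
declared_type_mismatch() {
    [ "$(content_type "$1")" != "$(type_by_extension "$(attachment_name "$1")")" ]
}

printf 'declared type : %s\n' "$(content_type "$PART")"
printf 'mailcap runs  : %s\n' "$(dispatch "$PART")"
if declared_type_mismatch "$PART"; then
    echo 'warning: filename and Content-Type disagree'
fi
printf 'viewer output : %s\n' "$(run_part "$PART")"
```

Run it with sh and the "viewer" chosen for the .jpg is `sh briffney-nude.jpg`, exactly the view-equals-execute point above; the same lookup gives `xv cat.jpg` for the benign part. Whether a given MUA is exposed depends only on whether it passes the declared type through to a mailcap that has an interpreter entry for it, which is why the post's "any MUA that hands it to metamail" framing is the right one.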