Vulnerability Note VU#17215

SGI systems may execute commands embedded in mail messages

Original Release date: 13 Apr 2001 | Last revised: 10 Aug 2001

Overview

Some SGI systems produced circa 1998 allowed an intruder to send mail that would execute commands when the reader opened the message.

Description

On some SGI systems, Netscape is bundled with IRIX 6.3 and 6.4 and is used as the default web browser and mail reader. On these systems, the mailcap file has been extended to include the line

    application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
    description="System Administration Executable"


    application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
    description="System Administration Task"

The mailcap file is an association between content-type specifications and programs or commands to interpret those types. The system mailcap file usually resides in /etc/mailcap, /usr/etc/mailcap, or /usr/local/etc/mailcap; however, the location of the mailcap file is configurable by system administrators. Additionally, individuals can have their own mailcap file in $HOME/.mailcap. The entries in users' personal mailcap file will override the entries in the system mailcap file on an entry-by-entry basis. That is, the effective mapping of content-types to programs is the combination of the system mailcap file and the user's own mailcap file. In the case of a conflict, the user's own mailcap file has precedence.

Although this description necessarily mentions Netscape Communicator, the vulnerability does not lie with Communicator. Any program that obeys the mailcap file, including metamail and programs that use metamail to provide MIME functionality, can be used to exploit this vulnerability. Netscape is mentioned because vulnerable systems ship with Netscape installed as the default mail reader and web browser.

Impact

Intruders may be able to execute arbitrary commands on vulnerable systems by inducing a victim to read appropriately crafted email messages and web pages. If privileged users use a vulnerable mail system to read a mail, an intruder may be able to gain root access.

Solution

Modify the mailcap file to remove the runexec and runtask associations.
Don't enable javascript by default.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
SGIAffected-13 Apr 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Our thanks to Karl Stiefvater who reported this vulnerability to us.

This document was written by Shawn V. Hernan.

Other Information

  • CVE IDs: Unknown
  • Date Public: 02 Apr 98
  • Date First Published: 13 Apr 2001
  • Date Last Updated: 10 Aug 2001
  • Severity Metric: 65.81
  • Document Revision: 9

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.