
Vulnerability Note VU#17215

SGI systems may execute commands embedded in mail messages

Overview

Some SGI systems produced circa 1998 allowed an intruder to send mail that would execute commands when the reader opened the message.

I. Description

On some SGI systems, Netscape is bundled with IRIX 6.3 and 6.4 and is used as the default web browser and mail reader. On these systems, the mailcap file has been extended to include the lines

    application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
    description="System Administration Executable"


    application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
    description="System Administration Task"

The mailcap file is an association between content-type specifications and programs or commands to interpret those types. The system mailcap file usually resides in /etc/mailcap, /usr/etc/mailcap, or /usr/local/etc/mailcap; however, the location of the mailcap file is configurable by system administrators. Additionally, individuals can have their own mailcap file in $HOME/.mailcap. The entries in users' personal mailcap file will override the entries in the system mailcap file on an entry-by-entry basis. That is, the effective mapping of content-types to programs is the combination of the system mailcap file and the user's own mailcap file. In the case of a conflict, the user's own mailcap file has precedence.

Although this description necessarily mentions Netscape Communicator, the vulnerability does not lie with Communicator. Any program that obeys the mailcap file, including metamail and programs that use metamail to provide MIME functionality, can be used to exploit this vulnerability. Netscape is mentioned because vulnerable systems ship with Netscape installed as the default mail reader and web browser.

II. Impact

Intruders may be able to execute arbitrary commands on vulnerable systems by inducing a victim to read appropriately crafted email messages and web pages. If privileged users use a vulnerable mail system to read mail, an intruder may be able to gain root access.

III. Solution

Modify the mailcap file to remove the runexec and runtask associations.
Don't enable JavaScript by default.
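
One way to check whether the runexec and runtask associations are still in effect once the system and per-user mailcap files are combined, with the user's entries taking precedence as described above. This is an added example, not part of the original note or SGI's tooling; the function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Handler programs this note says to remove from mailcap.
RISKY_HANDLERS = {"runexec", "runtask"}

def parse_mailcap(text):
    """Map content-type -> view command for one mailcap file's text."""
    entries = {}
    joined = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) >= 2 and fields[1]:
            # The first entry for a type wins within a single file.
            entries.setdefault(fields[0].lower(), fields[1])
    return entries

def effective_mapping(system_text, user_text=""):
    """Combine both files; the user's entries override the system's."""
    merged = parse_mailcap(system_text)
    merged.update(parse_mailcap(user_text))
    return merged

def find_risky(mapping):
    """Return sorted (type, command) pairs whose command runs a risky handler."""
    hits = []
    for ctype, cmd in mapping.items():
        names = {tok.strip("'\"").rsplit("/", 1)[-1] for tok in cmd.split()}
        if names & RISKY_HANDLERS:
            hits.append((ctype, cmd))
    return sorted(hits)

# Constructed sample files (assumed contents, not from a real system).
SYSTEM_VULNERABLE = r"""
text/html; netscape %s
application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
    description="System Administration Executable"
application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
    description="System Administration Task"
"""
SYSTEM_FIXED = "text/html; netscape %s\n"
USER_LEFTOVER = "application/x-sgi-task; /usr/sysadm/bin/runtask %s\n"

if __name__ == "__main__":
    print(find_risky(effective_mapping(SYSTEM_VULNERABLE)))
    print(find_risky(effective_mapping(SYSTEM_FIXED)))
    print(find_risky(effective_mapping(SYSTEM_FIXED, USER_LEFTOVER)))
```

The third case shows why cleaning only the system file is not enough: an entry left in $HOME/.mailcap still appears in the effective mapping.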

Systems Affected

Vendor    Status        Date Updated
SGI       Vulnerable    13-Apr-2001

References

http://www.cert.org/vendor_bulletins/VB-98.03.sgi_mailcap
ftp://sgigate.sgi.com/security/19980403-02-PX.sgi_mailcap

Credit

Our thanks to Karl Stiefvater who reported this vulnerability to us.

This document was written by Shawn V. Hernan.

Other Information

Date Public: 04/02/1998
Date First Published: 04/13/2001 11:19:48 AM
Date Last Updated: 08/10/2001
CERT Advisory:
CVE Name:
US-CERT Technical Alerts:
Metric: 65.81
Document Revision: 9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2001 Carnegie Mellon University