Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-++->

[ Authors ]
    joernchen <joernchen () phenoelit de>

    Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
    sup <= 0.14.1 (on non Darwin systems)
    sup <= 0.13.2 (on non Darwin systems)
    http://supmua.org

[ Vendor communication ]
    2013-10-28 Sent vulnerability details to sup maintainer
    2013-10-28 Maintainer proposes fix
    2013-10-29 Sup 0.13.2.1 and 0.14.1.1 are released [1]
    2013-10-29 Release of this advisory

[ Description ]
    Observe in sup/lib/sup/message_chunks.rb:

        def view_default! path
          ## please see note in write_to_disk on important usage
          ## of quotes to avoid remote command injection.
          case RbConfig::CONFIG['arch']
          when /darwin/
            cmd = "open #{path}"
          else
            cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
          end
          debug "running: #{cmd.inspect}"
          BufferManager.shell_out(cmd)
          $? == 0
        end

    Here @content_type is attacker controlled and not sanitized further
    before being interpolated into a string that is handed to the shell.
    A forged content type on an email attachment can therefore trigger
    a command injection.

[ Example ]
    For convenience the email delivering this file serves as an example.
    When viewing this attachment in a vulnerable version of sup, the
    content type being "text/'`id>/tmp/whatsup`'pwn" will generate a
    file "whatsup" in the /tmp directory.

[ Solution ]
    Upgrade to version 0.14.1.1 or 0.13.2.1

[ References ]
    [0] https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175
    [1] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html

[ end of file ]