{"vuid":"VU#17215","idnumber":"17215","name":"SGI systems may execute commands embedded in mail messages","keywords":["security","netscape","irix","sgi","mailcap","mime","runexec","runtask"],"overview":"Some SGI systems produced circa 1998 allowed an intruder to send mail that would execute commands when the reader opened the message.","clean_desc":"On some SGI systems, Netscape is bundled with IRIX 6.3 and 6.4 and is used as the default web browser and mail reader. On these systems, the mailcap file has been extended to include the line application/x-sgi-exec; /usr/sysadm/bin/runexec %s; description=\"System Administration Executable\" application/x-sgi-task; /usr/sysadm/bin/runtask %s; description=\"System Administration Task\" The mailcap file is an association between content-type specifications and programs or commands to interpret those types. The system mailcap file usually resides in /etc/mailcap, /usr/etc/mailcap, or /usr/local/etc/mailcap; however, the location of the mailcap file is configurable by system administrators. Additionally, individuals can have their own mailcap file in $HOME/.mailcap. The entries in users' personal mailcap file will override the entries in the system mailcap file on an entry-by-entry basis. That is, the effective mapping of content-types to programs is the combination of the system mailcap file and the user's own mailcap file. In the case of a conflict, the user's own mailcap file has precedence. Although this description necessarily mentions Netscape Communicator, the vulnerability does not lie with Communicator. Any program that obeys the mailcap file, including metamail and programs that use metamail to provide MIME functionality, can be used to exploit this vulnerability. Netscape is mentioned because vulnerable systems ship with Netscape installed as the default mail reader and web browser.","impact":"Intruders may be able to execute arbitrary commands on vulnerable systems by inducing a victim to read appropriately crafted email messages and web pages. If privileged users use a vulnerable mail system to read a mail, an intruder may be able to gain root access.","resolution":"Modify the mailcap file to remove the runexec and runtask associations. Don't enable javascript by default.","workarounds":"","sysaffected":"","thanks":"Our thanks to Karl Stiefvater who reported this vulnerability to us.","author":"This document was written by Shawn V. Hernan.","public":["f","t","p",":","/","/","s","g","i","g","a","t","e",".","s","g","i",".","c","o","m","/","s","e","c","u","r","i","t","y","/","1","9","9","8","0","4","0","3","-","0","2","-","P","X",".","s","g","i","_","m","a","i","l","c","a","p"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"1998-06-23T20:04:40Z","publicdate":"1998-04-02T00:00:00Z","datefirstpublished":"2001-04-13T15:19:47Z","dateupdated":"2001-08-10T15:05:57Z","revision":10,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"19","cam_exploitation":"10","cam_internetinfrastructure":"10","cam_population":"15","cam_impact":"15","cam_easeofexploitation":"20","cam_attackeraccessrequired":"20","cam_scorecurrent":"65.8125","cam_scorecurrentwidelyknown":"67.5","cam_scorecurrentwidelyknownexploited":"84.375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":65.8125,"vulnote":null}