Escape sequences in mail input enabling remote code execution
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mailutils (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
The mail tool from mailutils executes commands read from stdin if the line begins with the escape sequence ~! or ~| as documented here:
https:/
Before GNU mailutils 3.13 this also applies / applied to non-interactive uses of mail, which may lead to remote code execution. This caused CVE-2021-32749 in fail2ban, described here:
https:/
The issue was fixed in mailutils upstream here:
https:/
Ubuntu versions up to (including) 21.10 still contain an unpatched mailutils package. I could reproduce the issue with this command from the fail2ban security advisory on Ubuntu 20.04:
printf "RCE: next line will execute command\n~! echo RCE is here\n" | mail -s "RCE" "$mail_address"
Going by the changelogs, Ubuntu's fail2ban packages up to 21.04 are also unpatched. Debian patched this issue in fail2ban 0.11.2-2 (at least that's my interpretation of "Fix a problem with mail" in the changelog a few days before the fail2ban security advisory release, combined with the following bug report linked below) and reverted that patch in fail2ban 0.11.2-5 because it caused problems with bsd-mailx and they had mailutils 3.13 by then:
https:/
I propose fixing this issue in mailutils for impish and older. jammy already has mailutils 3.13 with the upstream patch.
Note:
I confirmed the proof of concept from the fail2ban advisory (the `printf | mail` above) worked on focal and didn't work on jammy. I didn't personally try to trigger this through fail2ban. I don't have an old enough system with fail2ban currently set up and don't even use it's mail features, but thought I should report this anyhow after stumbling upon it on the fail2ban GitHub pages.
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/ /wiki.ubuntu. com/SecurityTea m/UpdateProcedu res