Write to arbitrary files (owned by your UID) from pine

Summary
Description:The Pine 3.95 & 3.96 attachment viewer will overwrite any file owned by the user running pine in his directory. You can put arbitrary data in this file. This "hole" is obviously only useful if Pine is being used as a restricted shell (there are numerous other problems with this, too).
Author:Jesse Brown <bextreme@POBOX.COM>
Compromise:break out of restricted pine "shell"
Vulnerable Systems:Systems offering pine 3.95 & 3.96 restricted accounts to untrusted users
Date:20 August 1997
Details


Date: Wed, 20 Aug 1997 23:27:32 -0700
From: Jesse Brown <bextreme@POBOX.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Pine Mail Client Bug

 Hello Everyone. I would like to announce that I have discovered what appears
to be a rather serious bug in the Pine Mail Client, that allows a user of
Pine to overwrite ANY file, with ANY permissions or ownerships in their home
directory (including sub-directorys).

 This bug can be used to overwrite a protected login script, or to overwrite
a resource file (like .pinerc). This can be of serious concern to those that
use Pine as a shell for users, as this can allow them to modify or create
files that could be used to gain shell access. (Such as .rhosts, .forward,
etc.)

 All that is required to exploit this apparent bug is to open up a message
attachment using the Pine attachment viewer, and save the attachment.
 If you want to overwrite ANY file anywhere in the users home directory,
just enter the file name and select overwrite. This does not work outside
of the users home directory BTW.

 The interesting thing about this is that it appears to completly bypass any
filesystem level security (permissions, owner, etc.). Also, when pine
overwrites the file it sets the mode to 622 (-rw-r--r--) and the owner to
the current user. (The pine executable IS NOT setuid root.)

 I have verified this behavior on Pine version 3.95 & 3.96 on Linux systems.
So far I have not been able to find a version or system that is not
susceptable.

 I do not currently know of any patch or fix for this behavior.

   Sincerly,
     Jesse Brown

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]