Write to arbitrary files (owned by your UID) from pine
|Description:||The Pine 3.95 & 3.96 attachment viewer will overwrite any file owned by the user running pine in his directory. You can put arbitrary data in this file. This "hole" is obviously only useful if Pine is being used as a restricted shell (there are numerous other problems with this, too).|
|Author:||Jesse Brown <bextreme@POBOX.COM>|
|Compromise:||break out of restricted pine "shell"|
|Vulnerable Systems:||Systems offering pine 3.95 & 3.96 restricted accounts to untrusted users |
|Date:||20 August 1997 |
Date: Wed, 20 Aug 1997 23:27:32 -0700
From: Jesse Brown <bextreme@POBOX.COM>
Subject: Pine Mail Client Bug
Hello Everyone. I would like to announce that I have discovered what appears
to be a rather serious bug in the Pine Mail Client, that allows a user of
Pine to overwrite ANY file, with ANY permissions or ownerships in their home
directory (including sub-directorys).
This bug can be used to overwrite a protected login script, or to overwrite
a resource file (like .pinerc). This can be of serious concern to those that
use Pine as a shell for users, as this can allow them to modify or create
files that could be used to gain shell access. (Such as .rhosts, .forward,
All that is required to exploit this apparent bug is to open up a message
attachment using the Pine attachment viewer, and save the attachment.
If you want to overwrite ANY file anywhere in the users home directory,
just enter the file name and select overwrite. This does not work outside
of the users home directory BTW.
The interesting thing about this is that it appears to completly bypass any
filesystem level security (permissions, owner, etc.). Also, when pine
overwrites the file it sets the mode to 622 (-rw-r--r--) and the owner to
the current user. (The pine executable IS NOT setuid root.)
I have verified this behavior on Pine version 3.95 & 3.96 on Linux systems.
So far I have not been able to find a version or system that is not
I do not currently know of any patch or fix for this behavior.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:
[ Nmap |
Sec Tools |
Mailing Lists |
Site News |