+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Open Source Security
http://www.opensourcesecurity.com
11-2002 Bug Advisory
Author: BuRn-X
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Application: Pine
Version: 4.44 (later versions untested)
Type: Local

Description:

There appears to be a format string bug in version 4.44 of the mail client Pine. This application does not seem to be installed setuid on any Linux distribution, so a local user can only crash their own copy of it, but it is still important to obtain fixes and updates for this bug.

The bug is in the handling of the -x command-line option, which names the exceptions configuration file. Pine pastes that path into a debugging message produced by init_pinerc() and then passes the finished message to fprintf() as the format string (see the backtrace below), so any printf directives contained in the path are interpreted. Passing %n makes vfprintf() write the byte count through a pointer that was never supplied as an argument, so it dereferences whatever happens to be next on the stack, and the application immediately segfaults and crashes.

Demonstration:

root@darkstar:~# gdb /usr/bin/pine
GNU gdb 5.2
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r -x %n
Starting program: /usr/bin/pine -x %n
(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x40243200 in _IO_vfprintf (s=0x8398230, format=0x8396de0 "\n -- init_pinerc --\n\nGlobal config \"/usr/lib/pine/pine.conf\" is default\nPersonal config \"/root/.pinerc\" is default\nExceptions config \"%n\" comes from command line\n\n Global config: /usr/lib/pine/pi"..., ap=0xbfffe7e0) at vfprintf.c:1474
1474    vfprintf.c: No such file or directory.
        in vfprintf.c
(gdb) info reg
eax            0x80c0adc        135006940
ecx            0xbfffe7e0       -1073748000
edx            0x8398230        137986608
ebx            0x40314e58       1076973144
esp            0xbfffe194       0xbfffe194
ebp            0xbfffe79c       0xbfffe79c
esi            0x86             134
edi            0x8396de0        137981408
eip            0x40243200       0x40243200
eflags         0x10292          66194
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0
fctrl          0x37f            895
fstat          0x0              0
ftag           0xffff           65535
fiseg          0x23             35
fioff          0x4004a312       1074045714
foseg          0x2b             43
fooff          0xbffff4ec       -1073744660
fop            0x39d            925
xmm0           {f = {0x0, 0x0, 0x0, 0x0}} {f = {0, 0, 0, 0}}
xmm1           {f = {0x0, 0x0, 0x0, 0x0}} {f = {0, 0, 0, 0}}
xmm2           {f = {0x0, 0x0, 0x0, 0x0}} {f = {0, 0, 0, 0}}
xmm3           {f = {0x0, 0x0, 0x0, 0x0}} {f = {0, 0, 0, 0}}
xmm4           {f = {0x0, 0x0, 0x0, 0x0}} {f = {0, 0, 0, 0}}
xmm5           {f = {0x0, 0x0, 0x0, 0x0}} {f = {0, 0, 0, 0}}
xmm6           {f = {0x0, 0x0, 0x0, 0x0}} {f = {0, 0, 0, 0}}
xmm7           {f = {0x0, 0x0, 0x0, 0x0}} {f = {0, 0, 0, 0}}
mxcsr          0x1f80           8064
orig_eax       0xffffffff       -1
(gdb) bt
#0  0x40243200 in _IO_vfprintf (s=0x8398230, format=0x8396de0 "\n -- init_pinerc --\n\nGlobal config \"/usr/lib/pine/pine.conf\" is default\nPersonal config \"/root/.pinerc\" is default\nExceptions config \"%n\" comes from command line\n\n Global config: /usr/lib/pine/pi"..., ap=0xbfffe7e0) at vfprintf.c:1474
#1  0x4024b90a in fprintf (stream=0x8398230, format=0x8396de0 "\n -- init_pinerc --\n\nGlobal config \"/usr/lib/pine/pine.conf\" is default\nPersonal config \"/root/.pinerc\" is default\nExceptions config \"%n\" comes from command line\n\n Global config: /usr/lib/pine/pi"...) at fprintf.c:32
#2  0x081504b9 in strcpy () at ../sysdeps/generic/strcpy.c:31
#3  0x4021017d in __libc_start_main (main=0x814fcd0, argc=3, ubp_av=0xbffff914, init=0x804aa1c <_init>, fini=0x8218c10 <_fini>, rtld_fini=0x4000a534 <_dl_fini>, stack_end=0xbffff90c) at ../sysdeps/generic/libc-start.c:129

What the backtrace shows: frame #1 is fprintf() being handed the already-assembled status message as its format argument, with the command-line value %n embedded in it; frame #0 is vfprintf() faulting while processing that directive. Frame #2 is labelled strcpy() only because the pine binary is stripped (note the "no debugging symbols found" messages); the address 0x081504b9 lies in pine's own text segment, not in libc, so it is the calling pine function, not a real strcpy() frame.

Final Analysis: ;)~
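The following is an added example written for this page, not Pine's source, that reproduces the pattern the backtrace points to and shows the fix beside it. The function names build_message, report_vulnerable, report_fixed, count_directives, directives_for_path and fixed_keeps_path_literal are invented for illustration, and the message text is a stand-in for the init_pinerc() status line. The vulnerable sink is only ever called with a benign path here; feeding it %n produces the same crash as the gdb session above.

```c
/* Constructed example: a stand-in for Pine's init_pinerc() debug
 * message, NOT Pine's source. All names below are invented. */
#include <stdio.h>
#include <string.h>

#define MSG_MAX 512

/* Build the status line the way the vulnerable program does: the
 * untrusted -x path is pasted into a buffer that is later used as a
 * format string. This snprintf() is correct on its own; the bug is in
 * the second printf-family call, in report_vulnerable(). */
static int build_message(char *dst, size_t dstlen, const char *path)
{
    return snprintf(dst, dstlen,
                    "Exceptions config \"%s\" comes from command line\n",
                    path);
}

/* Count the conversion directives vfprintf() would act on in s:
 * every '%' except the escaped "%%". */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* literal percent sign, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* How many directives the vulnerable sink would interpret for a
 * given -x argument (0 for any sane path). */
int directives_for_path(const char *path)
{
    char msg[MSG_MAX];
    build_message(msg, sizeof msg, path);
    return count_directives(msg);
}

/* VULNERABLE sink: the pre-built message is the format argument.
 * With path "%n" this is the fprintf() call in the backtrace: %n
 * writes the byte count through an int * that was never passed, so
 * vfprintf() dereferences whatever is next on the stack. Never
 * called with hostile input anywhere in this file. */
void report_vulnerable(FILE *out, const char *path)
{
    char msg[MSG_MAX];
    build_message(msg, sizeof msg, path);
    fprintf(out, msg);          /* BUG: attacker controls the format */
}

/* FIXED sink: constant format string, message passed as a %s
 * argument, so a '%' inside the path is printed literally. */
void report_fixed(FILE *out, const char *path)
{
    char msg[MSG_MAX];
    build_message(msg, sizeof msg, path);
    fprintf(out, "%s", msg);
}

/* The same fix applied to a buffer so the result can be inspected:
 * returns 1 if the path appears verbatim in the rendered output. */
int fixed_keeps_path_literal(const char *path)
{
    char msg[MSG_MAX], rendered[MSG_MAX];
    build_message(msg, sizeof msg, path);
    snprintf(rendered, sizeof rendered, "%s", msg);
    return strstr(rendered, path) != NULL;
}

int main(void)
{
    const char *hostile = "%n";             /* the argument from the advisory */
    printf("directives the vulnerable sink would interpret: %d\n",
           directives_for_path(hostile));
    report_fixed(stdout, hostile);          /* prints %n literally */
    report_vulnerable(stdout, "/root/.pinerc.exceptions"); /* benign path only */
    return 0;
}
```

Compiling with gcc -Wformat-security flags the fprintf(out, msg) call in report_vulnerable() as a non-literal format with no arguments, which is exactly the audit check that would have caught the Pine call; the fix is never to sanitise the path but to keep the format string constant and pass data as arguments.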