
hhp-pine_adv0004.txt

Posted Aug 17, 1999
Authored by hhp, elaich aka LoopHole of the hhp

The Pine MUA up to and including v4.10 contains a security hole that allows a malicious remote attacker to potentially execute arbitrary code, possibly resulting in root compromise. Exploit code included.

tags | exploit, remote, arbitrary, root
SHA-256 | 3054c916fc2bce91bd674955b51935253d8747420055d286dc452841681903dd

                      The hhp presents...

The hhp-pine remote exploit advisory.
6/22/99
By: elaich aka LoopHole of the hhp.
http://hhp.hemp.net/
#---------------------------------------------------------#

A few months ago I found a bigger problem with the
charset bug than imagined. With a uuencode/uudecode
method in the charset, and an index.html of a site, it's
possible to run any program/script wanted to on the remote
system. When the email is read it launches lynx -source
and grabs the index.html which is then uudecoded and run.
This includes root and non-root users infected. Many big
servers run pine, and having fingerd running, most of the
time allows us complete access to get every username on the
server, which then is simple to send the infected emails to
each user.
We have tested this on our own systems with full success.
These operating systems include BSD, Linux, IRIX, AIX, SCO,
and SunOS.
I'm sure this will be fixed in the newer version along
with the patch already made for the current version.
hhp-pine.tar is available to download at our site,
http://hhp.hemp.net/.

The current pine 4.10 patch is available to download at
http://www.geek-girl.com/bugtraq/1999_1/0532.html


Jobs/Probs/Bugs/Etc. -> hhp@hhp.hemp.net
#---------------------------------------------------------#

-elaich

-----------------------------------------
elaich of the hhp. hhp-1999(c)
Email: hhp@hhp.hemp.net
Web: http://hhp.hemp.net/
Phone: 713-451-6972
hhp-ms: hhp.hemp.net, port:7777, pass:hhp
-----------------------------------------


------------------------------------------------------------------

Date: Fri, 25 Jun 1999 12:18:27 -0700
From: John D. Hardin <jhardin@WOLFENET.COM>
To: BUGTRAQ@netspace.org
Subject: Re: hhp: Remote pine exploit.

On Tue, 22 Jun 1999, Elaich Of Hhp wrote:

> A few months ago I found a bigger problem with the
> charset bug than imagined. With a uuencode/uudecode
> method in the charset, and an index.html of a site, it's
> possible to run any program/script wanted to on the remote
> system. When the email is read it launches lynx -source
> and grabs the index.html which is then uudecoded and run.
> This includes root and non-root users infected. Many big
> servers run pine, and having fingerd running, most of the
> time allows us complete access to get every username on the
> server, which then is simple to send the infected emails to
> each user.
> We have tested this on our own systems with full success.
> These operating systems include BSD, Linux, IRIX, AIX, SCO,
> and SunOS.
> I'm sure this will be fixed in the newer version along
> with the patch already made for the current version.
> hhp-pine.tar is available to download at our site,
> http://hhp.hemp.net/.
>
> The current pine 4.10 patch is available to download at
> http://www.geek-girl.com/bugtraq/1999_1/0532.html

Since this is a variant on the command-line-in-a-MIME-header exploit
that was described earlier, it is defanged by the procmail sanitizer.

--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Efficiency can magnify good, but it magnifies evil just as well.
So, we should not be surprised to find that modern electronic
communication magnifies stupidity as *efficiently* as it magnifies
intelligence.
-- Robert A. Matern
-----------------------------------------------------------------------
76 days until 9/9/99
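
Added example (not part of the advisory, the reply, or the procmail sanitizer's own code): a mail-side check in the spirit of the reply above, which flags any charset parameter that is not a plain charset name and rewrites it before a mail client sees it. It assumes the bug concerns the Content-Type charset parameter; the allowlist pattern, the us-ascii replacement value and the sample message are constructed for illustration.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Assumption: legitimate charset names need only letters, digits and a few
# punctuation marks, so anything else in the parameter is treated as hostile.
SAFE_CHARSET = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}")
REPLACEMENT = "us-ascii"  # hypothetical choice of neutral value


def audit_and_defang(raw_message):
    """Return (findings, cleaned_message_text).

    findings lists (content_type, offending_charset) for every MIME part
    whose charset parameter is not a plain charset name.
    """
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        value = part.get_param("charset")
        if value is None:
            continue
        # RFC 2231 encoded parameters come back as a tuple; flatten them.
        value = collapse_rfc2231_value(value)
        if SAFE_CHARSET.fullmatch(value) is None:
            findings.append((part.get_content_type(), value))
            part.set_param("charset", REPLACEMENT)
    return findings, msg.as_string()


# Constructed sample: the charset carries shell metacharacters around a
# placeholder instead of a real command.
SAMPLE = (
    "From: sender@example.org\n"
    "To: user@example.org\n"
    "Subject: constructed test message\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="iso-8859-1`PLACEHOLDER`"\n'
    "\n"
    "body\n"
)

if __name__ == "__main__":
    found, cleaned = audit_and_defang(SAMPLE)
    for ctype, charset in found:
        print("rejected charset %r on %s part" % (charset, ctype))
    print(cleaned)
```

The check rejects by allowlist rather than by searching for known-bad characters, so it does not depend on which shell the mail client hands the value to.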
