+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
			Open Source Security
		http://www.opensourcesecurity.com
			11-2002	Bug Advisory
			Author: BuRn-X
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Application:	Pine
Version:	4.44 (higher?)
Type:		Local

Description:

Well, there appears to be an exploitable bug in version 4.44 of the mail 
client Pine. Although this application does not seem to be suid on any 
Linux distribution, it is still important to obtain fixes and updates for
this bug. The bug exists in the application argument for the pine 
configuration file. The application immediately segfaults and crashes.

Demonstration:

root@darkstar:~# gdb /usr/bin/pine
GNU gdb 5.2
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r -x %n
Starting program: /usr/bin/pine -x %n
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x40243200 in _IO_vfprintf (s=0x8398230, 
    format=0x8396de0 "\n -- init_pinerc --\n\nGlobal config 
\"/usr/lib/pine/pine.conf\" is default\nPersonal config \"/root/.pinerc\" 
is default\nExceptions config \"%n\" comes from command line\n\n  Global 
config:     /usr/lib/pine/pi"..., ap=0xbfffe7e0) at vfprintf.c:1474
1474    vfprintf.c: No such file or directory.
        in vfprintf.c
(gdb) info reg
eax            0x80c0adc        135006940
ecx            0xbfffe7e0       -1073748000
edx            0x8398230        137986608
ebx            0x40314e58       1076973144
esp            0xbfffe194       0xbfffe194
ebp            0xbfffe79c       0xbfffe79c
esi            0x86     134
edi            0x8396de0        137981408
eip            0x40243200       0x40243200
eflags         0x10292  66194
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x4004a312       1074045714
foseg          0x2b     43
fooff          0xbffff4ec       -1073744660
---Type <return> to continue, or q <return> to quit---
fop            0x39d    925
xmm0           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
xmm1           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
xmm2           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
xmm3           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
xmm4           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
xmm5           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
xmm6           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
xmm7           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1
(gdb) bt
#0  0x40243200 in _IO_vfprintf (s=0x8398230, 
    format=0x8396de0 "\n -- init_pinerc --\n\nGlobal config 
\"/usr/lib/pine/pine.conf\" is default\nPersonal config \"/root/.pinerc\" 
is default\nExceptions config \"%n\" comes from command line\n\n  Global 
config:     /usr/lib/pine/pi"..., ap=0xbfffe7e0) at vfprintf.c:1474
#1  0x4024b90a in fprintf (stream=0x8398230, 
    format=0x8396de0 "\n -- init_pinerc --\n\nGlobal config 
\"/usr/lib/pine/pine.conf\" is default\nPersonal config \"/root/.pinerc\" 
is default\nExceptions config \"%n\" comes from command line\n\n  Global 
config:     /usr/lib/pine/pi"...) at fprintf.c:32
#2  0x081504b9 in strcpy () at ../sysdeps/generic/strcpy.c:31
#3  0x4021017d in __libc_start_main (main=0x814fcd0 <strcpy+1066188>, 
argc=3, 
    ubp_av=0xbffff914, init=0x804aa1c <_init>, fini=0x8218c10 <_fini>, 
    rtld_fini=0x4000a534 <_dl_fini>, stack_end=0xbffff90c)
    at ../sysdeps/generic/libc-start.c:129
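
In frames #0 and #1 the format= argument already contains the -x value, so text built from command-line input reaches fprintf() as the format string. The C below is an added example, not Pine's source: build_msg, debug_unsafe, debug_safe and count_directives are hypothetical names, and it puts that pattern beside the constant-format fix.

```c
#include <stdio.h>
#include <string.h>

/* Step 1, as the format= value in the backtrace suggests: the -x argument is
   copied into the debug text before that text reaches fprintf(). */
static void build_msg(char *buf, size_t n, const char *exc_path)
{
    snprintf(buf, n, "Exceptions config \"%s\" comes from command line\n", exc_path);
}

#ifdef SHOW_VULNERABLE   /* pattern shown for comparison; not compiled by default */
static void debug_unsafe(FILE *fp, const char *exc_path)
{
    char buf[512];
    build_msg(buf, sizeof buf, exc_path);
    fprintf(fp, buf);            /* text holding user data is used as the format */
}
#endif

/* Hardened form: constant format, user-influenced text only as an argument. */
int debug_safe(FILE *fp, const char *exc_path)
{
    char buf[512];
    build_msg(buf, sizeof buf, exc_path);
    return fprintf(fp, "%s", buf);
}

/* Review aid: count the conversion directives printf would act on if s were
   passed as a format string ("%%" is a literal percent and is skipped). */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    char buf[512];
    build_msg(buf, sizeof buf, "%n");     /* same argument as the gdb run above */
    printf("directives if used as format: %d\n", count_directives(buf));
    debug_safe(stdout, "%n");             /* prints the path literally */
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC flag the non-literal format in debug_unsafe when SHOW_VULNERABLE is defined.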


Final Analysis: 

;)~