(no subject)

From: Chris Wilson (cmw32at_private)
Date: Mon Sep 07 1998 - 04:18:28 PDT

    Hey people,
    
    I've discovered a vulnerability in Pine, tested on version 3.95q, but
    which probably applies to all versions up to 4.02. This vulnerability
    allows users to bypass site policies and use Pine to run arbitrary
    commands in the user's name. Many sites use site policies to disable this,
    in order to prevent users from running arbitrary commands.
    
    This vulnerability was reported to the authors last week, and they have
    very rapidly responded by releasing a new version, 4.03, which they claim
    fixes the bug. I haven't tested this for myself. The new version is
    available from ftp://ftp.cac.washington.edu/pine/pine.tar.Z (source code).
    
    The vulnerability is as follows: when setting up a printer, it is possible
    to choose the "Personally selected print command" option. This allows you
    to specify a command which Pine will run whenever it needs to print a
    document. By changing the value of this setting, it is possible to have an
    arbitrary command run for you when you print, say, an e-mail. Therefore,
    system administrators usually disable this ability with an option in their
    pine.conf.fixed file.
    
    When the SA has done this, users cannot choose a custom print command for
    themselves using Pine's Printer Setup. However, if they manually modify
    their .pinerc file, adding a line such as:
    
      printer=test [] echo Hello there! > test
    
    then this will override the Site Policies and, when a file is next printed
    from Pine, the command will be executed in contravention of the Site
    Policy.
    
    I recommend that all systems which restrict users' ability to run
    arbitrary commands and allow them to run Pine should be upgraded to Pine
    4.03.
    
    Cheers, Chris.
       ___ __     _
     /'__// / ,__(_)_ Wilson <Chris.Wilsonat_private> ----------------- -
    / (_ / ,\/ _/ /_ \ Webmaster/SysAdmin/Timelord/BOFH/Programmer --------- -
    \__//_/_/_//_/___/ "1998 isn't MCMXCVIII. The Romans would have used MIIM"
    
    DISCLAIMER: This message is not real. Nothing ever happened. I am a figment
    of your imagination. I do not exist. Bill Gates is good. Bill Gates is God.
    Buy Microsoft - everything will be all right. Trust in Bill.
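
An added example, not part of the original post and not code from Pine: one way an administrator could audit users' .pinerc files for a hand-edited `printer=` line like the one quoted in the message. The allowlist value, the sample file contents, and the reading of the line as `name [init] command` are assumptions made for this example.

```python
import re

# Assumed allowlist of printer values the site approves (constructed placeholder).
APPROVED_PRINTERS = {"approved-site-printer"}

# Shape of the line quoted in the post, read here as: <name> [<init>] <command>.
CUSTOM = re.compile(r"^(?P<name>[^\[\]]*?)\s*\[(?P<init>[^\]]*)\]\s*(?P<command>.+)$")


def printer_values(pinerc_text):
    """Return every uncommented `printer=` value found in a .pinerc file."""
    values = []
    for line in pinerc_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue  # skip comments and lines that are not settings
        key, _, val = stripped.partition("=")
        if key.strip() == "printer" and val.strip():
            values.append(val.strip())
    return values


def audit_pinerc(pinerc_text, approved=APPROVED_PRINTERS):
    """Return findings for printer values that are outside the site allowlist."""
    findings = []
    for value in printer_values(pinerc_text):
        if value in approved:
            continue
        match = CUSTOM.match(value)
        if match:
            # A command is embedded in the setting: report the command itself.
            findings.append(("custom-command", match.group("command")))
        else:
            findings.append(("unapproved-value", value))
    return findings


# Constructed sample files; EDITED contains the line from the post.
CLEAN = "# pinerc\nuser-domain=example.org\nprinter=approved-site-printer\n"
EDITED = "# pinerc\nprinter=test [] echo Hello there! > test\n"
COMMENTED = "# printer=test [] echo Hello there! > test\n"

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("edited", EDITED), ("commented", COMMENTED)):
        print(label, audit_pinerc(text))
```
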
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:13 PDT