Re: your mail

From: Matt Watson (sideshowat_private)
Date: Mon Sep 07 1998 - 12:18:17 PDT


    To add onto this, this can also be done using the spell checker. If you
    enter "/bin/sh" as your custom spell checker, then compose a message and
    in that message put "/bin/sh" as the content, then run the checker by
    hitting ctrl-t, you will be prompted with a shell prompt.  However, this is
    useless on most systems as the user has a shell to begin with.  But on
    some systems they give out "pine accounts" having their default shell set
    to pine, which gives them no shell access. But if they were to do the above
    they would get to the shell prompt.  This has been tested on 3.96, and I
    imagine it has been fixed in 4.03 as long as the system administrator sets
    the default value as fixed.
    
    -- Matt Watson
    
    On Mon, 7 Sep 1998, Chris Wilson wrote:
    
    > Hey people,
    >
    > I've discovered a vulnerability in Pine, tested on version 3.95q, but
    > which probably applies to all versions up to 4.02. This vulnerability
    > allows users to bypass site policies and use Pine to run arbitrary
    > commands in the user's name. Many sites use site policies to disable this,
    > in order to prevent users from running arbitrary commands.
    >
    > This vulnerability was reported to the authors last week, and they have
    > very rapidly responded by releasing a new version, 4.03, which they claim
    > fixes the bug. I haven't tested this for myself. The new version is
    > available from ftp://ftp.cac.washington.edu/pine/pine.tar.Z (source code).
    >
    > The vulnerability is as follows: when setting up a printer, it is possible
    > to choose the "Personally selected print command" option. This allows you
    > to specify a command which Pine will run whenever it needs to print a
    > document. By changing the value of this setting, it is possible to have an
    > arbitrary command run for you when you print, say, an e-mail. Therefore,
    > system administrators usually disable this ability with an option in their
    > pine.conf.fixed file.
    >
    > When the SA has done this, users cannot choose a custom print command for
    > themselves using Pine's Printer Setup. However, if they manually modify
    > their .pinerc file, adding a line such as:
    >
    >   printer=test [] echo Hello there! > test
    >
    > then this will override the Site Policies and, when a file is next printed
    > from Pine, the command will be executed in contravention to the Site
    > Policy.
    >
    > I recommend that all systems which restrict users' ability to run
    > arbitrary commands and allow them to run Pine, should be upgraded to Pine
    > 4.03.
    >
    > Cheers, Chris.
    >    ___ __     _
    >  /'__// / ,__(_)_ Wilson <Chris.Wilsonat_private> ----------------- -
    > / (_ / ,\/ _/ /_ \ Webmaster/SysAdmin/Timelord/BOFH/Programmer --------- -
    > \__//_/_/_//_/___/ "1998 isn't MCMXCVIII. The Romans would have used MIIM"
    >
    > DISCLAIMER: This message is not real. Nothing ever happened. I am a figment
    > of your imagination. I do not exist. Bill Gates is good. Bill Gates is God.
    > Buy Microsoft - everything will be all right. Trust in Bill.
    >
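
Added example, not part of either message and not code from the Pine project: a small audit an administrator of restricted "pine accounts" could run over users' .pinerc files to flag the two settings discussed in this thread. It assumes the custom spell checker is stored under the key `speller` and that a custom print command follows the `label [init] command` form of the quoted `printer=` line; `audit_pinerc`, `allowed_print_cmds` and the sample file are hypothetical names and constructed data.

```python
import re

# Constructed sample .pinerc content; the printer line is the one quoted in
# the thread, the other lines are made up for illustration.
SAMPLE_PINERC = """\
# user configuration
user-domain=example.org
printer=test [] echo Hello there! > test
speller=/bin/sh
"""

# Assumption: "speller" is the .pinerc key behind the custom spell checker.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
# "label [init] command" form, as in the quoted printer= line.
CUSTOM_PRINTER = re.compile(r"^(?P<label>[^\[]*)\[[^\]]*\]\s*(?P<cmd>\S.*)$")


def audit_pinerc(text, allowed_print_cmds=()):
    """Return (line_no, key, reason) for settings that run a user-chosen command."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and anything that is not key=value.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "printer":
            m = CUSTOM_PRINTER.match(value)
            # Flag any print command the site has not explicitly approved.
            if m and m.group("cmd") not in allowed_print_cmds:
                findings.append((no, key, "custom print command: " + m.group("cmd")))
        elif key == "speller" and value:
            # Compare the program's basename against known shells.
            prog = value.split()[0].rsplit("/", 1)[-1]
            if prog in SHELLS:
                findings.append((no, key, "spell checker is a shell: " + value))
    return findings


if __name__ == "__main__":
    for finding in audit_pinerc(SAMPLE_PINERC):
        print(finding)
```
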
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:15 PDT