Pine, Pico, Pilot Program Overflow bug.

From: uexploit xeightwo (xploitat_private)
Date: Wed Nov 28 2001 - 03:54:09 PST


     Pine, Pico, Pilot Program Overflow bug.
    
    
     I found a similar overflow limitation in several versions
     as a result of investigating the pine program.
    
     What is PINE? Pine (Program for Internet News & Email) is a Unix mail program
     (Mail User Agent) with powerful functions and various configuration options,
     developed at the University of Washington.
    
     Along with Pico (the message composition editor), which is loved as a text editor,
     Pine includes Pilot, which is used as a file browser.
    
     For further information, visit the Pine Information Center at
     URL: http://www.washington.edu/pine/
     download URL: ftp://ftp.cac.washington.edu/pine/
    
     Limitations that I found:
    
     - Pico frame pointer overflow: --------------------------------------------------|
     
     URL: http://my.dreamwiz.com/hackingm/lecture/pico.txt
    
     The Pico version that I tested is 3.5.
    
     Anyway, the overflow limitation does not happen from Pico version 3.8 on.
     When the editor comes up, save under another name (the file name is long).
    
     I only tested on two Linux 6.x servers that I'm using ...
     Both servers' pico version was 3.5,
     and on both a root shell is executed as a result when the setuid bit is set.
    
     Reference examination URL: http://my.dreamwiz.com/hackingm/test.txt 
    
     ---------------------------------------------------------------------------------| 
    
     I found a limitation that is very similar to the above attack and happens absurdly.
     The programs were Pilot and Pine.
    
     I received the current edition through an FTP download.
     It consisted of binaries.
    
     download URL: ftp://ftp.cac.washington.edu/pine/unix-bin/ 
    
     0x01. Pilot Program bug testing:
    
     [x82@testsub /tmp]$ ls -al pilot-bin.linux
     -rwxr-xr-x   1 x82      x82        493976 Nov 28 18:31 pilot-bin.linux
     [x82@testsub /tmp]$ ./pilot-bin.linux `perl -e 'print "x"x616'`
     [ File name too long: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ]
     
     [x82@testsub /tmp]$ ./pilot-bin.linux `perl -e 'print "x"x617'`
     Segmentation fault
     [x82@testsub /tmp]$ whereis pilot
     pilot: /usr/bin/pilot /usr/man/man1/pilot.1
     [x82@testsub /tmp]$  
     [x82@testsub /tmp]$ gdb -q /usr/bin/pilot
     (no debugging symbols found)...(gdb) set args `perl -e 'print "x"x237'`
     [ File not found: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ]
     (no debugging symbols found)...t `perl -e 'print "x"x237'`
     Program received signal SIGSEGV, Segmentation fault.
     0x40057272 in ?? ()
     (gdb) info reg
     eax            0xffffff26       -218
     ecx            0x0      0
     edx            0x40144c60       1075072096
     ebx            0x78787878       2021161080
     esp            0xbffff808       0xbffff808
     ebp            0x4      0x4
     esi            0x78787878       2021161080
     edi            0x78787878       2021161080
     eip            0x40057272       0x40057272
     eflags         0x10246  66118
     cs             0x23     35
     ss             0x2b     43
     ds             0x2b     43
     es             0x2b     43
     fs             0x0      0
     gs             0x0      0
     (gdb)
    
     For reference, they are all UW PILOT 2.0 versions.
    
     0xbffff4e0:     0x3a646e75      0x78782220      0x78787878      0x78787878
     ~~~ ... ~~~     0x78787878      0x78787878      0x78787878      0x78787878
     0xbffff5d0:     0x22787878      0xbffff800      0x0804a089      0xbffff8e8
    
     (gdb) x $esp
     0xbffff804:     0x40057270
     (gdb)
    
     (ebp) 0xbffff800 + 0x00000004 = 0xbffff804 (esp)
           0xbffff804 -------------> 0x40057270 (eip)
    
     0x02. Pine Program bug testing:
    
     Happily, the limitation did not happen in PINE 4.42, which is the new version.
     The following is the PINE 4.10 version that I'm using.
    
     [x82@testsub /tmp]$ whereis pine
     pine: /usr/bin/pine /usr/man/man1/pine.1
     [x82@testsub /tmp]$ pine `perl -e 'print "x"x50000'`
     Segmentation fault
     [x82@testsub /tmp]$ 
    
     Let's test another version.
     The following was tested in PINE 4.30.
    
     bash$ gdb -q pine
     (no debugging symbols found)...(gdb) set args `perl -e 'print "x"x50000'`
     (gdb) r
     Starting program: /usr/bin/pine `perl -e 'print "x"x50000'`
    
     (no debugging symbols found)...(no debugging symbols found)...
     Program received signal SIGSEGV, Segmentation fault.
     0x40295c99 in chunk_free (ar_ptr=0x40336f60, p=0x83488c0) at malloc.c:3121
     3121	malloc.c: No such file or directory.
     (gdb)
    
     Also, you can see that a segfault comes up.
     I think impatiently that I have no time to spare.
     I could not afford to test versions after 4.30.
    
     I hope that other people will. :-D
    
    
     Author: Xpl017Elz
     E-mail: szoahcat_private & xploitat_private
     Home: http://x82.i21c.net
    
    
     P.S: As always ...
          Sorry. I gave up on proper English.
          I will study English from next time, so that other people can understand.
          Thank you for reading my unwise writing. ^-^*
    
    
    -- 
    
    Powered by Outblaze
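
The following is an added example and is not code from the post or from the Pine, Pico or Pilot sources. It models, in C, the defect class the post reports for Pilot and Pine (a fixed-size file-name buffer filled from an untrusted command-line argument) in its bounded form, and reproduces the boundary the Pilot test observed: a name of 616 characters is accepted, 617 is refused with a "File name too long" message instead of a crash. `FILENAME_MAX_LEN` is a constructed limit chosen to match that observation, not Pilot's real buffer size, and `set_filename`, `accept_filename`, `x_name` and `name_of_length_accepted` are hypothetical names introduced here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not Pine/Pico/Pilot code. Models the defect class the post
 * reports (a fixed-size file-name buffer filled from an untrusted argument)
 * in a bounded form. FILENAME_MAX_LEN is a constructed limit chosen to match
 * the post's observation (616 accepted, 617 crashes); it is not Pilot's real
 * buffer size. */
#define FILENAME_MAX_LEN 616

/* Length of src, scanning at most `limit` bytes (portable strnlen). */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* Copy a caller-supplied file name into dst (capacity dstsz, including the
 * terminating NUL). Returns 0 on success, -1 if the name would not fit; on
 * refusal nothing is copied and dst is left as an empty string. The length
 * check happens before any write, so an over-long name never reaches the
 * saved frame pointer / return address that the post's gdb session shows
 * being overwritten with 0x78787878. */
int set_filename(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    size_t n = bounded_len(src, dstsz);
    if (n >= dstsz) {          /* no room for the NUL: refuse */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n characters plus the NUL */
    return 0;
}

/* The behaviour a user should see at the boundary: accept, or refuse with a
 * diagnostic modelled on Pilot's "[ File name too long: ... ]" line.
 * Returns 1 if accepted, 0 if refused. */
int accept_filename(const char *arg, char *out, size_t outsz)
{
    if (set_filename(out, outsz, arg) != 0) {
        fprintf(stderr, "[ File name too long: \"%.55s ]\n", arg);
        return 0;
    }
    return 1;
}

/* Constructed input: a name of `len` 'x' characters, the same shape as the
 * post's perl -e 'print "x"x617'. Returns a static buffer. */
const char *x_name(size_t len)
{
    static char buf[FILENAME_MAX_LEN + 64];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memset(buf, 'x', len);
    buf[len] = '\0';
    return buf;
}

/* Does a name of `len` x's fit the bounded buffer? 1 = accepted, 0 = refused. */
int name_of_length_accepted(size_t len)
{
    char name[FILENAME_MAX_LEN + 1];
    return accept_filename(x_name(len), name, sizeof name);
}

int main(void)
{
    /* Probe the same lengths the post used, plus the empty name. */
    const size_t probes[] = { 0, 616, 617 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%4zu chars: %s\n", probes[i],
               name_of_length_accepted(probes[i]) ? "accepted" : "refused");
    return 0;
}
```

The same check applies to the Pine case: the crash there surfaces inside `chunk_free`, which is what an overrun of a heap-allocated copy of the argument looks like rather than a stack overwrite, but the defence is identical: measure the input against the destination's capacity before copying, and refuse rather than truncate silently when it does not fit.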
    



    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 09:27:00 PST