Bugtraq mailing list archives
Pine security problem
From: lforbes () arsc edu (Liam O. Forbes)
Date: Tue, 10 Sep 1996 17:26:06 -0800
This is in regards to the "fix" of the possible security problem in Pine < v3.95. Pine 3.95 does indeed check for symbolic links, now, before creating a mail lock file. However, it has the same problem in another part of the program. I have verified the problem in Pine 3.95 & Pine 3.91 using Irix 5.3. I'll be looking into it on my Linux home system, but it's probably there too.

While upgrading to Pine 3.95, it was discovered that the alternate editor feature creates a file "/tmp/pico.pid" where pid is the id of the active Pine session. If you use the alternate editor feature, and a symbolic link exists with the desired name, the link isn't checked like the mail lock file is, and the editor dumps everything into the file pointed to by the symbolic link.

This can lead to several possible security breaches via:

1. the ability to mangle a target file.
2. the ability to eavesdrop on composed messages.
3. (if you are really fancy) the ability to set up at least one bogus .rhosts entry by sending email to someone who responds to email by quoting entire files.

There are probably several other things that can be done via this /tmp file problem (and have been).

To see the exact problem:

1. set the editor variable in ~/.pinerc to something like /bin/vi.
2. start up pine
3. do a long listing of /tmp
4. start composing a message in pine, switch to the alternate editor via ^_
5. do another long listing of /tmp
6. That "pico.###" file is the problem.

As long as you are running the current pine session, anyone can create a link with that name and, at the least, capture whatever you write into your mail message.

Finally, when you exit the alternate editor, it deletes the /tmp file. If it was a link, the link gets deleted. No evidence of tampering remains.

What about using random file names and checking if those exist? The current fix for the mail lock file seems like the work of a lazy programmer.

Liam Forbes
lforbes () arsc edu
http://www.arsc.edu/~lforbes
Box 756020 910 Yukon Dr. Suite 106 Fairbanks Ak 99775-6020
907-474-1898 fax: 907-474-5494
finger: Geek code & PGP pub key
High Performance Computing Systems Programmer/Analyst I
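
The scratch-file pattern reported in the message above, set beside two hardened ways of creating the file, as an added example (not code from Pine or from the original post). The function names, the "pico.1234" name and the private scratch directory are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: the pattern the post describes. Predictable name, no O_EXCL, so a
 * symlink already sitting at that name is followed. */
int open_scratch_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, same name: O_CREAT|O_EXCL makes check-and-create atomic and fails
 * with EEXIST if anything, even a dangling symlink, is already at the path. */
int open_scratch_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Hardened, unpredictable name: mkstemp() fills in XXXXXX and creates exclusively. */
int open_scratch_random(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario in a private directory, symlink pre-planted at the
 * predictable name. Bitmask result: 1 = weak open wrote through the link,
 * 2 = O_EXCL open refused the link, 4 = mkstemp made a private regular file. */
int demo(void) {
    char dir[] = "/tmp/scratchdemoXXXXXX", lnk[64], target[64], rnd[64];
    struct stat st; int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/pico.1234", dir);     /* constructed pid */
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(rnd, sizeof rnd, "%s/pico.XXXXXX", dir);
    if (symlink(target, lnk) != 0) return -1;
    errno = 0;
    if (open_scratch_excl(lnk) < 0 && errno == EEXIST) result |= 2;
    if ((fd = open_scratch_weak(lnk)) >= 0) {
        if (write(fd, "draft", 5) == 5 && stat(target, &st) == 0 && st.st_size == 5)
            result |= 1;               /* data landed in the link's target */
        close(fd);
    }
    if ((fd = open_scratch_random(rnd)) >= 0) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0)
            result |= 4;               /* regular file, no group/other access */
        close(fd);
    }
    unlink(rnd); unlink(lnk); unlink(target); rmdir(dir);
    return result;
}
```

A caller that gets EEXIST from the exclusive open should abort or retry under a fresh name rather than unlink the existing entry and reopen it, since that reintroduces the gap between check and use.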