Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: pinepol.txt

Pine 3.95q - 4.02 allow users to bypass site policies and execute arbitrary commands.





[ http://www.rootshell.com/ ]

Date:         Mon, 7 Sep 1998 12:18:28 +0100
From:         Chris Wilson <cmw32@HERMES.CAM.AC.UK>

Hey people,

I've discovered a vulnerability in Pine, tested on version 3.95q, but
which probably applies to all versions up to 4.02. This vulnerability
allows users to bypass site policies and use Pine to run arbitrary
commands in the user's name. Many sites use site policies to disable this,
in order to prevent users from running arbitrary commands.

This vulnerability was reported to the authors last week, and they have
very rapidly responded by releasing a new version, 4.03, which they claim
fixes the bug. I haven't tested this for myself. The new version is
available from ftp://ftp.cac.washington.edu/pine/pine.tar.Z (source code).

The vulnerability is as follows: when setting up a printer, it is possible
to choose the "Personally selected print command" option. This allows you
to specify a command which Pine will run whenever it needs to print a
document. By changing the value of this setting, it is possible to have an
arbitrary command run for you when you print, say, an e-mail. Therefore,
system administrators usually disable this ability with an option in their
pine.conf.fixed file.

When the SA has done this, users cannot choose a custom print command for
themselves using Pine's Printer Setup. However, if they manually modify
their .pinerc file, adding a line such as:

  printer=test [] echo Hello there! > test

then this will override the Site Policies and, when a file is next printed
from Pine, the command will be executed in contravention to the Site
Policy.

I recommend that all systems which restrict users' ability to run
arbitrary commands and allow them to run Pine, should be upgraded to Pine
4.03.

Cheers, Chris.
   ___ __     _
 /'__// / ,__(_)_ Wilson <Chris.Wilson@fitz.cam.ac.uk> ----------------- -
/ (_ / ,\/ _/ /_ \ Webmaster/SysAdmin/Timelord/BOFH/Programmer --------- -
\__//_/_/_//_/___/ "1998 isn't MCMXCVIII. The Romans would have used MIIM"

DISCLAIMER: This message is not real. Nothing ever happened. I am a figment
of your imagination. I do not exist. Bill Gates is good. Bill Gates is God.
Buy Microsoft - everything will be all right. Trust in Bill.



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH