hhp-pine_adv0004.txt

1999-08-17T00:00:00
ID PACKETSTORM:11781
Type packetstorm
Reporter hhp
Modified 1999-08-17T00:00:00

Description

                                        
                                            The hhp presents...  
  
The hhp-pine remote exploit advisory.  
6/22/99   
By: elaich aka LoopHole of the hhp.  
http://hhp.hemp.net/  
#---------------------------------------------------------#  
  
A few months ago I found a bigger problem with the  
charset bug than imagined. With a uuencode/uudecode  
method in the charset, and an index.html of a site, it's  
possible to run any program/script wanted to on the remote  
system. When the email is read it launches lynx -source  
and grabs the index.html which is then uudecoded and run.  
This includes root and non-root users infected. Many big  
servers run pine, and having fingerd running, most of the  
time allows us complete access to get every username on the  
server, which then is simple to send the infected emails to  
each user.  
We have tested this on our own systems with full success.  
These operating systems include BSD, Linux, IRIX, AIX, SCO,  
and SunOS.  
I'm sure this will be fixed in the newer version along  
with the patch already made for the current version.  
hhp-pine.tar is available to download at our site,  
http://hhp.hemp.net/.  
  
The current pine 4.10 patch is available to download at  
http://www.geek-girl.com/bugtraq/1999_1/0532.html  
  
  
Jobs/Probs/Bugs/Etc. -> hhp@hhp.hemp.net  
#---------------------------------------------------------#  
  
-elaich  
  
-----------------------------------------  
elaich of the hhp. hhp-1999(c)  
Email: hhp@hhp.hemp.net  
Web: http://hhp.hemp.net/   
Phone: 713-451-6972  
hhp-ms: hhp.hemp.net, port:7777, pass:hhp  
-----------------------------------------  
  
  
------------------------------------------------------------------  
  
Date: Fri, 25 Jun 1999 12:18:27 -0700  
From: John D. Hardin <jhardin@WOLFENET.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: hhp: Remote pine exploit.  
  
On Tue, 22 Jun 1999, Elaich Of Hhp wrote:  
  
> A few months ago I found a bigger problem with the  
> charset bug than imagined. With a uuencode/uudecode  
> method in the charset, and an index.html of a site, it's  
> possible to run any program/script wanted to on the remote  
> system. When the email is read it launches lynx -source  
> and grabs the index.html which is then uudecoded and run.  
> This includes root and non-root users infected. Many big  
> servers run pine, and having fingerd running, most of the  
> time allows us complete access to get every username on the  
> server, which then is simple to send the infected emails to  
> each user.  
> We have tested this on our own systems with full success.  
> These operating systems include BSD, Linux, IRIX, AIX, SCO,  
> and SunOS.  
> I'm sure this will be fixed in the newer version along  
> with the patch already made for the current version.  
> hhp-pine.tar is available to download at our site,  
> http://hhp.hemp.net/.  
>  
> The current pine 4.10 patch is available to download at  
> http://www.geek-girl.com/bugtraq/1999_1/0532.html  
  
Since this is a variant on the command-line-in-a-MIME-header exploit  
that was described earlier, it is defanged by the procmail sanitizer.  
  
--  
John Hardin KA7OHZ jhardin@wolfenet.com  
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5  
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76  
-----------------------------------------------------------------------  
Efficiency can magnify good, but it magnifies evil just as well.  
So, we should not be surprised to find that modern electronic  
communication magnifies stupidity as *efficiently* as it magnifies  
intelligence.  
-- Robert A. Matern  
-----------------------------------------------------------------------  
76 days until 9/9/99  
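
The reply above describes filtering at delivery time as the mitigation for a command line carried in a MIME header. The following is an added example, not code from the procmail sanitizer, the advisory or hhp-pine.tar: a gateway-side check that flags and rewrites any `charset` parameter outside a conservative allowlist. The allowlist, the function names and the sample messages are assumptions constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Assumed allowlist, deliberately stricter than the RFC 2045 "token" grammar,
# which still permits shell-significant characters such as ` $ | & { }.
SAFE_CHARSET = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}")

def _is_safe(value):
    """True when the (possibly RFC 2231 encoded) charset value is allowlisted."""
    return bool(SAFE_CHARSET.fullmatch(collapse_rfc2231_value(value)))

def unsafe_charsets(raw):
    """Return (part_index, charset_value) for each MIME part that fails the check."""
    findings = []
    for index, part in enumerate(message_from_string(raw).walk()):
        value = part.get_param("charset")
        if value is not None and not _is_safe(value):
            findings.append((index, collapse_rfc2231_value(value)))
    return findings

def defang(raw, replacement="us-ascii"):
    """Rewrite every offending charset parameter before the mail reaches a client."""
    msg = message_from_string(raw)
    for part in msg.walk():
        value = part.get_param("charset")
        if value is not None and not _is_safe(value):
            part.set_param("charset", replacement, replace=True)
    return msg.as_string()

# Constructed sample messages (not taken from the advisory or hhp-pine.tar).
CLEAN = (
    "From: a@example.org\n"
    "Subject: ok\n"
    "Content-Type: text/plain; charset=iso-8859-1\n"
    "\n"
    "hello\n"
)
SUSPECT = (
    "From: b@example.org\n"
    "Subject: constructed\n"
    'Content-Type: text/plain; charset="iso-8859-1`echo constructed`"\n'
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    print(unsafe_charsets(CLEAN), unsafe_charsets(SUSPECT))
    print(defang(SUSPECT))
```

Running the check on the unparsed header value matters here: a charset that is syntactically valid under the RFC grammar can still contain characters a shell would interpret.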
  