From hhp@NS.SUSPEND.NET Fri Jun 25 22:00:42 1999
From: Elaich Of Hhp
Resent-From: cult hero
To: BUGTRAQ@netspace.org
Resent-To: jericho@attrition.org
Date: Tue, 22 Jun 1999 13:04:14 -0400
Subject: hhp: Remote pine exploit.

The hhp presents...

The hhp-pine remote exploit advisory.
6/22/99
By: elaich of the hhp.
http://hhp.hemp.net/

#---------------------------------------------------------#

A few months ago I found a bigger problem with the charset bug than imagined. With a uuencode/uudecode method in the charset, and an index.html of a site, it's possible to run any program/script wanted on the remote system. When the email is read it launches lynx -source and grabs the index.html which is then uudecoded and run. This includes root and non-root users infected.

Many big servers run pine, and having fingerd running, most of the time allows us complete access to get every username on the server, which then is simple to send the infected emails to each user.

We have tested this on our own systems with full success. These operating systems include BSD, Linux, IRIX, AIX, SCO, and SunOS.

I'm sure this will be fixed in the newer version along with the patch already made for the current version.

hhp-pine.tar is available to download at our site, http://hhp.hemp.net/.

The current pine 4.10 patch is available to download at http://www.geek-girl.com/bugtraq/1999_1/0532.html

Jobs/Probs/Bugs/Etc. -> hhp@hhp.hemp.net

#---------------------------------------------------------#

-elaich

-----------------------------------------
elaich of the hhp.
hhp-1999(c)
Email: hhp@hhp.hemp.net
Web: http://hhp.hemp.net/
Phone: 713-451-6972
hhp-ms: hhp.hemp.net, port:7777, pass:hhp
-----------------------------------------
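
A defensive check for the charset abuse described above, as an added example that is not part of the original advisory: it walks a message's MIME parts and flags any charset value that is not a plain charset name. It assumes the charset travels in the Content-Type header's charset parameter; the function name, the allow-list pattern and the sample message are constructed for illustration.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Assumption: a legitimate charset is a short name made of letters, digits
# and a few punctuation marks (e.g. "iso-8859-1", "us-ascii"). Anything else,
# including whitespace, quotes or shell metacharacters, is reported.
SAFE_CHARSET = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:+\-]{0,39}")

# Constructed sample: part 1 is clean, part 2 carries a charset value that
# is not a plain name. The payload text is an inert placeholder.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="us-ascii`CONSTRUCTED`"\r\n'
    b"\r\n"
    b"body\r\n"
    b"--b1--\r\n"
)


def suspicious_charsets(raw_message: bytes):
    """Return (part_index, content_type, charset) for every MIME part
    whose charset parameter is not a plain charset name."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for index, part in enumerate(msg.walk()):
        value = part.get_param("charset", header="content-type")
        if value is None:
            continue  # part declares no charset at all
        if isinstance(value, tuple):
            # RFC 2231 encoded parameter: decode it before checking
            value = collapse_rfc2231_value(value)
        if not SAFE_CHARSET.fullmatch(value):
            findings.append((index, part.get_content_type(), value))
    return findings


if __name__ == "__main__":
    for index, ctype, charset in suspicious_charsets(SAMPLE):
        print(f"part {index} ({ctype}): suspicious charset {charset!r}")
```

Run at the mail gateway or over a mail spool, a check like this lets messages with a non-conforming charset be quarantined before a mail client ever renders them.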