[lbo-talk] Re: Re:

Chuck Grimes cgrimes at rawbw.com
Sat Jul 24 12:13:25 PDT 2004


``Has a Unix system using pine ever been exploited like Windows/Outlook?..'' Miles

---------

I think the short answer is yes. It can be done in principle using executable code in an e-mail attachment---say a shell script that is started when you use the pine attachment viewer to open the attachment and a command is executed that you or an administrator put in the mailcap or .pinerc file, say like `exec $*'... (joke)

I was curious about all this, so I looked up `pine exploits'. Here is one I found at:

http://www.governmentsecurity.org/articles/HackingWebpages...

...

``...and now on to another exploit. I'm going to display the pine exploit through linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile.

Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile...''

But look at the very top, `By watching the process table with ps..'. This means you have already hacked in at the user level. What this particular exploit is after (I think) is the Pine process id for its rwx privileges and then proceeds from there.

A way into a unix system used to be through netscape with java enabled. A hostile website remotely executes a javascript in a visiting browser that opens a port on that user's system. For example, say the script starts ftpd (port 21/tcp) or tftp (port 69/tcp). Theoretically this java initiated ftp connection is for the user to download some file off the website. However, in this case the remote website can use the java initiated connection to reverse advantage and upload or download whatever the user has rw or rwx permission to do on his/her own system. Presumably the hostile website could also open ssh (port 22/tcp) or telnet (port 23/tcp) and work from there.

Other techniques as far as I can tell go after various daemons like lpd. An interesting one I found exploits a memory stack overflow condition in lprm when lprm (print spooler) is dealing with a remote printer, or the rm= assigned in printcap. The method used (as far as I understand it) gets the lpd daemon on the tricked memory fault condition to pass the attacker's assembler code to the kernel to open a root shell for him---I guess on a remote terminal. Nice.

This didn't look like a kiddy script...

It seems to me that one interesting contradiction to `free' enterprise copyright protection and M$uck business paranoia is that with an open source OS, all the built-in security systems are completely understood (transparent via open source code) by the administrators responsible (and hackers), so these systems are relatively easy to modify, upgrade and maintain. You don't have to buy a contract with M$uck or wait on them for their proprietary and overpriced help, upgrades, and patches. The result is security holes, exploits, and attacks in open source are immediately posted on various news groups, usually with temporary fixes, soon followed with in-depth documentation, tested patches and installation instructions, often within a few days, sometimes within hours of discovery.

I have no idea how long it takes M$uck to even admit a problem, let alone issue patches and fixes. My guess from long ago experience with them as a nobody consumer would be weeks or months. Plus you have to pay them for their own security mistakes and code errors. Nice guys. Like paying for your own execution...

CG
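An added example, not part of Chuck's post or of the quoted article, showing the file-creation mistake behind the lockfile trick described above and the fix for it. The quoted text says PINE created its /tmp lockfile by following whatever name already existed, with mode 666; the same bug class is avoided by opening with O_CREAT|O_EXCL|O_NOFOLLOW and a private mode. The function names, the scratch directory under /tmp and the ".rhosts" stand-in file are all constructed for this demo; nothing here touches a real mail client.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive lockfile creation, the pattern the quoted article attributes to PINE:
   open() with O_CREAT but without O_EXCL/O_NOFOLLOW follows whatever the
   name already points to, and the 0666 mode is only narrowed by the umask. */
int lockfile_create_naive(const char *path, pid_t pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    dprintf(fd, "%ld\n", (long)pid);
    close(fd);
    return 0;
}

/* Hardened version: O_EXCL refuses any pre-existing name (a planted symlink
   included), O_NOFOLLOW refuses symlinks outright, and 0600 keeps the file
   private to the owner. */
int lockfile_create_safe(const char *path, pid_t pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    dprintf(fd, "%ld\n", (long)pid);
    close(fd);
    return 0;
}

/* Audit check a defender can run over /tmp: 0 if path is a regular file
   (not a symlink) owned by the caller with no group/other bits set. */
int lockfile_check(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 1;          /* missing */
    if (!S_ISREG(st.st_mode)) return 2;           /* symlink or other */
    if (st.st_uid != getuid()) return 3;          /* not ours */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 4; /* too permissive */
    return 0;
}

/* Self-contained demo in a private scratch directory (constructed): plants a
   dangling symlink under the lockfile name pointing at a ".rhosts" stand-in,
   shows the naive open writing the pid through it, and the safe open refusing.
   Returns 0 when every expected property holds, else a step number. */
int demo(void) {
    char dir[] = "/tmp/pine-lock-demo-XXXXXX";
    char lock[PATH_MAX], target[PATH_MAX];
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    snprintf(lock, sizeof lock, "%s/.lockfile", dir);
    snprintf(target, sizeof target, "%s/rhosts-standin", dir);

    if (symlink(target, lock) != 0) return 2;       /* attacker's planted link */

    /* Step 3-4: the naive open follows the link and creates the target. */
    if (lockfile_create_naive(lock, getpid()) != 0) return 3;
    if (stat(target, &st) != 0 || st.st_size == 0) return 4;

    /* Step 5: the safe open fails on the very same planted link. */
    errno = 0;
    if (lockfile_create_safe(lock, getpid()) != -1) return 5;
    if (errno != EEXIST && errno != ELOOP) return 6;

    /* Step 7-8: on a fresh name the safe open works and passes the audit. */
    if (unlink(lock) != 0) return 7;
    if (lockfile_create_safe(lock, getpid()) != 0) return 8;
    if (lockfile_check(lock) != 0) return 9;

    unlink(lock); unlink(target); rmdir(dir);
    return 0;
}

int main(void) {
    int rc = demo();
    printf("demo %s (code %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The decisive flag is O_EXCL: with it, open() fails with EEXIST whenever the name exists, even as a dangling symlink, so a pre-planted link never gets followed. Modern Linux also has the fs.protected_symlinks sysctl, which blocks following symlinks in sticky world-writable directories such as /tmp when the link owner differs from the follower; that mitigates the cross-user case from the article but is no substitute for creating files correctly.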


