Bugtraq mailing list archives
Re: L0pht Advisory: IMAP4rev1 imapd server
From: kragen () DNACO NET (Kragen Sitaker)
Date: Thu, 9 Oct 1997 10:12:26 -0400
On Wed, 8 Oct 1997, Marc Slemko wrote:

> On Wed, 8 Oct 1997, We got Food - Fuel - Ice-cold Beer - and X.509 certificates wrote:
>
> > Scenario: It is possible to crash the imapd server in several possible places. Due to the lack of handling for the SIGABRT signal and the nature of the IMAP protocol in storing folders locally on the server, a core dump is produced in the user's current directory. This core dump contains the password and shadow password files from the system.
>
> It should be noted that this only works on systems that allow a process that has changed UIDs since the last exec to core dump. Some, such as FreeBSD (and OpenBSD I would guess, and a dozen others), don't for exactly this reason. The same thing came up with ftpd a while back.
Now I know there have been some old security holes posted here on Bugtraq, but this is an extreme case. I quote from the source of the Unix kernel, version 6, out of the Lions book, on Sheet 40, copyright, J. Lions, ***1976***:

    /*
     * Create a core image on the file "core"
     * If you are looking for protection glitches,
     * there are probably a wealth of them here
     * when this occurs to a suid command.

(Lines 4084 to 4088.)

That's at least 21 years this security hole has been known and described in what's probably the most-read book among UNIX kernel hackers.

Kragen
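A defensive counterpart to the failure mode discussed in this thread, as an added example that is not part of the original message or of any imapd source: after the daemon has switched to the mailbox owner's UID it zeroes its core limit and wipes the data it read as root, so a later crash cannot leave that data in the user's directory. The setuid() call itself is left out so the snippet runs unprivileged, and the function names and secret buffer are assumptions of this example.

```c
/* Added example, not code from the advisory or any imapd: after an IMAP
 * daemon has switched to the mailbox owner's UID (setuid() omitted so this
 * runs unprivileged) it refuses to dump core and wipes root-only data, so a
 * crash cannot leave that data in the user's directory. Names are constructed. */
#include <stddef.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Constructed stand-in for /etc/shadow content read while still root. */
static char privileged_data[64] = "root:$1$constructed$hash:0:0:root:/root:/bin/sh";

/* Set soft and hard RLIMIT_CORE to 0 so the unprivileged process cannot
 * raise them again; on Linux also clear the dumpable flag explicitly
 * instead of relying on the kernel to do so after the UID change.
 * Returns 0 on success, -1 with errno set. */
int harden_against_core_dump(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Returns 1 once the process can no longer produce a core file. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Wipe the privileged data once it is no longer needed so no core can hold
 * it; the volatile pointer keeps the stores. Returns bytes still non-zero. */
size_t scrub_privileged_data(void)
{
    volatile char *p = privileged_data;
    size_t i, left = 0;
    for (i = 0; i < sizeof privileged_data; i++)
        p[i] = 0;
    for (i = 0; i < sizeof privileged_data; i++)
        left += p[i] != 0;
    return left;
}
```

Call harden_against_core_dump() immediately after the privilege drop and before any mailbox data is touched; setting the hard limit as well matters because the unprivileged process could otherwise raise a soft limit of 0 back up.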