Bugtraq mailing list archives
Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Mon, 8 Mar 1999 02:37:18 +0100
Summarizing the replies...
1. Overflow in CAC.Washington.EDU ipop3d 4.xx
2. Overflow in pine 4.xx (Linux)
Mark Crispin, on the devel list: "...however, that only affects either an index or a stat buffer, neither of which is subsequently used. Furthermore, even if there was an overflow, it is impossible to use this to gain superuser access. This lock access is only done by a process after being logged in as the user." So he claims it is NOT exploitable. Not true. It IS exploitable; please just type 'gdb' and take a better look at what happens. While root privileges are dropped, anyone who thinks that ipop3d couldn't be exploited to gain any privileges is wrong! Take a look at the open file descriptors, Mark. The problem should be fixed in the next release of the IMAP package.
3. Lockfile vulnerability in pine 4.xx (Linux)
4. Lockfile vulnerability in ipop3d 4.xx
It has been addressed as a 'negative value' problem. The problem is the buggy negotiation protocol, not the negative, positive or any other PID itself (disallowing negative values won't prevent an attacker from killing chosen processes). So, as of today, there's no chance of a complete solution for /tmp mailbox locks.
5. Linux 2.x IPC vulnerability
As Solar Designer said, there is a 'beancounter' feature (per-user limits, instead of per-process). Probably it will be implemented in 2.2.x kernels soon. As of today, it's hard to control detached IPC pages.
7. Midnight Commander 4.x bugs (x2)
While Miguel de Icaza claims there are no known bugs in mc, Pavel Machek confirmed that there are still unfixed races. Thank you.

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl]
bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]
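The point raised above about open file descriptors outliving a privilege drop, as an added example that is not part of the original post and not code from the IMAP/ipop3d sources: a daemon opens a file while still root, drops to an unprivileged uid, and the descriptor is still fully usable from the unprivileged stage. The block then shows the audit-and-close step a practitioner would run before that stage continues. The temp file, the uid/gid 65534 and the descriptor scan cap are assumptions for the demo; the privilege drop is a no-op when the program is not started as root, so it can be run as any user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>

/* Upper bound for the descriptor scan so the loops stay bounded even when
   RLIMIT_NOFILE is huge.  Assumption for this demo; a real daemon would
   walk /proc/self/fd or use close_range(2) where available. */
#define FD_SCAN_MAX 65536

/* Highest descriptor number worth scanning: min(RLIMIT_NOFILE, FD_SCAN_MAX). */
static int fd_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY
        && rl.rlim_cur < (rlim_t)FD_SCAN_MAX)
        return (int)rl.rlim_cur;
    return FD_SCAN_MAX;
}

/* 1 if fd is an open descriptor in this process, 0 otherwise. */
int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* Audit step: how many descriptors above max_keep are still open. */
int count_open_fds_above(int max_keep) {
    int n = 0, limit = fd_limit();
    for (int fd = max_keep + 1; fd < limit; fd++)
        if (fd_is_open(fd)) n++;
    return n;
}

/* Remedy: close every descriptor above max_keep.  Returns how many were closed. */
int close_fds_above(int max_keep) {
    int closed = 0, limit = fd_limit();
    for (int fd = max_keep + 1; fd < limit; fd++)
        if (close(fd) == 0) closed++;
    return closed;
}

/* Permanently drop root to uid/gid.  Returns 0 on success, -1 on failure.
   A no-op (returning 0) when not started as root, so the demo runs as anyone. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* must not be able to get root back */
    return 0;
}

int main(void) {
    /* Constructed stand-in for a mailbox or lock file opened while still root. */
    char path[] = "/tmp/privdrop-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    unlink(path);
    if (write(fd, "secret\n", 7) != 7) { perror("write"); return 1; }

    /* Assumed unprivileged identity (nobody/nogroup on most systems). */
    if (drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }

    /* The unprivileged stage still owns whatever root opened. */
    printf("after privilege drop: fd %d is %s, %d descriptor(s) above stderr open\n",
           fd, fd_is_open(fd) ? "open" : "closed", count_open_fds_above(2));

    /* Close what the unprivileged stage does not need, then re-audit. */
    close_fds_above(2);
    printf("after close_fds_above(2): %d descriptor(s) above stderr open\n",
           count_open_fds_above(2));
    return 0;
}
```

The order matters: descriptors the unprivileged stage must not have are closed (or opened with O_CLOEXEC and the stage exec'd) before the drop, and the audit runs again afterwards, since a single leaked descriptor to a root-owned file or socket is enough to undo what setuid was meant to achieve.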
Current thread:
- ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Commander Michal Zalewski (Mar 06)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Michal Zalewski (Mar 07)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Pavel Machek (Apr 09)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Luca Berra (Apr 10)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Miguel de Icaza (Apr 11)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Pavel Machek (Apr 09)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Michal Zalewski (Mar 07)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Miguel de Icaza (Apr 05)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Stefan Rompf (Apr 06)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Viktor Fougstedt (Apr 07)
- Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Viktor Fougstedt (Apr 07)