Date: Wed, 8 Jul 1998 19:36:57 -0700 (PDT)
From: "Cassandra M. Perkins" <cassy@loop.com>
To: "Jan B. Koum " <jkb@best.com>
Cc: Scot Elliott <scot@planet-three.com>, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
Message-ID: <Pine.BSF.3.96.980708193602.23741O-100000@patty.loop.com>
In-Reply-To: <Pine.BSF.3.96.980705034608.15271A-100000@shell6.ba.best.com>

What version of qpopper is not vulnerable to the hole?

----------------------------------------------------------------------------
| Cassandra M. Perkins              | People usually get what's coming to  |
| Network Operations                | them... unless it's been mailed.     |
| The Loop Internet Switch Co., LLC |                            -fortune  |
----------------------------------------------------------------------------

On Sun, 5 Jul 1998, Jan B. Koum wrote:

>
> Where have you been all this time? Don't you follow bugtraq?
> Yes, Qualcomm had remote root shell buffer overflow "y3r 0wned"
> type thingie. Exploits for both *bsd and linux systems were published. Get
> cucipop or updated qualcomm pop server.
>
> -- Yan
>
> Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
> www.FreeBSD.org -- The Power to Serve  |  to go home in the dark."
> ---------------------------------------+-----------------------------------
> ICMP: What happens when you hack into a military network and they catch you.
>
> On Sun, 5 Jul 1998, Scot Elliott wrote:
>
> >Morning all.
> >
> >I caught someone last night with a root shell on our mail server. I
> >traced it back to somewhere in the US, but unfortunately got locked out
> >and the log files removed before I had time to fix it ;-(
> >
> >I shut the machine down remotely by mounting /usr over NFS and changing
> >/usr/libexec/atrun to a shell script that runs /sbin/shutdown (neat huh?
> >;-)
> >
> >Anyway - the point is that it looks like some kind of buffer overflow in
> >the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
> >messages from popper in the log file before it was removed. There was an
> >extra line in /etc/inetd.conf which ran a shell as root on some port I
> >wasn't using (talk I think). So I'm guessing that the exploit allows
> >anyone to run any command as root. Nice. Whomever it was was having a
> >whale of a time with my C compiler for some reason... very dodgy.
> >
> >If I can find out the source of this then I'd like to follow it up. Does
> >anyone have experience of chasing this sort of thing from across the US
> >border? Also, of course, everyone should check their popper version.
> >
> >Cheers
> >
> >
> >Yours - Scot.
> >
> >
> >-----------------------------------------------------------------------------
> >Scot Elliott (scot@poptart.org, scot@nic.cx) | Work: +44 (0)171 7046777
> >PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
> >-----------------------------------------------------------------------------
> >Public key available by finger at: finger scot@poptart.org
> > or at: http://www.poptart.org/pgpkey.html
> >
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-isp" in the body of the message
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
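
The two traces described in the quoted report (an inetd.conf entry that runs a shell as root, and popper log lines filled with ^P) can be checked for mechanically. The following is an added example, not part of the original thread or of any FreeBSD tool; the function names, the shell list, the run-length threshold and both sample inputs are assumptions constructed for illustration.

```python
import os
import re

SHELLS = {"sh", "csh", "tcsh", "bash", "ksh", "zsh"}

# Constructed sample input, not recovered from the incident in the message.
SAMPLE_INETD = """\
# service socket proto wait user program args
ftp    stream tcp nowait root /usr/libexec/ftpd ftpd -l
pop3   stream tcp nowait root /usr/local/libexec/popper popper
shell  stream tcp nowait root /usr/libexec/rshd rshd
talk   dgram  udp wait   root /bin/sh sh -i
"""
SAMPLE_LOG = """\
Jul  5 02:11:09 mail popper[812]: connection from host.example
Jul  5 02:11:10 mail popper[813]: ^P^P^P^P^P^P^P^P^P^P^P^P
Jul  5 02:11:12 mail popper[814]: ^P^P
"""

def root_shell_entries(conf_text):
    """Return (line_no, service, program) for inetd.conf entries running a shell as root."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # blank, comment, or not a full service entry
        service, user, program = fields[0], fields[4], fields[5]
        user = re.split(r"[:/.]", user)[0]  # drop group / login class suffix
        argv0 = fields[6] if len(fields) > 6 else program
        names = {os.path.basename(program), os.path.basename(argv0)}
        if user == "root" and names & SHELLS:
            hits.append((no, service, program))
    return hits

def popper_control_runs(log_text, min_run=8):
    """Return line numbers of popper log lines holding a long run of ^P (0x10)."""
    # Matches both the caret rendering "^P" and the raw control byte.
    run = re.compile(r"(?:\^P|\x10){%d,}" % min_run)
    return [no for no, line in enumerate(log_text.split("\n"), 1)
            if "popper" in line and run.search(line)]

if __name__ == "__main__":
    print(root_shell_entries(SAMPLE_INETD))
    print(popper_control_runs(SAMPLE_LOG))
```

Since the intruder in the report removed the log files, a check like the second one is only useful against logs shipped to another host or read before cleanup.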