From owner-freebsd-security Wed Jul 8 19:41:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA08682 for freebsd-security-outgoing; Wed, 8 Jul 1998 19:41:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ritchie.loop.com (ritchie-inet.loop.com [207.211.60.70]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA08677; Wed, 8 Jul 1998 19:41:23 -0700 (PDT) (envelope-from cassy@loop.com)
Received: from patty.loop.com (patty-inet.loop.com [207.211.60.69]) by ritchie.loop.com (8.8.7/8.8.7) with SMTP id TAA05617; Wed, 8 Jul 1998 19:38:10 -0700 (PDT) (envelope-from cassy@loop.com)
Date: Wed, 8 Jul 1998 19:36:57 -0700 (PDT)
From: "Cassandra M. Perkins"
To: "Jan B. Koum "
cc: Scot Elliott , freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What version of qpopper is not vulnerable to the hole?

----------------------------------------------------------------------------
| Cassandra M. Perkins              | People usually get what's coming to   |
| Network Operations                | them... unless it's been mailed.      |
| The Loop Internet Switch Co., LLC |                -fortune               |
----------------------------------------------------------------------------

On Sun, 5 Jul 1998, Jan B. Koum wrote:

>         Where have you been all this time? Don't you follow bugtraq?
> Yes, Qualcomm had remote root shell buffer overflow "y3r 0wned"
> type thingie. Exploits for both *bsd and linux systems were published. Get
> cucipop or updated qualcomm pop server.
>
> -- Yan
>
> Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
> www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
> ---------------------------------------+-----------------------------------
> ICMP: What happens when you hack into a military network and they catch you.
>
> On Sun, 5 Jul 1998, Scot Elliott wrote:
>
> >Morning all.
> >
> >I caught someone last night with a root shell on our mail server. I
> >traced it back to somewhere in the US, but unfortunately got locked out
> >and the log files removed before I had time to fix it ;-(
> >
> >I shut the machine down remotely by mounting /usr over NFS and changing
> >/usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
> >;-)
> >
> >Anyway - the point is that it looks like some kind of buffer overflow in
> >the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
> >messages from popper in the log file before it was removed. There was an
> >extra line in /etc/inetd.conf which ran a shell as root on some port I
> >wasn't using (talk I think). So I'm guessing that the exploit allows
> >anyone to run any command as root. Nice. Whoever it was was having a
> >whale of a time with my C compiler for some reason... very dodgy.
> >
> >If I can find out the source of this then I'd like to follow it up. Does
> >anyone have experience of chasing this sort of thing from across the US
> >border? Also, of course, everyone should check their popper version.
> >
> >Cheers
> >
> >
> >Yours - Scot.
> >
> >
> >-----------------------------------------------------------------------------
> >Scot Elliott (scot@poptart.org, scot@nic.cx) | Work: +44 (0)171 7046777
> >PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
> >-----------------------------------------------------------------------------
> >Public key available by finger at: finger scot@poptart.org
> >                            or at: http://www.poptart.org/pgpkey.html
> >
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-isp" in the body of the message
> >
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
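The two checks Scot's post suggests every popper admin should run, written up here as an added example that is not part of the thread or of any FreeBSD or Qualcomm code: scan /etc/inetd.conf for a service line that hands a root shell (or any unexpected root program) to the network, and scan syslog for popper lines carrying the long ^P (0x10) padding runs he saw before the logs were wiped. The inetd.conf contents, the log lines, the popper log wording, the list of shells and the "usual daemon directories" are all constructed or assumed for the example; adjust them for a real host.

```python
import re

# Added example (not from the thread).  All inputs below are constructed
# samples, not real files or logs from any host.

# Shells that have no business being an inetd server program (assumption).
SHELLS = {"/bin/sh", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/bash",
          "/usr/local/bin/bash", "/usr/local/bin/tcsh"}

# Where root-owned network daemons normally live on a FreeBSD 2.2 box
# (assumption for the check; extend it for local installs).
DAEMON_DIRS = ("/usr/libexec/", "/usr/local/libexec/", "/usr/sbin/",
               "/usr/local/sbin/")

# Constructed /etc/inetd.conf.  The last line is a hypothetical backdoor of
# the sort described in the thread: an unused service name bound to a root
# shell.  Field layout is inetd(8)'s:
#   service socktype proto wait/nowait user server_program [args]
SAMPLE_INETD_CONF = """\
# constructed sample, not a real inetd.conf
echo    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd         ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd      telnetd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper -s
#talk   dgram   udp     wait    root    /usr/libexec/talkd        talkd
talk    stream  tcp     nowait  root    /bin/sh                   sh -i
"""


def parse_inetd_conf(text):
    """Return active inetd.conf entries as dicts; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)      # server args stay as one string
        if len(fields) < 6:
            continue                      # malformed; inetd would reject it too
        entries.append({
            "lineno": lineno, "service": fields[0], "socktype": fields[1],
            "proto": fields[2], "wait": fields[3], "user": fields[4],
            "program": fields[5], "args": fields[6] if len(fields) > 6 else "",
        })
    return entries


def suspicious_inetd_entries(text):
    """Flag entries that expose a shell, or an unexpected root program."""
    findings = []
    for e in parse_inetd_conf(text):
        if e["program"] == "internal":    # echo/discard/chargen handled by inetd
            continue
        reasons = []
        if e["program"] in SHELLS:
            reasons.append("server program is a shell")
        if e["user"] == "root" and not e["program"].startswith(DAEMON_DIRS):
            reasons.append("root service outside the usual daemon directories")
        if reasons:
            findings.append((e["lineno"], e["service"], e["program"], reasons))
    return findings


# Constructed syslog lines, loosely modelled on popper's logging (the exact
# wording is assumed).  The middle line is what an overflow attempt padded
# with ^P (0x10) bytes looks like after syslogd's caret escaping.
SAMPLE_LOG = (
    'Jul  5 02:13:41 mail popper[4411]: Servicing request from client.example at 192.0.2.10\n'
    'Jul  5 02:13:42 mail popper[4411]: Unknown command: "' + "^P" * 40 + '"\n'
    'Jul  5 02:20:07 mail popper[4420]: Stats: alice 0 0 3 9120\n'
)

_POPPER = re.compile(r"popper\[(\d+)\]:")


def popper_overflow_attempts(log_text, min_run=16):
    """Return (lineno, pid, run_length) for popper lines with a ^P pad run.

    Matches both syslog's caret form (^P) and raw 0x10 bytes, so it works on
    the text log and on a raw capture alike."""
    pad_run = re.compile(r"(?:\^P|\x10){%d,}" % min_run)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _POPPER.search(line)
        if not m:
            continue
        run = pad_run.search(line)
        if run:
            padded = run.group(0)
            hits.append((lineno, int(m.group(1)),
                         padded.count("^P") + padded.count("\x10")))
    return hits


if __name__ == "__main__":
    for lineno, svc, prog, why in suspicious_inetd_entries(SAMPLE_INETD_CONF):
        print("inetd.conf:%d %s -> %s: %s" % (lineno, svc, prog, "; ".join(why)))
    for lineno, pid, n in popper_overflow_attempts(SAMPLE_LOG):
        print("log line %d: popper[%d] received a %d-byte ^P run" % (lineno, pid, n))
```

Run against the real files (`open("/etc/inetd.conf").read()`, `open("/var/log/messages").read()`) rather than the samples. Note what the first check cannot do: if the intruder has already removed the backdoor line, or replaced a legitimate daemon binary in /usr/libexec instead of adding a line, it will find nothing, so compare the file and the daemon binaries against a known-good copy as well. The log check assumes syslogd's default caret escaping of control characters; popper was logging the overflow payload only because the attempt was noisy, and a later, quieter exploit would leave no such run.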