Date: Sat, 27 Jun 1998 00:58:24 -0400
From: Seth McGann <[email protected]>
To: [email protected]Subject: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT
Its come to my attention that systems around the internet are being
exploited using a new remote overflow in Qualcomm's Popper server. Well,
lets clear a few things up:
1. The working exploit was stolen from my development account,
subsequently MANY sites were cracked in short order. Much of Efnet was
compromised as power crazed script kiddies gained root access on IRCOP
boxes, giving themselves O-lines.
2. This vulnerability effects FreeBSD, OpenBSD, and Solaris x86 so far.
Other systems are most certainly vulnerable. Linux does not appear
vulnerable. To test, simply send the sever several thousand characters and
see if it crashed. Check the return address to see if it matches.
3. Due to massive exploitation the proper authorities have most likely
been notified already. This is a bit of an emergency.
4. You will NOT get the "exploit" from me, don't ask. If you think your
"eleet" enough, do it yourself. I admit I had some help, but it took a
while to figure out.
5. The most obvious offender is the vsprintf() on line 66 of pop_msg.c.
6. If you have a problem with my style, I'm sorry. I'm angry at both
myself and the members of #conflict who I hold directly responsible for
this breach. I will not name names, the offenders know who they are.
7. When I have my head together I will post a patch tomorrow if one is not
available by then.
8. For now, disable qpopper or choose another solution till qpopper is
secured.
Thank you.
Seth M. McGann / [email protected] "Security is making it
http://www.wpi.edu/~smm to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7 19E3 6AF7 4AE7 E250 1C80