Date: Sat, 27 Jun 1998 03:18:04 -0500 (CDT)
From: Igor Roshchin <igor@physics.uiuc.edu>
To: freebsd-security@FreeBSD.ORG
Subject: (FWD) QPOPPER REMOTE ROOT EXPLOIT
Message-ID: <199806270818.DAA19951@alecto.physics.uiuc.edu>
This dumps core on a 2.2.5-RELEASE box. After sending over 40 thousand symbols I just kill -HUP the connection to the popper, and it dumps the core. I don't know how exploitable it is, though. Anybody can come up with a quick patch?

Thanks,
IgoR

>From owner-bugtraq@NETSPACE.ORG Sat Jun 27 01:32:44 1998
Return-Path: <owner-bugtraq@NETSPACE.ORG>
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by alecto.physics.uiuc.edu (8.9.0/8.9.0) with ESMTP id BAA09012 for <igor@ALECTO.PHYSICS.UIUC.EDU>; Sat, 27 Jun 1998 01:32:43 -0500 (CDT)
Received: from unknown@netspace.org (port 24361 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <96303-23463>; Sat, 27 Jun 1998 02:33:46 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 1429436 for BUGTRAQ@NETSPACE.ORG; Sat, 27 Jun 1998 02:31:20 -0400
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by netspace.org (8.8.7/8.8.7) with ESMTP id CAA06737 for <BUGTRAQ@NETSPACE.ORG>; Sat, 27 Jun 1998 02:30:07 -0400
Received: from unknown@netspace.org (port 24361 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <80634-23467>; Sat, 27 Jun 1998 02:32:05 -0400
Approved-By: aleph1@DFW.NET
Received: from musket.eliwhitney.org ([209.182.72.70]) by netspace.org (8.8.7/8.8.7) with ESMTP id BAA28453 for <BUGTRAQ@netspace.org>; Sat, 27 Jun 1998 01:02:39 -0400
Received: from dell166 ([199.174.185.18]) by musket.eliwhitney.org (Netscape Messaging Server 3.5) with SMTP id 373 for <BUGTRAQ@netspace.org>; Sat, 27 Jun 1998 01:04:21 -0400
X-Sender:
X-Mailer:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <19980627050419750.AAA323.373@dell166>
Date: Sat, 27 Jun 1998 00:58:24 -0400
Reply-To: Seth McGann <smm@WPI.EDU>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Seth McGann <smm@WPI.EDU>
Subject: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT
To: BUGTRAQ@NETSPACE.ORG
Status: RO

It's come to my attention that systems around the internet are being exploited using a new remote overflow in Qualcomm's Popper server. Well, let's clear a few things up:

1. The working exploit was stolen from my development account; subsequently MANY sites were cracked in short order. Much of Efnet was compromised as power-crazed script kiddies gained root access on IRCOP boxes, giving themselves O-lines.
2. This vulnerability affects FreeBSD, OpenBSD, and Solaris x86 so far. Other systems are most certainly vulnerable. Linux does not appear vulnerable. To test, simply send the server several thousand characters and see if it crashes. Check the return address to see if it matches.
3. Due to massive exploitation the proper authorities have most likely been notified already. This is a bit of an emergency.
4. You will NOT get the "exploit" from me, don't ask. If you think you're "eleet" enough, do it yourself. I admit I had some help, but it took a while to figure out.
5. The most obvious offender is the vsprintf() on line 66 of pop_msg.c.
6. If you have a problem with my style, I'm sorry. I'm angry at both myself and the members of #conflict who I hold directly responsible for this breach. I will not name names; the offenders know who they are.
7. When I have my head together I will post a patch tomorrow if one is not available by then.
8. For now, disable qpopper or choose another solution till qpopper is secured.

Thank you.

Seth M. McGann / smm@wpi.edu
http://www.wpi.edu/~smm
"Security is making it to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7 19E3 6AF7 4AE7 E250 1C80

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
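The defect named in item 5 of the forwarded message is an unbounded vsprintf() into a fixed-size buffer. The following is an added example, not qpopper's code and not the poster's: it shows that pattern as a comment beside a bounded vsnprintf() replacement that reports truncation instead of writing past the buffer, and checks it against a constructed oversized argument of the kind the message describes. The buffer size (1024), the probe length (4000), the "-ERR %s\r\n" reply format and all function names are assumptions for the example; the page gives only the file and line.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed reply buffer size for this example; the page does not give the
 * real size used in qpopper's pop_msg.c. */
#define REPLY_BUF_SIZE 1024

/* Length of the constructed oversized probe ("several thousand characters"
 * in the post); the exact value is an assumption for the example. */
#define PROBE_LEN 4000

/*
 * "Before" shape of the bug the post points at: a variadic reply helper that
 * formats caller-influenced text into a fixed buffer with vsprintf().
 * vsprintf() never learns the buffer size, so a long argument writes past the
 * end of buf.  Kept here as a comment only, so this example never executes
 * the overflow:
 *
 *   static void pop_msg_unbounded(const char *fmt, ...)
 *   {
 *       char buf[REPLY_BUF_SIZE];
 *       va_list ap;
 *       va_start(ap, fmt);
 *       vsprintf(buf, fmt, ap);        // unbounded write
 *       va_end(ap);
 *       fputs(buf, stdout);
 *   }
 */

/* Hardened form: vsnprintf() is given the buffer size.  It never writes more
 * than out_size bytes (including the NUL) and returns the length the full
 * output would have had, which lets the caller detect truncation. */
static int format_reply(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    return needed;   /* <0 on error; >= out_size means truncated */
}

/* Number of bytes the "-ERR <text>\r\n" reply would need, or -1 on error. */
int reply_length_needed(const char *user_text)
{
    char buf[REPLY_BUF_SIZE];
    return format_reply(buf, sizeof buf, "-ERR %s\r\n", user_text);
}

/* True when the reply fits in REPLY_BUF_SIZE without truncation.  A server
 * would typically refuse or log such a request rather than silently cut it. */
bool reply_fits(const char *user_text)
{
    int needed = reply_length_needed(user_text);
    return needed >= 0 && (size_t)needed < REPLY_BUF_SIZE;
}

/* Constructed probe: PROBE_LEN 'A's, the kind of oversized input the post
 * says crashes an unpatched popper.  With the bounded helper it is merely
 * reported as not fitting. */
const char *constructed_probe(void)
{
    static char probe[PROBE_LEN + 1];
    if (probe[0] == '\0') {
        memset(probe, 'A', PROBE_LEN);
        probe[PROBE_LEN] = '\0';
    }
    return probe;
}

int main(void)
{
    const char *normal = "no such message";
    printf("normal reply: needs %d bytes, fits=%d\n",
           reply_length_needed(normal), reply_fits(normal));
    printf("probe reply:  needs %d bytes, fits=%d\n",
           reply_length_needed(constructed_probe()),
           reply_fits(constructed_probe()));
    return 0;
}
```

The check a practitioner wants from the bounded version is the return value, not just the absence of a crash: vsnprintf() tells you the output was longer than the buffer, so the caller can drop or log the request. Compiling the original vsprintf() form with an address sanitizer (for example gcc or clang with -fsanitize=address) and feeding it the same probe is the quick way to confirm the out-of-bounds write on a test box.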
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199806270818.DAA19951>