From owner-freebsd-security Sat Jun 27 11:36:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA12025 for freebsd-security-outgoing; Sat, 27 Jun 1998 11:36:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA12010 for ; Sat, 27 Jun 1998 11:36:18 -0700 (PDT) (envelope-from karl@Mars.mcs.net) Received: from Mars.mcs.net (karl@Mars.mcs.net [192.160.127.85]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id NAA24833; Sat, 27 Jun 1998 13:36:15 -0500 (CDT) Received: (from karl@localhost) by Mars.mcs.net (8.8.7/8.8.2) id NAA00629; Sat, 27 Jun 1998 13:36:14 -0500 (CDT) Message-ID: <19980627133614.42227@mcs.net> Date: Sat, 27 Jun 1998 13:36:14 -0500 From: Karl Denninger To: "Vadim V. Chepkov" Cc: freebsd-security@FreeBSD.ORG Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT References: <35951273.6488@kharkiv.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.84 In-Reply-To: <35951273.6488@kharkiv.net>; from Vadim V. Chepkov on Sat, Jun 27, 1998 at 06:40:35PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Declare the variable static, among other things. Now if you overrun it you cannot corrupt the return stack, as the variable is allocated out of bss at program init, not off the stack as an automatic variable. That's a valid (if messy) "quick fix" for these kinds of problems. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV | NEW! Corporate ISDN Prices dropped by up to 50%! Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost On Sat, Jun 27, 1998 at 06:40:35PM +0300, Vadim V. Chepkov wrote: > Jordan K. 
Hubbard wrote: > > > > > > I've already committed a slightly more intelligent fix to this > > problem. Thanks! > > > > But it doesn't work > > -r-xr-xr-x 1 bin bin 45056 Jun 27 18:26 /usr/local/libexec/popper > > Jun 27 18:28:33 host popper[9784]: @host.foo.bar: -ERR Unknown command: > "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee > Jun 27 18:28:33 host /kernel: pid 9784 (popper), uid 0: exited on signal > 11 > > -- > > Kind regards, > Vadim V. Chepkov > Kharkiv Online ISP > ------------------------------------------------------ > Vadim V. Chepkov, Kharkiv State Polytechnic University > 21 Frunze Str., Kharkiv, Ukraine, 310002 > Tel: +380 572 400279 Fax: +380 572 400592 > e-mail: vvc@kharkiv.net http://www.kharkiv.net/~vvc > ------------------------------------------------------ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
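
The storage-class point in the reply above, as an added example that is not part of the original thread and is not qpopper's code: it records where an automatic and a static buffer live at two call depths, then shows a bounded copy, since a static buffer can still be overrun into neighbouring data. `CMD_MAX`, `static_cmd`, `record`, `static_is_off_stack` and `copy_cmd` are hypothetical names, and the 64-byte size is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 64   /* assumed buffer size, not taken from qpopper */

/* The quick fix from the message: one fixed object in bss, outside any stack frame. */
static char static_cmd[CMD_MAX];

/* Record the address of each kind of buffer at call depth 0 and 1. */
static void record(int depth, uintptr_t autos[2], uintptr_t statics[2]) {
    volatile char auto_cmd[CMD_MAX];   /* automatic: lives in this call's frame */
    auto_cmd[0] = (char)depth;
    autos[depth] = (uintptr_t)auto_cmd;
    statics[depth] = (uintptr_t)static_cmd;
    if (depth == 0)
        record(1, autos, statics);
    auto_cmd[1] = auto_cmd[0];         /* keep this frame's buffer live across the call */
}

/* 1 if the automatic buffer moved with the call stack while the static one stayed put. */
int static_is_off_stack(void) {
    uintptr_t a[2], s[2];
    record(0, a, s);
    return a[0] != a[1] && s[0] == s[1];
}

/* Bounded copy: never writes past dst[cap-1]. Returns 1 if src was truncated. */
int copy_cmd(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    int truncated = n >= cap;
    if (cap == 0)
        return 1;                      /* nothing can be stored */
    if (truncated)
        n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

int main(void) {
    char line[1024];                   /* constructed over-long command, like the log line */
    memset(line, 'e', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    printf("static buffer off the stack: %d\n", static_is_off_stack());
    printf("truncated: %d, stored %zu bytes\n",
           copy_cmd(static_cmd, sizeof static_cmd, line), strlen(static_cmd));
    return 0;
}
```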