From owner-freebsd-security Mon May 29 19:34:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nsm.htp.org (nsm.htp.org [202.241.243.104])
	by hub.freebsd.org (Postfix) with SMTP id 8E52B37B50B
	for ; Mon, 29 May 2000 19:34:04 -0700 (PDT)
	(envelope-from sen_ml@eccosys.com)
Received: (qmail 18987 invoked from network); 30 May 2000 02:29:49 -0000
Received: from localhost (127.0.0.1)
	by localhost with SMTP; 30 May 2000 02:29:49 -0000
To: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
From: sen_ml@eccosys.com
In-Reply-To: <20000529161403.H19887@vuurwerk.nl>
References: <20000525160410I.1001@eccosys.com> <20000529161403.H19887@vuurwerk.nl>
X-Mailer: Mew version 1.94.1 on Emacs 20.6 / Mule 4.0 (HANANOEN)
X-No-Archive: Yes
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20000530113403A.1001@eccosys.com>
Date: Tue, 30 May 2000 11:34:03 +0900
X-Dispatcher: imput version 20000228(IM140)
Lines: 19
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: Peter van Dijk
Subject: Re: QPOPPER: Remote gid mail exploit
Date: Mon, 29 May 2000 16:14:03 +0200
Message-ID: <20000529161403.H19887@vuurwerk.nl>

> On Thu, May 25, 2000 at 04:04:10PM +0900, sen_ml@eccosys.com wrote:
> [snip]
>
> > while patching and restarting a qpopper server locally, i started
> > wondering...how much of a problem is this on a freebsd system where
> > /var/mail or /var/spool/mail is not setgid mail?
>
> As with the IMAP exploit, this will give people a shell, which they usually
> didn't have beforehand, when they are just popusers.

since the problem has to do w/ a pop command that's issued after
successful authentication, if the user already has shell access, then
there isn't anything to worry about, is there? or is the shell
running as some other user?