Date:      Tue, 30 May 2000 00:31:53 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        sen_ml@eccosys.com
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: QPOPPER: Remote gid mail exploit
Message-ID:  <Pine.BSF.4.21.0005300028250.52225-100000@freefall.freebsd.org>
In-Reply-To: <20000530113403A.1001@eccosys.com>

On Tue, 30 May 2000 sen_ml@eccosys.com wrote:

> > As with the IMAP exploit, this will give people a shell, which they usually
> > didn't have beforehand, when they are just popusers.
> 
> since the problem has to do w/ a pop command that's issued after
> successful authentication, if the user already has shell access, then
> there isn't anything to worry about, is there?  or is the shell
> running as some other user?

I don't believe this (the text you replied to above) is true. As I
understand it the vulnerability is that an attacker can send an email with
a certain header which will be parsed by the pop server when a client
downloads the email using the EUIDL command, at which point the buffer
overflows and can execute arbitrary code as gid mail (or whatever the pop
server runs as). So it's much worse than the imap hole. As a consolation,
it's harder to exploit on FreeBSD because of a fix we made in the port,
but it's still reportedly exploitable.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>


