From owner-freebsd-security Tue May 30 0:31:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 514DD37BD4A; Tue, 30 May 2000 00:31:53 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id AAA56545; Tue, 30 May 2000 00:31:53 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Tue, 30 May 2000 00:31:53 -0700 (PDT)
From: Kris Kennaway
To: sen_ml@eccosys.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
In-Reply-To: <20000530113403A.1001@eccosys.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 30 May 2000 sen_ml@eccosys.com wrote:

> > As with the IMAP exploit, this will give people a shell, which they usually
> > didn't have beforehand, when they are just popusers.
>
> since the problem has to do w/ a pop command that's issued after
> successful authentication, if the user already has shell access, then
> there isn't anything to worry about, is there? or is the shell
> running as some other user?

I don't believe this (the text you replied to above) is true. As I understand it the vulnerability is that an attacker can send an email with a certain header which will be parsed by the pop server when a client downloads the email using the EUIDL command, at which point the buffer overflows and can execute arbitrary code as gid mail (or whatever the pop server runs as). So it's much worse than the imap hole.

As a consolation, it's harder to exploit on FreeBSD because of a fix we made in the port, but it's still reportedly exploitable.

Kris
----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
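The defect class Kris describes, an attacker-supplied header value copied into a fixed-size buffer while the server handles EUIDL, is illustrated by the added example below; it is not qpopper's code nor the FreeBSD port's fix. It shows the hardened side only: a bounded header extractor that rejects a value too large for its buffer instead of overflowing. The header name X-UIDL, the buffer size FIELD_MAX and the message contents are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stddef.h>

#define FIELD_MAX 64   /* assumed fixed buffer size, chosen for illustration */

/* Copy the value of header `name` from the header block of `msg` into
 * `out` (capacity `outsz`).  Returns 1 on success, 0 if the header is
 * absent, -1 if the value would not fit.  An unbounded strcpy/sprintf
 * into `out` at the marked line is the bug class on the page; this
 * version never writes past `outsz`. */
int header_value(const char *msg, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *line = msg;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                          /* blank line ends headers */
        if (len > nlen && strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            size_t vlen = len - nlen - 1;
            while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            if (vlen >= outsz) return -1;             /* reject: would overflow */
            memcpy(out, v, vlen);                     /* bounded copy */
            out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Build a constructed message whose X-UIDL value is `n` 'A' bytes and
 * run it through the extractor with a FIELD_MAX-sized buffer. */
int check_uidl_len(size_t n)
{
    char msg[512], uidl[FIELD_MAX];
    if (n > 400) return -2;                           /* keep inside msg[] */
    int off = snprintf(msg, sizeof msg, "From: a@example.com\nX-UIDL: ");
    memset(msg + off, 'A', n);
    off += (int)n;
    snprintf(msg + off, sizeof msg - (size_t)off, "\n\nbody\n");
    return header_value(msg, "X-UIDL", uidl, sizeof uidl);
}

/* A header-looking line after the blank line is body text and is ignored. */
int body_uidl_ignored(void)
{
    char uidl[FIELD_MAX];
    return header_value("Subject: x\n\nX-UIDL: abc\n", "X-UIDL", uidl, sizeof uidl) == 0;
}
```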