From owner-freebsd-security Wed Jul 29 09:40:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA29921 for freebsd-security-outgoing; Wed, 29 Jul 1998 09:40:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA29830 for ; Wed, 29 Jul 1998 09:40:20 -0700 (PDT) (envelope-from peter@netplex.com.au)
Received: from spinner.netplex.com.au (localhost [127.0.0.1]) by spinner.netplex.com.au (8.8.8/8.8.8/Spinner) with ESMTP id AAA02315; Thu, 30 Jul 1998 00:38:50 +0800 (WST) (envelope-from peter@spinner.netplex.com.au)
Message-Id: <199807291638.AAA02315@spinner.netplex.com.au>
X-Mailer: exmh version 2.0.2 2/24/98
To: "Jan B. Koum "
cc: Show Boat , security@FreeBSD.ORG
Subject: Re: Post qpopper trauma
In-reply-to: Your message of "Tue, 28 Jul 1998 15:05:45 MST."
Date: Thu, 30 Jul 1998 00:38:49 +0800
From: Peter Wemm
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jan B. Koum " wrote:
[..]
> >That it is popper scares me. The time frame is appropriate, as the
> >eggdrop was launched in the 7pm hour of Jul 24.
>
> As jkh said at one point: it is qpopper source which should scare
> you. :)

That's nothing.. Look at the cucipop source... :-]  I dare anybody to figure out why it's miscounting the message byte lengths from the mailbox in under 5 minutes without tracing the flow of execution.. The cucipop code truly has to be seen to be believed......

eg:
=======
    }
  }
;{
  int namelen=sizeof peername;
  if(getpeername(fileno(sockin),(struct sockaddr*)&peername,&namelen)&&
     !debug&&(errno==ENOTSOCK||errno==EINVAL))
   { int serverfd,curfd;
     signal(SIGHUP,SIG_IGN);signal(SIGPIPE,SIG_IGN);fclose(stdin);
     fclose(stdout);serverfd=socket(AF_INET,SOCK_STREAM,TCP_PROT);
     peername.sin_family=AF_INET;peername.sin_addr.s_addr=INADDR_ANY;
     peername.sin_port=htons(port);curfd=-1;
     setsockopt(serverfd,SOL_SOCKET,SO_REUSEADDR,&curfd,sizeof curfd);
     if(bind(serverfd,(struct sockaddr*)&peername,sizeof peername))
=======

I've heard 'you can write fortran code in any language'.. I suspect this is C written by an assembler programmer. The handcrafted optimization reminds me of dark periods in my past of trying to save every last clock cycle and/or byte of memory. However, I feel a lot more confident about the safety of cucipop than qpopper..

> >I've looked through the 'last' log extensively. Again, nothing I cannot
> >account for. Anyone with potential root access (sudo) logged from an IP
> >I can account for.
>
> Unless you have a syslog daemon log to another SECURE host, you
> have no idea if your logs have been modified by an attacker.

If you are running named, check that you've got 4.9.7 or later.. I've seen a couple of script tools now that specifically scan for the old vulnerable named on freebsd systems.

Have a good look at places like www.rootshell.com and use their stuff on your system to see what can get in.. You might be surprised what old stuff you have around that's been forgotten about.

Cheers,
-Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
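The cucipop fragment quoted in the post is doing one ordinary thing: decide whether the daemon was started by inetd (stdin is already the client connection) or from a shell (stdin is a tty, pipe or file), and in the latter case open its own listening socket. The following is an added, readable rendering of that logic; it is not cucipop's code and not from the original post. It assumes a placeholder port (1100) for the stand-alone demo and binds the loopback address rather than INADDR_ANY so it can be run safely on any host. The thing worth noticing against the original is the SO_REUSEADDR call: the fragment reuses the unrelated `curfd` variable (set to -1, i.e. non-zero) as the option value, which works by accident; here the flag is a named variable with the intended value.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if fd is a connected socket (the inetd case), 0 if fd is not a
 * socket at all (started from a shell), -1 on any other error. This is the
 * getpeername()/ENOTSOCK test from the quoted fragment with the intent
 * spelled out. */
int fd_is_connected_socket(int fd)
{
    struct sockaddr_storage peer;
    socklen_t len = sizeof peer;

    if (getpeername(fd, (struct sockaddr *)&peer, &len) == 0)
        return 1;
    if (errno == ENOTSOCK || errno == EINVAL)
        return 0;
    return -1;
}

/* Open a TCP listener on 127.0.0.1:port (a real daemon would use INADDR_ANY).
 * Port 0 lets the kernel choose a free port, which the self-check relies on.
 * Returns the listening fd or -1. */
int open_listener(uint16_t port)
{
    int reuse = 1;               /* explicit option value, not a borrowed int */
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof reuse) < 0) {
        close(fd);
        return -1;
    }
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report the port a listening fd ended up bound to (0 on error). */
int bound_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;

    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
        return 0;
    return ntohs(addr.sin_port);
}

/* Exercise the two paths without network access: a socketpair stands in
 * for an inetd-supplied connection, a pipe for a shell-started stdin.
 * Returns 1 when every check passes, 0 otherwise. */
int run_self_check(void)
{
    int sv[2], p[2], lfd, ok = 1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    ok &= (fd_is_connected_socket(sv[0]) == 1);
    close(sv[0]);
    close(sv[1]);

    if (pipe(p) != 0)
        return 0;
    ok &= (fd_is_connected_socket(p[0]) == 0);
    close(p[0]);
    close(p[1]);

    lfd = open_listener(0);
    ok &= (lfd >= 0) && (bound_port(lfd) > 0);
    if (lfd >= 0)
        close(lfd);
    return ok;
}

int main(void)
{
    if (fd_is_connected_socket(STDIN_FILENO) == 1) {
        puts("started by inetd: stdin is the client connection");
        return 0;
    }
    int lfd = open_listener(1100);  /* hypothetical demo port */
    if (lfd < 0) {
        perror("open_listener");
        return 1;
    }
    printf("standalone: listening on 127.0.0.1:%d\n", bound_port(lfd));
    close(lfd);
    return 0;
}
```

Run from a shell the program takes the stand-alone branch; piped a socket on stdin (as inetd would do) it takes the other. The error handling on every socket call is the other thing the original omits: a failed `socket()` there would hand -1 to `setsockopt()` and `bind()` and only the last of them is checked.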