Date: Tue, 30 May 2000 16:52:32 +0900
From: sen_ml@eccosys.com
To: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
Message-ID: <20000530165232H.1001@eccosys.com>
In-Reply-To: <Pine.BSF.4.21.0005300028250.52225-100000@freefall.freebsd.org>
References: <20000530113403A.1001@eccosys.com> <Pine.BSF.4.21.0005300028250.52225-100000@freefall.freebsd.org>

From: Kris Kennaway <kris@FreeBSD.org>
Subject: Re: QPOPPER: Remote gid mail exploit
Date: Tue, 30 May 2000 00:31:53 -0700 (PDT)
Message-ID: <Pine.BSF.4.21.0005300028250.52225-100000@freefall.freebsd.org>

> On Tue, 30 May 2000 sen_ml@eccosys.com wrote:
>
> > > As with the IMAP exploit, this will give people a shell, which they usually
> > > didn't have beforehand, when they are just popusers.
> >
> > since the problem has to do w/ a pop command that's issued after
> > successful authentication, if the user already has shell access, then
> > there isn't anything to worry about, is there? or is the shell
> > running as some other user?
>
> I don't believe this (the text you replied to above) is true. As I
> understand it the vulnerability is that an attacker can send an email with
> a certain header which will be parsed by the pop server when a client
> downloads the email using the EUIDL command, at which point the buffer
> overflows and can execute arbitrary code as gid mail (or whatever the pop
> server runs as). So it's much worse than the imap hole.

thanks a lot for the explanation.

> As a consolation, it's harder to exploit on FreeBSD because of a fix
> we made in the port, but it's still reportedly exploitable.

i'm a bit confused here -- does this mean the current port is still
vulnerable or that the port available at the time of the exploit
announcement happened to be hard to exploit?