Date:      Sat, 27 Jun 1998 05:17:48 -0700 (PDT)
From:      Jason Godsey <godsey@godsey.net>
To:        isp@FreeBSD.ORG
Cc:        current@FreeBSD.ORG
Subject:   !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT (fwd)
Message-ID:  <Pine.BSF.3.96.980627051733.18856A-100000@shaw.fidalgo.net>



--
Jason Godsey - godsey@godsey.net - http://www.godsey.net/

---------- Forwarded message ----------
Date: Sat, 27 Jun 1998 00:58:24 -0400
From: Seth McGann <smm@WPI.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT

It's come to my attention that systems around the internet are being
exploited using a new remote overflow in Qualcomm's Popper server.  Well,
let's clear a few things up:

1.  The working exploit was stolen from my development account,
subsequently MANY sites were cracked in short order.  Much of Efnet was
compromised as power crazed script kiddies gained root access on IRCOP
boxes, giving themselves O-lines.

2.  This vulnerability affects FreeBSD, OpenBSD, and Solaris x86 so far.
Other systems are most certainly vulnerable.  Linux does not appear
vulnerable.  To test, simply send the server several thousand characters and
see if it crashes.  Check the return address to see if it matches.

3.  Due to massive exploitation the proper authorities have most likely
been notified already.  This is a bit of an emergency.

4.  You will NOT get the "exploit" from me, don't ask.  If you think you're
"eleet" enough, do it yourself.  I admit I had some help, but it took a
while to figure out.

5.  The most obvious offender is the vsprintf() on line 66 of pop_msg.c.

6.  If you have a problem with my style, I'm sorry.  I'm angry at both
myself and the members of #conflict who I hold directly responsible for
this breach.  I will not name names, the offenders know who they are.

7.  When I have my head together I will post a patch tomorrow if one is not
available by then.

8.  For now, disable qpopper or choose another solution till qpopper is
secured.

Thank you.



Seth M. McGann / smm@wpi.edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80
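The posting points at an unbounded vsprintf() into a fixed reply buffer (point 5) and tells admins to test by sending several thousand characters and watching for a crash (point 2). The C below is an added example of that bug class and its fix, written for this archive page; it is not qpopper's pop_msg.c and does not reproduce its code. The buffer size MSG_BUF, the function names pop_msg_unbounded / pop_msg_bounded / reply_overflowed / long_arg_overflows / stored_reply_len and the "-ERR %s" format are all assumptions chosen for illustration.

```c
/* Added example: why an unbounded vsprintf() into a fixed reply buffer is
 * exploitable, and how the same call looks once bounded.  Hypothetical
 * reconstruction for illustration only, NOT qpopper's pop_msg.c. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_BUF 1024   /* assumed size of the server's reply buffer (hypothetical) */

/* Vulnerable pattern.  vsprintf() cannot know how big buf is; a client-
 * supplied argument longer than MSG_BUF runs past the buffer and can
 * overwrite the saved return address, which is exactly what the posting
 * says to look at after the crash.  Never feed this untrusted input; it is
 * here only for comparison and is called below with a short literal. */
static int pop_msg_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsprintf(buf, fmt, ap);       /* no length limit at all */
    va_end(ap);
    return n;
}

/* Hardened pattern.  vsnprintf() writes at most buflen bytes (NUL included)
 * and returns the length the full message would have had, so the caller
 * can detect truncation instead of corrupting the stack. */
static int pop_msg_bounded(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    return n;
}

/* 1 if a message needing `needed` bytes (vsnprintf's return value, NUL not
 * counted) would not have fit in buflen bytes, i.e. the unbounded version
 * would have overflowed; also 1 on a formatting error (negative). */
int reply_overflowed(int needed, size_t buflen)
{
    return needed < 0 || (size_t)needed >= buflen;
}

/* Build the probe the posting describes: an argument of arglen 'A's,
 * formatted the way an error reply echoing client text would be.  Returns
 * 1 when the bounded formatter reports that the unbounded one would have
 * overflowed MSG_BUF, 0 if it fits, -1 on allocation failure. */
int long_arg_overflows(size_t arglen)
{
    char buf[MSG_BUF];
    char *arg = malloc(arglen + 1);
    int needed, rc;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    needed = pop_msg_bounded(buf, sizeof buf, "-ERR %s", arg);
    rc = reply_overflowed(needed, sizeof buf);
    free(arg);
    return rc;
}

/* Length of the reply actually stored for an arglen-byte argument: capped
 * at MSG_BUF - 1 no matter how much the client sends. */
size_t stored_reply_len(size_t arglen)
{
    char buf[MSG_BUF];
    char *arg = malloc(arglen + 1);
    size_t len;
    if (arg == NULL)
        return 0;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    (void)pop_msg_bounded(buf, sizeof buf, "-ERR %s", arg);
    len = strlen(buf);
    free(arg);
    return len;
}

int main(void)
{
    char small[MSG_BUF];
    /* Safe only because the argument is a short, trusted literal. */
    pop_msg_unbounded(small, "+OK %s", "POP3 ready");
    printf("%s\n", small);
    printf("10-byte arg overflows: %d, stored len %zu\n",
           long_arg_overflows(10), stored_reply_len(10));
    printf("4000-byte arg overflows: %d, stored len %zu\n",
           long_arg_overflows(4000), stored_reply_len(4000));
    return 0;
}
```

The bounded version alone does not make the server correct: a truncated reply is still wrong, so the caller should treat reply_overflowed() returning 1 as a protocol error (log it and drop the client) rather than silently sending the cut-off line. What it does remove is the memory write past the buffer, which is the part an attacker turns into code execution.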




