From owner-freebsd-isp Sun Jul 5 03:03:28 1998
Message-ID: <19980705193250.N18970@freebie.lemis.com>
Date: Sun, 5 Jul 1998 19:32:50 +0930
From: Greg Lehey
To: Scot Elliott , freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
In-Reply-To: ; from Scot Elliott on Sun, Jul 05, 1998 at 10:14:58AM +0100
X-Mailer: Mutt 0.91.1i
WWW-Home-Page: http://www.lemis.com/~grog
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-41-739-7062
Sender: owner-freebsd-isp@FreeBSD.ORG

On Sunday, 5 July 1998 at 10:14:58 +0100, Scot Elliott wrote:
> Morning all.
>
> I caught someone last night with a root shell on our mail server. I
> traced it back to somewhere in the US, but unfortunately got locked out
> and the log files removed before I had time to fix it ;-(
>
> I shut the machine down remotely by mounting /usr over NFS and changing
> /usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
> ;-)
>
> Anyway - the point is that it looks like some kind of buffer overflow in
> the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
> messages from popper in the log file before it was removed. There was an
> extra line in /etc/inetd.conf which ran a shell as root on some port I
> wasn't using (talk I think). So I'm guessing that the exploit allows
> anyone to run any command as root. Nice. Whoever it was was having a
> whale of a time with my C compiler for some reason... very dodgy.
>
> If I can find out the source of this then I'd like to follow it up. Does
> anyone have experience of chasing this sort of thing from across the US
> border? Also, of course, everyone should check their popper version.

Yes, it looks as if your assessment was right. The problem was fixed on
June 28.

Greg
--
See complete headers for address and phone numbers
finger grog@lemis.com for PGP public key
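Two defender-side checks built from the indicators Scot describes (an extra inetd.conf entry handing a root shell to any client, and popper log lines full of ^P bytes), added here as an example; this is not code from the original thread. The inetd.conf and log file are constructed samples, and the log line format is assumed, not taken from any real popper build.

```sh
#!/bin/sh
# Added example, not from the original message. Sample inputs are
# constructed inline so the script runs stand-alone.

# inetd.conf fields: service socktype proto wait user server-program args.
# Print the number of non-comment entries whose server program or first
# argument is an interactive shell; each hit is also echoed to stderr.
count_shell_services() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        NF >= 6 && ($6 ~ /\/(sh|csh|bash|ksh)$/ || $7 ~ /\/(sh|csh|bash|ksh)$/) {
            n++; print "SUSPECT: " $0 > "/dev/stderr"
        }
        END { print n + 0 }'
}

# Count log lines containing a run of four or more ^P (0x10) bytes, the
# pattern the poster saw popper writing before the logs were wiped.
count_ctrl_p_lines() {
    awk -v p="$(printf '\020\020\020\020')" \
        'index($0, p) { n++ } END { print n + 0 }' "$1"
}

# Constructed sample inputs (not data from any real system).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/inetd.conf" <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd         ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd      telnetd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper -s
#talk   dgram   udp     wait    root    /usr/libexec/ntalkd       ntalkd
talk    stream  tcp     nowait  root    /bin/sh                   sh -i
EOF

# \020 is octal for 0x10 (^P); the message text is an assumed format.
{
    printf 'Jul  4 23:51:02 mail popper[1234]: request from 192.0.2.10\n'
    printf 'Jul  4 23:51:03 mail popper[1234]: \020\020\020\020\020\020\020\020\n'
    printf 'Jul  4 23:51:05 mail popper[1235]: \020\020\020\020\020\020\020\020\n'
    printf 'Jul  4 23:52:10 mail popper[1236]: request from 192.0.2.11\n'
} > "$TMP/maillog"

echo "shell-spawning inetd entries: $(count_shell_services "$TMP/inetd.conf")"
echo "popper lines with ^P runs:    $(count_ctrl_p_lines "$TMP/maillog")"
```

Run against the live /etc/inetd.conf and /var/log/maillog, any non-zero count is worth a look, and on a 2.2.6 box the popper version should be compared against the June 28 fix Greg mentions.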