From owner-freebsd-security Wed May 19 21:22:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2])
	by hub.freebsd.org (Postfix) with ESMTP id 198E714D1A
	for ; Wed, 19 May 1999 21:22:52 -0700 (PDT)
	(envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Wed, 19 May 1999 22:22:48 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com
	via smap (V3.1.1) id xma019804; Wed, 19 May 99 22:22:41 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2)
	id WAA15649; Wed, 19 May 1999 22:22:03 -0600 (MDT)
Date: Wed, 19 May 1999 22:22:02 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: "Andrew G. Russell"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: attack or failure
In-Reply-To: <199905200403.XAA16431@tyr.agrknives.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 19 May 1999, Andrew G. Russell wrote:

> This system will be upgraded to 2.2.8, but I sure would like some clue as
> to how it happened.

Were you running a POP or IMAP server? If so, what version? There are
well-known and quite easily exploited holes in the University of
Washington IMAP2bis and IMAP4 servers and the Qualcomm POP server, and
exploits are publicly available and in widespread use. Each exploit gives
a remote attacker an instant root shell on your system.

You mention using sendmail 8.8.4, which I also recall had an exploitable
buffer overflow in the MIME decoding code, which in theory could also be
a possible avenue of remote attack, though I am not aware of any public
exploits for this hole.

Now if the attack could have been initiated locally by a user with shell
access on your system, there are many other known holes in versions of
FreeBSD as old as 2.1.5, such as the suidperl buffer overflow, the rdist
buffer overflow, the procfs hole, or the lpr buffer overflow, to name a
few.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/