Date: Mon, 20 Jul 1998 10:00:29 +1000 (EST)
From: Nicholas Charles Brawn
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807191709.LAA28734@lariat.lariat.org>

On Sun, 19 Jul 1998, Brett Glass wrote:

> Our system has been penetrated via a buffer overflow exploit in Qualcomm's
> QPOPPER, as obtained from the FreeBSD ports library. But there's no
> advisory about this on FreeBSD's site.... In fact, we learned of the
> exploit only because the cracker was sloppy.
>
> We need advice on resecuring the system and preventing future incidents of
> this kind. CERT has been utterly unresponsive; they seem to have ignored
> our two e-mails asking for help. Any help we can get from members of the
> FreeBSD community would be MUCH appreciated.

CERT typically ignores requests for help unless you are a very large
company. Small ISPs and businesses connected to the internet are unlikely
to receive personal assistance.

However, CERT has put out an advisory on the qpopper vulnerability:

ftp.cert.org:/pub/cert_advisories/CA-98.08.qpopper_vul

From the vendor information page:
"Versions of QUALCOMM qpopper prior to 2.5 are vulnerable. QUALCOMM
recommends upgrading to the most recent version..."

CERT also has a paper on recovering from incidents which is accessible
from their web page and ftp site.

And finally, two other sites you should keep an eye on:

http://www.freebsd.org/security/security.html (FreeBSD Security Guide)
http://www.watson.org/fbsd-hardening/ (FreeBSD Hardening Project)

>
> --Brett Glass

Good luck,
Nick :)

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown