From: "Jan B. Koum"
Date: Sun, 5 Jul 1998 03:48:30 -0700 (PDT)
To: Scot Elliott
Cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server

Where have you been all this time? Don't you follow bugtraq? Yes,
Qualcomm had remote root shell buffer overflow "y3r 0wned" type thingie.
Exploits for both *bsd and linux systems were published. Get cucipop or
updated qualcomm pop server.

-- Yan

Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve  |  to go home in the dark."
---------------------------------------+-----------------------------------
ICMP: What happens when you hack into a military network and they catch you.

On Sun, 5 Jul 1998, Scot Elliott wrote:

>Morning all.
>
>I caught someone last night with a root shell on our mail server. I
>traced it back to somewhere in the US, but unfortunately got locked out
>and the log files removed before I had time to fix it ;-(
>
>I shut the machine down remotely by mounting /usr over NFS and changing
>/usr/libexec/atrun to a shell script that runs /sbin/shutdown (neat huh?
>;-)
>
>Anyway - the point is that it looks like some kind of buffer overflow in
>the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
>messages from popper in the log file before it was removed. There was an
>extra line in /etc/inetd.conf which ran a shell as root on some port I
>wasn't using (talk I think). So I'm guessing that the exploit allows
>anyone to run any command as root. Nice. Whomever it was was having a
>whale of a time with my C compiler for some reason... very dodgy.
>
>If I can find out the source of this then I'd like to follow it up. Does
>anyone have experience of chasing this sort of thing from across the US
>border? Also, of course, everyone should check their popper version.
>
>Cheers
>
>
>Yours - Scot.
>
>
>-----------------------------------------------------------------------------
>Scot Elliott (scot@poptart.org, scot@nic.cx)    | Work: +44 (0)171 7046777
>PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
>-----------------------------------------------------------------------------
>Public key available by finger at: finger scot@poptart.org
>                            or at: http://www.poptart.org/pgpkey.html
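
A triage check for the two indicators described in the message above (runs of ^P in popper's log entries and an inetd.conf entry that starts a shell as root), as an added example that is not part of the original thread. The sample files, the eight-repeat threshold and the function names are assumptions constructed for illustration.

```python
import re

# Interpreters that should never be the server program of an inetd service.
SHELLS = {"sh", "csh", "tcsh", "bash", "ksh", "zsh"}
# Eight or more consecutive "^P" (the threshold is an assumption of this example).
PAD_RUN = re.compile(r"(?:\^P){8,}")

def suspicious_inetd_entries(conf_text):
    """Return (line_no, service, program) for entries that run a shell as root."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        # service socket-type protocol wait/nowait user server-program [args]
        if len(fields) < 6:
            continue
        service, user, program = fields[0], fields[4], fields[5]
        user = re.split(r"[:./]", user)[0]       # strip group / login class
        if user == "root" and program.rsplit("/", 1)[-1] in SHELLS:
            hits.append((no, service, program))
    return hits

def suspicious_popper_lines(log_text):
    """Return line numbers of popper log entries containing a long ^P run."""
    return [no for no, line in enumerate(log_text.splitlines(), 1)
            if " popper[" in line and PAD_RUN.search(line)]

# Constructed sample files, not taken from the compromised host.
SAMPLE_INETD = """\
# constructed inetd.conf excerpt
pop3  stream  tcp  nowait  root  /usr/local/libexec/popper  popper
ftp   stream  tcp  nowait  root  /usr/libexec/ftpd          ftpd -l
#talk dgram   udp  wait    root  /usr/libexec/ntalkd        ntalkd
talk  stream  tcp  nowait  root  /bin/sh                    sh -i
"""
SAMPLE_LOG = """\
Jul  4 23:10:01 mail popper[211]: connection from 192.0.2.10
Jul  4 23:58:40 mail popper[402]: ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Jul  4 23:59:02 mail popper[403]: ^P^P
"""

if __name__ == "__main__":
    for no, service, program in suspicious_inetd_entries(SAMPLE_INETD):
        print(f"inetd.conf:{no}: {service} runs {program} as root")
    for no in suspicious_popper_lines(SAMPLE_LOG):
        print(f"maillog:{no}: long ^P run in popper entry")
```

Because the intruder in the report removed the local logs, a check like this is only useful against a copy of the log kept off the host, for example on a remote syslog server.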