Bugtraq mailing list archives
Re: imapd/ipop3d coredump in slackware 3.4
From: dgriffi () ULTRIX6 CS CSUBAK EDU (Dave)
Date: Sun, 1 Feb 1998 23:33:47 -0800
On Mon, 2 Feb 1998, Peter van Dijk wrote:
[attic bug report nr. 1] While fooling around a little with NIS/YP (didn't get it completely working...) I ran into a bug in the imapd and ipop3d that come with slackware 3.4 (if you install the pine package). Earlier slackware versions will problably NOT suffer from this bug, because they did not include shadowing. When fed an unknown username, imapd and ipop3d will dump core:
[exploit snipped] Slackware 3.3 includes does include shadowing. Apparently, the stock ipop3d is not vunerable, but imapd is. thumper:/$ telnet thumper 110 Trying 127.0.0.1... Connected to thumper.woods.com. Escape character is '^]'. +OK thumper POP3 Server (Version 1.005h) ready at <Sun Feb 01 23:09:25 1998> user root +OK please send PASS command pass linux -ERR invalid usercode or password, please try again user john +OK please send PASS command pass doe -ERR invalid usercode or password, please try again quit +OK arthur POP3 Server (Version 1.005h) shutdown. Connection closed by foreign host. thumper:/$ ls -l core /bin/ls: core: No such file or directory thumper:/$ thumper:/$ telnet thumper imap2 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. * OK thumper.woods.com IMAP2bis Service 7.8(100) at Sun, 1 Feb 1998 23:15:45 -0800 (PST) A001 LOGIN root linux A001 NO Bad LOGIN user name and/or password A002 LOGIN john doe Connection closed by foreign host. thumper:/$ ls -l core -rw------- 1 root root 282624 Feb 1 23:16 core thumper:/$ -- David Griffith dgriffi () ultrix6 cs csubak edu
Current thread:
- imapd/ipop3d coredump in slackware 3.4 Peter van Dijk (Feb 01)
- Re: imapd/ipop3d coredump in slackware 3.4 Peter van Dijk (Feb 01)
- Re: imapd/ipop3d coredump in slackware 3.4 Dave (Feb 01)
- AT&T crowds project d00mster () USA NET (Feb 02)