Re: Linux imapd remote vulnerability.

inter (inter@BLUE.MISNET.COM)
Wed, 25 Jun 1997 01:54:29 -0500

I was waiting for something like this, a typical buffer overflow. I am not
sure however if it exists in Slackware (most Slackware boxes I have seen
don't even have imapd running by default). Anyhow, RedHat 4.1 and under are
exploitable. Just kill imapd; no real point in running
it anyhow.

On Tue, 24 Jun 1997 so1o@INSECURITY.ORG wrote:

> Hi,
>
> This may be really old news, but I haven't seen it here on BugTraq...
>
> Linux systems running the imapd server daemon can be remotely exploited
> in a way that an attacker can gain root access to the system by changing
> the root password field to being blank. I am not sure of the EXACT
> details of this hole, and so I don't know the imapd versions that can be
> exploited in this way.
>
> I have enclosed the ONLY source for this exploit that I can find
> anywhere. I have heard there are a lot of other versions, including one
> that spawns a root shell. I have this exploit in a precompiled version
> which I can safely say works (I have only tested it on a Red Hat
> machine), but I cannot obtain the source at this point for any other
> versions of the remote exploit code.

Well, it's a buffer overflow, so anything stuck in the code will run as root.

---Cut Code---

I believe even BSDI 3.0 runs the same version of imapd as is installed in
the RedHat Linux versions. BSDI 3.0 admins might want to check to see if
they are running imapd. I believe imapd is running by default on RedHat Linux
as well as BSDI servers. Welp, that's my 2 cents.

Kirby Boteler
AISC