[12789] in bugtraq
Re: serious Qpopper 3.0 vulnerability
daemon@ATHENA.MIT.EDU (Dan Groscost)
Wed Dec 1 12:40:46 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.3.96.991130125657.2426C-100000@apollo.bblink.net>
Date: Tue, 30 Nov 1999 13:00:44 -0500
Reply-To: Dan Groscost <dan@APOLLO.BBLINK.NET>
From: Dan Groscost <dan@APOLLO.BBLINK.NET>
X-To: Mixter <mixter@NEWYORKOFFICE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.04.9911300056540.6421-300000@aviation.net>
Using offset 1 with your exploit will prompt a root shell with version
3.0b18.
Regards,
Dan Groscost
Systems Administrator
B&B Data-Link
Phone: (440)953-1702
Fax: (440)953-0826
E-Mail: dan@bblink.net
On Tue, 30 Nov 1999, Mixter wrote:
>
> Greetings,
>
> There is a remote buffer overflow in the qpop 3.0 server code
> that can lead to remote root compromise. Exploit attached.
>
> Vulnerable versions are all versions of qpop 3.0b,
> affected operating systems are _all_ systems that run it.
> Versions 2.52 and 2.53 do not contain this bug.
> The latest version available is 3.0b20, which is vulnerable,
> along with all previous 3.0 versions.
>
> I advise everyone running qpop3.0b servers to shut down the server
> IMMEDIATELY by disabling the entry in inetd.conf and then downgrading
> to v2.53 or another program until an official patch has been released.
>
> Details: The buffer overflow(s) are present in pop_msg.c (sounds familiar..)
> starting at line 68. All configurations and different builds seem to be
> vulnerable, as either vsprintf or sprintf are used, which both do not check
> bounds on the input buffers for each argument.
>
> Exploiting: The overflow code should not contain characters 0x0c/x17/x20,
> because it would get interpreted as more than one argument and hence fail.
>
> Patching: I included a small patch. You should only use unofficial patches
> if you totally need to use version 3.0, otherwise downgrade and wait for a
> patch from Qualcomm. IF you patch this by yourself, please consider that
> the buffer pointer CHANGES and the buffer is about 30 bytes LESS than the
> defined MAXLINELEN!!
>
> PS: The installation file suggests running qpopper without tcpd, e.g.:
> pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s
> I would NOT suggest doing it that way. Use:
> pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s
> instead. At least for me it works behind a tcp wrapper, and that way,
> you can use access control and every connection _attempt_ gets logged.
>
>
> Mixter
>
> ________________________
> mixter@newyorkoffice.com
> members.tripod.com/mixtersecurity
>
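As an added example (not Mixter's patch and not qpopper's own code), the bound-tracking pattern his patching note calls for: the reply prefix is written first, so the buffer pointer advances and the length handed to vsnprintf must be the room that remains, not the full MAXLINELEN. The MAXLINELEN value, function names and message strings are assumptions for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXLINELEN 256  /* constructed size for the demo, not qpopper's value */

/* Format "+OK <msg>\r\n" or "-ERR <msg>\r\n" into buf (buflen bytes).
 * Returns the line length, or -1 if the message was truncated (the buffer
 * then still holds a NUL-terminated, CRLF-ended line of at most buflen-1). */
int pop_reply(char *buf, size_t buflen, int ok, const char *fmt, ...)
{
    const char *prefix = ok ? "+OK " : "-ERR ";
    size_t used = strlen(prefix);
    if (buflen <= used + 3) return -1;     /* no room for prefix + CRLF + NUL */
    memcpy(buf, prefix, used);
    char *mp = buf + used;                 /* pointer moved: the bound shrinks */
    size_t room = buflen - used - 3;       /* reserve CRLF and terminating NUL */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(mp, room + 1, fmt, ap);   /* room + 1 counts the NUL */
    va_end(ap);
    if (n < 0) return -1;
    int truncated = (size_t)n > room;      /* vsnprintf reports the full length */
    if (truncated) n = (int)room;
    mp += n;
    mp[0] = '\r'; mp[1] = '\n'; mp[2] = '\0';
    return truncated ? -1 : (int)(mp + 2 - buf);
}

static char g_line[MAXLINELEN];
int fmt_line(int ok, const char *msg) { return pop_reply(g_line, sizeof g_line, ok, "%s", msg); }
const char *last_line(void) { return g_line; }

/* Self-check: an over-long message must be truncated, reported as such, still
 * CRLF-terminated, and must never touch the guard byte past the buffer. */
int pop_reply_check(void)
{
    char guarded[MAXLINELEN + 1];
    char big[2 * MAXLINELEN];              /* constructed oversized argument */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    guarded[MAXLINELEN] = 'G';             /* canary just past the real buffer */
    int r = pop_reply(guarded, MAXLINELEN, 0, "%s", big);
    size_t len = strlen(guarded);
    return r == -1 && guarded[MAXLINELEN] == 'G' && len == MAXLINELEN - 1
        && guarded[len - 2] == '\r' && guarded[len - 1] == '\n';
}

int main(void)
{
    printf("check=%d len=%d %s", pop_reply_check(),
           fmt_line(1, "2 messages (320 octets)"), last_line());
    return 0;
}
```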