[13009] in bugtraq


Re: [lucid@TERRA.NEBULA.ORG: qpop3.0b20 and below - notes and

daemon@ATHENA.MIT.EDU (Maurycy Prodeus)
Fri Dec 17 12:53:11 1999

Message-Id:  <19991217130838.5137.qmail@tenet.pl>
Date:         Fri, 17 Dec 1999 13:08:38 -0000
Reply-To: z33d@TENET.PL
From: Maurycy Prodeus <z33d@TENET.PL>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

> These bugs only affected 3.0 betas.
Bullshit ... ;P
In pop_euidl() in file pop_uidl.c (qpop-2.53):

    } else {

        sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
        if (nl = index(buffer, NEWLINE)) *nl = 0;
        sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp));
        return (pop_msg (p,POP_SUCCESS, buffer)); <-- *here*
      }

It looks good, but .... ;P

pop_msg(POP *p, int stat, const char *format, ...)

So this function needs a format and some other data.
Luckily for the greatest Qualcomm, qpop changes privs so we have only gid mail,
but if we have a non-shell account, we can "get" a shell ...
Of course it's hard to exploit. (Probably we must change some ret ... and put
there the address of shellcode, but there are a few problems ... but in general I think
it is POSSIBLE :] )

-= SOLUTION =-

I wrote a patch for qpop-2.53 ...

-> cut here <-

--- pop_uidl.c	Thu Oct  7 02:02:44 1999
+++ pop_uidl.c	Sat Oct  9 20:34:00 1999
@@ -59,7 +59,7 @@

 	sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
         if (nl = index(buffer, NEWLINE)) *nl = 0;
-	return (pop_msg (p,POP_SUCCESS, buffer));
+	return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
       }
     } else {
 	/* yes, we can do this */
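Review bot: the `// patched by z33d` trailing comment on the `+` line is a C++/C99-style comment in a C source file that predates C99; compilers run in `-ansi`/`-pedantic` mode will reject it, so `/* patched by z33d */` is the safer spelling. The substance of the change is correct: passing `"%s"` as the format keeps the UIDL data out of the format argument. The unchanged `sprintf(buffer, "%d %s", msg_id, mp->uidl_str);` context line above it remains an unbounded copy of the same data, so a sized `snprintf(buffer, sizeof buffer, ...)` would be a sensible follow-up in the same spot.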
@@ -149,7 +149,7 @@
 	sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
         if (nl = index(buffer, NEWLINE)) *nl = 0;
 	sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
-	return (pop_msg (p,POP_SUCCESS, buffer));
+	return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
       }
     } else {
 	/* yes, we can do this */
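Review bot: the context line `sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));` uses `buffer` as both the destination and a source argument; overlapping source and destination is undefined behaviour for sprintf, so while this function is being fixed it is worth appending instead, e.g. `sprintf(buffer + strlen(buffer), " %d %.128s", mp->length, from_hdr(p, mp));` (or a bounded snprintf equivalent). The `// patched by z33d` comment on the `+` line is also a C++/C99-style comment that strict C89 builds reject; `/* ... */` avoids that.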

-> cut here <-

- Maurycy Prodeus , z33d@tenet.pl -
*******************************************************************************
*
* z33d@tenet.pl
*
* o Whose motorcycle is that?
* x That's not a motorcycle, it's a Harley ...
* o So whose Harley is it?
* x Zed's ...
* <-- pulp fiction
*
*******************************************************************************
<--> I wish I was your SYSADM, just call :)
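As an added example (not part of the post above and not Qpopper's own code), here is a stand-alone C rendering of the corrected pattern: a stand-in pop_msg() carrying a printf format attribute so that gcc/clang with -Wformat -Wformat-security flag a call that passes a data buffer as the format, plus a bounded rewrite of the reply assembly that passes the line as a "%s" argument. The POP struct, pop_msg(), euidl_reply() and the buffer sizes are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define POP_SUCCESS 1   /* stand-in value; the real header defines its own */
#define NEWLINE '\n'

/* Minimal stand-in for Qpopper's POP state: only a reply buffer is needed here. */
typedef struct { char reply[256]; } POP;

/* Stand-in for pop_msg(): formats into p->reply. The format attribute makes
   the compiler warn when a non-literal string is passed as the format, i.e.
   the pop_msg(p, POP_SUCCESS, buffer) pattern discussed in the post. */
__attribute__((format(printf, 3, 4)))
static int pop_msg(POP *p, int stat, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(p->reply, sizeof p->reply, format, ap);
    va_end(ap);
    return stat;
}

/* Corrected tail of pop_euidl(): bounded snprintf instead of sprintf, the
   newline stripped, the length appended in place rather than by sprintf'ing
   buffer onto itself, and the assembled line passed as an argument to "%s".
   uidl_str comes from message headers, so it is treated as untrusted. */
static int euidl_reply(POP *p, int msg_id, const char *uidl_str, long length)
{
    char buffer[256];
    char *nl;
    size_t used;

    snprintf(buffer, sizeof buffer, "%d %s", msg_id, uidl_str);
    if ((nl = strchr(buffer, NEWLINE)) != NULL)   /* strchr: portable index() */
        *nl = '\0';
    used = strlen(buffer);
    snprintf(buffer + used, sizeof buffer - used, " %ld", length);
    return pop_msg(p, POP_SUCCESS, "%s", buffer);
}

int main(void)
{
    POP p;
    /* Constructed UIDL carrying printf directives and an embedded newline. */
    euidl_reply(&p, 7, "abc%x%n\nrest", 1234);
    puts(p.reply);   /* prints: 7 abc%x%n 1234 */
    return 0;
}
```

Changing the last line of euidl_reply() back to `pop_msg(p, POP_SUCCESS, buffer)` reproduces the warning "format not a string literal and no format arguments" under -Wformat-security, which is the check a build should keep enabled.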
