[13550] in bugtraq


Re: remote root qmail-pop with vpopmail advisory and exploit with

daemon@ATHENA.MIT.EDU (iv0)
Mon Jan 24 23:33:33 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <388BD67D.43E0FD4D@inter7.com>
Date:         Sun, 23 Jan 2000 22:35:09 -0600
Reply-To: iv0 <kbo@INTER7.COM>
From: iv0 <kbo@INTER7.COM>
X-To:         Adam McKenna <adam-qmail@flounder.net>
To: BUGTRAQ@SECURITYFOCUS.COM

I recommend upgrading to the latest version of vpopmail which fixes
the exploit. Pick up the current stable version:

http://www.inter7.com/vpopmail/

vchkpw, which authenticates a user with information from qmail-popup,
was storing the information in a statically defined buffer. There
was no buffer overrun checking done. The current stable version now
checks for buffer overruns in several places. A security
audit of the code is being done, which it sorely needs.

Ken Jones
http://www.inter7.com/

Adam McKenna wrote:
>
> In that case, what would you recommend?
>
> --Adam
>
> On Sun, Jan 23, 2000 at 10:53:31PM -0500, Russell Nelson wrote:
> >  > 5. Recommendation
> >  >
> >  > Impose the 40 character limitation specified by RFC1939 into qmail.
> >  > Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
> >
> > I don't recommend applying that patch.  Every line of it is wrong.  It
> > makes qmail-popup less secure, by inserting a call to syslog(), which
> > is a security disaster. It also sucks in the string library, which
> > includes the well-known security hole sprintf().
> >
> > --
> > -russ nelson <sig@russnelson.com>  http://russnelson.com
> > Crynwr sells support for free software  | PGPok | "Ask not what your country
> > 521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
> > Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.
> >
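
The kind of length check the message describes, as an added example that is not part of the original message and is not vpopmail's or qmail's code. It assumes the front end hands over the login as "user\0pass\0..." (the checkpassword-style layout) and uses the 40-character limit quoted from the advisory as the field cap; all names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 40  /* assumed cap: the 40-character limit quoted above */

struct auth_fields {
    char user[FIELD_MAX + 1];   /* fixed-size buffers, as in the message */
    char pass[FIELD_MAX + 1];
};

/* Copy one NUL-terminated field from in[*pos..len) into dst (dst_size bytes).
 * An unchecked strcpy(dst, in + *pos) here is the overrun being described. */
static int take_field(const char *in, size_t len, size_t *pos,
                      char *dst, size_t dst_size)
{
    const char *end;
    size_t n;

    if (*pos >= len) return -1;                 /* nothing left to read */
    end = memchr(in + *pos, '\0', len - *pos);
    if (end == NULL) return -1;                 /* field not terminated in input */
    n = (size_t)(end - (in + *pos));
    if (n >= dst_size) return -1;               /* would not fit: reject, never truncate */
    memcpy(dst, in + *pos, n + 1);              /* n bytes plus the terminator */
    *pos += n + 1;
    return 0;
}

/* Parse the login data received from the POP front end.
 * Returns 0 on success, -1 if any field is missing, unterminated or too long. */
int parse_auth(const char *in, size_t len, struct auth_fields *out)
{
    size_t pos = 0;

    memset(out, 0, sizeof *out);
    if (take_field(in, len, &pos, out->user, sizeof out->user) != 0) return -1;
    if (take_field(in, len, &pos, out->pass, sizeof out->pass) != 0) return -1;
    if (out->user[0] == '\0') return -1;        /* empty login name */
    return 0;
}
```

Rejecting an oversized field outright, rather than truncating it, keeps a long login name from silently matching a shorter account name.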
