[20885] in bugtraq
Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
daemon@ATHENA.MIT.EDU (KF)
Wed Jun 6 01:35:47 2001
Message-ID: <3B1D8A8D.D11E1360@snosoft.com>
Date: Tue, 05 Jun 2001 21:42:37 -0400
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>,
bugtraq@securityfocus.com, shatan@ihug.co.nz
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Here's the first post on this issue that I saw ... I worked to exploit it
but it actually did truncate the string somehow... This was on a version
prior to 4.0.2 I believe... I had the same result as Optium; I was
unable to write past the edx register... the logs for syslog, as I recall,
stated the string was too long and that it was truncated down to a
certain length. Perhaps Optium has more input?
-KF
To: Vuln-Dev
Subject: Qpopper 4.0 Buffer Overflow
Date: Fri Apr 20 2001 03:15:29
Author: Optium <shatan@ihug.co.nz>
Message-ID: <20010420031529.5352.qmail@securityfocus.com>
Recently I came across a buffer overflow in qpop4.0.
The overflow occurs when the input for the
command "user" is above 63 chars long. I was not
able to overflow beyond the edx due to what seems
like char filtering beyond a certain point (being 64).
example:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK
user
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA
Connection closed by foreign host.
Optium
Florian Weimer wrote:
>
> Roman Drahtmueller <draht@suse.de> writes:
>
> > We hope that this information is accurate. Version 4.0.2 is not on the ftp
> > server any more, and there is no patch from 4.0.2 to 4.0.3.
> > We currently feel handicapped in our efforts to check the code for the
> > changes wrt the buffer overflow.
>
> Fortunately, there are mirrors. The problem is that 4.0.2 discovered
> the buffer overflow attempt, even logged it via syslog(), but failed
> to actually truncate the string and copied the original one to a
> buffer of bounded length.
>
> However, I agree that removing the previous version and not providing
> a diff is extremely counterproductive.
>
> --
> Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
> University of Stuttgart http://cert.uni-stuttgart.de/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
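The pattern Florian describes for 4.0.2 (the overlength USER argument is detected and logged, but the original string is still copied into a bounded buffer) is worth seeing side by side with the real fix. The C below is an added illustration written for this archive page; it is not Qpopper's code and does not reproduce its functions. It assumes a 64-byte USER buffer, which is only an inference from Optium's "above 63 chars" observation, and it models the memory behind that buffer as a canary region inside one larger array so that the overrun can be measured without corrupting a real stack. The input is a constructed run of 'A's, matching the 128-byte line in Optium's telnet session; the "syslog" is a counter.

```c
#include <stdio.h>
#include <string.h>

#define USER_MAX    64                  /* assumed size of the bounded USER buffer */
#define CANARY_LEN  80                  /* stand-in for the memory that follows it */
#define FRAME_LEN   (USER_MAX + CANARY_LEN)
#define CANARY_BYTE 0xCC

/* The bounded buffer plus the memory behind it, in one array, so that an
 * overrun lands in the canary area instead of on the real stack. */
typedef struct { char mem[FRAME_LEN]; } frame_t;

static int log_count;                   /* stands in for the syslog() "too long" report */
void log_reset(void)   { log_count = 0; }
int  log_reports(void) { return log_count; }

static void frame_init(frame_t *f) { memset(f->mem, CANARY_BYTE, sizeof f->mem); }

/* Bytes written past USER_MAX; 0 means the copy stayed inside the buffer. */
size_t frame_clobbered(const frame_t *f) {
    size_t n = 0;
    for (size_t i = USER_MAX; i < FRAME_LEN; i++)
        if ((unsigned char)f->mem[i] != CANARY_BYTE) n++;
    return n;
}

/* The 4.0.2-style pattern from the thread: the overlength argument is
 * noticed and logged, but the original string is still copied whole.
 * Returns the length copied, or -1 when even the simulated frame is too
 * small (so this demo itself never overflows anything real). */
int copy_user_log_only(frame_t *f, const char *arg) {
    size_t len = strlen(arg);
    if (len >= USER_MAX)
        log_count++;                    /* "too long, truncated", says the log ... */
    if (len + 1 > FRAME_LEN)
        return -1;
    memcpy(f->mem, arg, len + 1);       /* ... but nothing was actually truncated */
    return (int)len;
}

/* The fix: log and really truncate, leaving room for the terminator. */
int copy_user_truncating(frame_t *f, const char *arg) {
    size_t len = strlen(arg);
    if (len >= USER_MAX) {
        log_count++;
        len = USER_MAX - 1;
    }
    memcpy(f->mem, arg, len);
    f->mem[len] = '\0';
    return (int)len;
}

/* Constructed input: n 'A's, like the 128-byte USER line in the post above.
 * Returns bytes written past USER_MAX, or (size_t)-1 if n does not fit the frame. */
static size_t run_case(int (*copy)(frame_t *, const char *), size_t n_as) {
    char arg[FRAME_LEN];
    frame_t f;
    if (n_as >= sizeof arg) return (size_t)-1;
    memset(arg, 'A', n_as);
    arg[n_as] = '\0';
    frame_init(&f);
    if (copy(&f, arg) < 0) return (size_t)-1;
    return frame_clobbered(&f);
}
size_t overrun_log_only(size_t n_as)   { return run_case(copy_user_log_only, n_as); }
size_t overrun_truncating(size_t n_as) { return run_case(copy_user_truncating, n_as); }

int main(void) {
    const size_t cases[] = { 63, 64, 128 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("USER %3zu x 'A': log-only copy overruns %2zu bytes, truncating copy %zu\n",
               cases[i], overrun_log_only(cases[i]), overrun_truncating(cases[i]));
    printf("%d overlength arguments were logged\n", log_reports());
    return 0;
}
```

The point of the comparison is the one Roman's and Florian's messages circle around: a log line saying "truncated" proves nothing unless the copy that follows uses the truncated length. With 63 'A's both routines stay in bounds; at 64 the log-only routine already writes one byte (the NUL) past the buffer, and at 128 it writes 65 bytes into whatever follows, while the truncating routine never leaves the buffer.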