[7068] in bugtraq
Re: patch for qpopper remote exploit bug
daemon@ATHENA.MIT.EDU (Andres Kroonmaa)
Sat Jun 27 19:08:55 1998
Date: Sat, 27 Jun 1998 21:21:13 +0300
Reply-To: Andres Kroonmaa <andre@ML.EE>
From: Andres Kroonmaa <andre@ML.EE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <001801bda19c$90fe58c0$0a00000a@litebrite-m.thetoybox.org>
On 27 Jun 98, at 3:24, Roy Hooper <rhooper@CORP.CYBERUS.CA> wrote:
> This is a simple case of the author(s) of qpopper not using vsnprintf where
> they aught to have been. I have confirmed that qpopper-2.41beta1 is indeed
> vulnerable to a remote exploit due to buffer overrun. I have not actually
> tested the exploit, but have tested (and fixed) the buffer overrun in the
> copy of qpopper running here.
>
> The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy,
> as both have the vsnprintf function. This patch is not guaranteed to solve
> the problem, but appears to do so.
>
> *** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998
> --- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998
> ***************
> *** 47,53 ****
> #endif
>
> #ifdef HAVE_VPRINTF
> ! vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
> #else
Yeah, but what about systems that do _not_ have vsnprintf()?
Using calls without bounds checks can be justified as long
as it is made dead sure that no bounds would be ever exceeded.
In current case, buffers overflow because qpopper accepts
way too long commands. Easiest fix is to limit max command
length at safer lower length during call to tgets()
----------------------------------------------------------------------
Andres Kroonmaa mail: andre@online.ee
Network Manager
Organization: MicroLink Online Tel: 6308 909
Tallinn, Sakala 19 Pho: +372 6308 909
Estonia, EE0001 http://www.online.ee Fax: +372 6308 901
----------------------------------------------------------------------
