Re: patch for qpopper remote exploit bug

From: Jon Lusky (luskyat_private)
Date: Sat Jun 27 1998 - 16:41:46 PDT


    Andres Kroonmaa writes:
    >  Yeah, but what about systems that do _not_ have vsnprintf()?
    >  Using calls without bounds checks can be justified as long
    >  as it is made dead sure that no bounds would be ever exceeded.
    >
    >  In current case, buffers overflow because qpopper accepts
    >  way too long commands. Easiest fix is to limit max command
    >  length at safer lower length during call to tgets()
    
    Here is what I am using...  I changed the length passed to tgets,
    and put some logging code in myfgets().
    
    
    *** ../qpopper2.41beta1/popper.c        Wed Nov 19 16:20:38 1997
    --- popper.c    Fri Jun 26 00:05:57 1998
    ***************
    *** 46,51 ****
    --- 46,61 ----
      char * strerror();
      #endif
    
    + #if HAVE_SYS_NETINET_IN_H
    + # include <sys/netinet/in.h>
    + #endif
    + #if HAVE_NETINET_IN_H
    + # include <netinet/in.h>
    + #endif
    +
    + #include <netdb.h>
    + #include <arpa/inet.h>
    +
      extern  state_table *   pop_get_command();
      int hangup = FALSE ;
      int catchSIGHUP();
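Review bot: The code added to myfgets() further down calls getpeername() and syslog(), but neither `<sys/socket.h>` nor `<syslog.h>` is among the headers introduced here; unless popper.h already pulls them in, `#include <sys/socket.h>` and `#include <syslog.h>` belong next to `<netdb.h>`. The two netinet/in.h variants are configure-guarded while `<netdb.h>` and `<arpa/inet.h>` are unconditional, so a one-line comment stating that the latter are assumed present on every supported platform would save the next porter a guess.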
    ***************
    *** 55,60 ****
    --- 65,72 ----
    
      FILE *debuglog;
    
    + #define MAXINPUTLEN 80
    +
      /*
       *  popper: Handle a Post Office Protocol version 3 session
       */
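Review bot: `MAXINPUTLEN 80` is a bare number with nothing tying it to the protocol or to the buffer it bounds. RFC 1939 allows a four-character keyword and arguments of up to 40 characters, so a maximal `APOP name digest` line (4 + 1 + 40 + 1 + 32 + CRLF) is 80 octets, one more than the 79 that tgets() can store under this limit if, as the read loop outside this hunk appears to do, every byte up to and including the newline is kept; legitimate long logins would then be truncated. I would derive the value from the protocol and document the invariant, e.g. `#define MAXINPUTLEN 256 /* longest POP3 command line accepted; must stay below the size of the message buffer handed to tgets() */`, where that buffer is declared outside this patch.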
    ***************
    *** 123,129 ****
                  pop_msg(&p, POP_FAILURE,"POP mailbox restoration failed.",p.myhost);
      #endif
                  p.CurrentState = error;
    !         } else if (tgets(message,MAXLINELEN,p.input,pop_timeout) == NULL) {
                if (poptimeout) {
                      if (p.xmitting) pop_xmit_clean(&p);
                    pop_msg(&p,POP_FAILURE,"POP timeout",p.myhost);
    --- 135,141 ----
                  pop_msg(&p, POP_FAILURE,"POP mailbox restoration failed.",p.myhost);
      #endif
                  p.CurrentState = error;
    !         } else if (tgets(message,MAXINPUTLEN,p.input,pop_timeout) == NULL) {
                if (poptimeout) {
                      if (p.xmitting) pop_xmit_clean(&p);
                    pop_msg(&p,POP_FAILURE,"POP timeout",p.myhost);
    ***************
    *** 196,202 ****
    --- 208,219 ----
            char ch;
            int nbytes;
            int found_nl = 0;
    +       char msgbuf[500];
    +       struct sockaddr_in      cs;
    +       int                     sp = 0;
    +       int                     len;
    
    +
            cp = str;
    
            while (--size > 0) {
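Review bot: `sp = 0` hard-codes descriptor 0 as the client socket, which only holds when popper is started by inetd with the connection on stdin; in any other mode getpeername() fails and, with the exit(1) added in the next hunk, a single long line then ends the session. If the FILE * that myfgets() reads from is in scope (its signature lies outside this hunk), `fileno()` of that stream is the descriptor to query. `len` is passed as the address-length argument of getpeername(); `socklen_t len;` is the portable declaration where that type exists. myfgets() starts before and ends after this hunk.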
    ***************
    *** 210,216 ****
                }
                ++cp;
            }
    !
            if ((nbytes <= 0) || (cp == str)) {
                return(NULL);
            } else {
    --- 227,240 ----
                }
                ++cp;
            }
    !       if (size == 0) {
    !               len = sizeof(cs);
    !               if (getpeername(sp,(struct sockaddr *)&cs,&len) < 0){
    !                       exit(1);
    !               }
    !               sprintf(msgbuf,"LONG POPPER COMMAND from %s - %s (truncated)",strdup(inet_ntoa(cs.sin_addr)),str);
    !               syslog(LOG_ALERT,"%s",msgbuf);
    !       }
            if ((nbytes <= 0) || (cp == str)) {
                return(NULL);
            } else {
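Review bot: At the sprintf() call `str` holds `cp - str` bytes but, as far as the hunk shows, no terminator has been written yet (that appears to happen in the else branch below, outside the hunk), so `%s` reads whatever follows in the caller's buffer and can overflow `msgbuf[500]` despite the 79-byte input cap. The strdup() is also unnecessary and leaks one allocation per long line, and a NULL return from it would be handed to `%s`. Both go away by logging with an explicit length and no intermediate buffer: `syslog(LOG_ALERT, "LONG POPPER COMMAND from %s - %.*s (truncated)", inet_ntoa(cs.sin_addr), (int)(cp - str), str);`. Separately, `exit(1)` turns a getpeername() failure into a dropped session; log the event without the address instead. Finally, the unread remainder of the over-long line stays in the input and will be returned by the next tgets() call as a fresh command, so after logging I would discard bytes up to the next newline (or read failure) and return NULL rather than falling through to the normal return path.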
    
    --
       Jonathan R. Lusky    |         Voyager Online LLC
    Senior Network Engineer |   (423) 209-2929 / (800) 864-0442
         luskyat_private      | Nationwide 64K Dialup ISDN $26.95/mo
     http://www.hotrod.com  |         http://www.vol.com
    


