-----BEGIN PGP SIGNED MESSAGE-----

> Date: Sat, 27 Jun 1998 21:21:13 +0300
> From: Andres Kroonmaa <andreat_private>
> To: BUGTRAQat_private
> Subject: Re: patch for qpopper remote exploit bug
>
> On 27 Jun 98, at 3:24, Roy Hooper <rhooperat_private> wrote:
>
> > This is a simple case of the author(s) of qpopper not using vsnprintf where
> > they ought to have been. I have confirmed that qpopper-2.41beta1 is indeed
> > vulnerable to a remote exploit due to buffer overrun. I have not actually
> > tested the exploit, but have tested (and fixed) the buffer overrun in the
> > copy of qpopper running here.
>
> Yeah, but what about systems that do _not_ have vsnprintf()?
> Using calls without bounds checks can be justified as long
> as it is made dead sure that no bounds would be ever exceeded.

Digital Unix 3.2G does not seem to have either vsnprintf or snprintf. However,
qpopper under Digital Unix 3.2G does not seem to show the vulnerability as
discussed on this list even though it contains the vulnerable code.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <32482.898994635@machine>
- -ERR Unknown command: "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeee".
+OK Pop server at machine signing off.

And I get a log with that message. Since I do not trust that there is not
another way to exploit it, I decided to rewrite it anyways until a patch from
Qualcomm becomes available.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <29494.898995337@machine>
- -ERR String too long
+OK Pop server at machine signing off.

It is a really ugly patch that replaces vsprintf with vfprintf and outputs to a
file and then reads in from that file.
*** pop_msg.c Sat Jun 27 17:53:55 1998 - --- pop_msg.c.orig Sat Jun 27 14:01:49 1998 *************** *** 35,43 **** #endif char message[MAXLINELEN]; - - FILE* vprint_file; - - char vprint_temp[101]; - - va_start(ap); p = va_arg(ap, POP *); stat = va_arg(ap, int); - --- 35,40 ---- *************** *** 66,86 **** /* Append the message (formatted, if necessary) */ if (format) #ifdef HAVE_VPRINTF ! vprint_file = tmpfile(); ! vfprintf(vprint_file,format,ap); ! rewind(vprint_file); ! fscanf(vprint_file, "%100s", mp); ! while(fscanf(vprint_file, "%100s", vprint_temp) != EOF) ! { ! if (strlen(mp) + strlen(vprint_temp) + 4 > MAXLINELEN) ! { ! strcpy(mp, "String too long"); ! break; ! } ! ! strcat(mp, " "); ! strcat(mp, vprint_temp); ! } #else # ifdef PYRAMID (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6); - --- 63,69 ---- /* Append the message (formatted, if necessary) */ if (format) #ifdef HAVE_VPRINTF ! vsprintf(mp,format,ap); #else # ifdef PYRAMID (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6); *************** *** 90,96 **** # endif #endif va_end(ap); ! /* Log the message if debugging is turned on */ #ifdef DEBUG if (p->debug && stat == POP_SUCCESS) - --- 73,79 ---- # endif #endif va_end(ap); ! /* Log the message if debugging is turned on */ #ifdef DEBUG if (p->debug && stat == POP_SUCCESS) *** pop_log.c Sat Jun 27 17:54:09 1998 - --- pop_log.c.orig Sat Jun 27 17:10:10 1998 *************** *** 33,41 **** char * date_time; time_t clock; - - FILE* vprint_file; - - char vprint_temp[101]; - - va_start(ap); p = va_arg(ap,POP *); stat = va_arg(ap,int); - --- 33,38 ---- *************** *** 50,70 **** #endif #ifdef HAVE_VPRINTF ! vprint_file = tmpfile(); ! vfprintf(vprint_file,format,ap); ! rewind(vprint_file); ! fscanf(vprint_file, "%100s", msgbuf); ! while(fscanf(vprint_file, "%100s", vprint_temp) != EOF) ! { ! if (strlen(msgbuf) + strlen(vprint_temp) + 4 > MAXLINELEN) ! { ! strcpy(msgbuf, "String too long"); ! break; ! } ! ! strcat(msgbuf, " "); ! 
strcat(msgbuf, vprint_temp); ! } #else # ifdef PYRAMID (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6); - --- 47,53 ---- #endif #ifdef HAVE_VPRINTF ! vsprintf(msgbuf,format,ap); #else # ifdef PYRAMID (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);

And I also applied the UIDL patch given on this mailing list earlier today.

Benjamin J. Stassart
- ------------------------------------------------+
A great many people think they are thinking     |
when they are merely rearranging their          |
prejudices                                      |

-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

iQCVAwUBNZWdlpePz5nhUoJ9AQFsHAP7BaKCmfXZuq+0mYOwB7YKBMHNdcT8jnyK
V5NVfFKeP2QGgz8BPvZbWDFViBbuG2e4EFvORsahD0E+L5v8nY4h45XB38pHkO+C
7UsAcT+ouwhXWLIs3W0yKpHIAbdziLx1Zgxscjfqqauedt5+7wT1E6IZSJ+vmgRv
mSm8LiWpiiE=
=2ViR
-----END PGP SIGNATURE-----
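Review bot: in the pop_msg.c hunk at lines 35-43, `char vprint_temp[101];` is sized correctly for the `"%100s"` conversions used later in the same file (100 characters plus the terminator), but the two numbers are only related by convention; defining the width once (for example a hypothetical `VPRINT_CHUNK` macro used to build both the array size and the scanf format) keeps them from drifting apart. The same applies to the identical declarations added to pop_log.c at lines 33-41.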
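Review bot: in the pop_msg.c hunk at lines 66-86, `fscanf(vprint_file, "%100s", mp)` rewrites the message instead of merely bounding it: `%s` skips and collapses every run of whitespace and splits any token longer than 100 characters, so a formatted message comes back as 100-character pieces joined by single spaces, and a message containing a tab or a double space is altered before it reaches the client. Reading the bytes back with `fread()` after an `ftell()` length check would bound the copy without changing its content. Two checks are also missing: `tmpfile()` can return NULL (a full or unwritable temporary directory), after which `vfprintf(vprint_file,format,ap);` dereferences a null pointer, and the return value of the first `fscanf()` is ignored, so an empty formatted message leaves `mp` holding whatever was in the buffer before. Finally, the bound `strlen(mp) + strlen(vprint_temp) + 4 > MAXLINELEN` is measured from `mp`, while the buffer declared in this file is `char message[MAXLINELEN];`; if `mp` points past a prefix already written into `message`, that prefix is not counted, so the comparison should be against the space remaining after `mp`, not the whole buffer size.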
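Review bot: the pop_msg.c hunk at lines 90-96 changes nothing but whitespace (`! /* Log the message if debugging is turned on */` appears identically on both sides); drop it from the patch so reviewers only see the functional change.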
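Review bot: the pop_log.c hunk at lines 50-70 duplicates the pop_msg.c loop verbatim with `msgbuf` in place of `mp`, so it carries the same defects: no NULL check on `tmpfile()` before `vfprintf(vprint_file,format,ap);`, the `"%100s"` tokenising that collapses whitespace and splits long tokens, and an ignored return value from the first `fscanf()`. Since both files need exactly the same bounded formatting, factor it into one shared helper selected under `#ifdef HAVE_VPRINTF` so a later correction only has to be made once; note also that every log message through this path now costs a temporary file, which is a real per-message overhead in a network daemon.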
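The quoted exchange above turns on how to bound a formatted message on a system that has no vsnprintf(). As an added example, not code from this post or from qpopper, here is a bounded formatter that follows the same tmpfile()/vfprintf() route as the posted patch but reads the formatted bytes back verbatim, checks every call, and deducts the reply prefix from the space it offers. The value of MAXLINELEN, the names bounded_vformat, bounded_format and build_reply, and the sample inputs are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same macro name as qpopper's message buffer; 512 is an assumed value. */
#define MAXLINELEN 512

/* Return codes of the bounded formatter (names chosen for this example). */
enum { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = -1 };

/*
 * Bounded replacement for vsprintf() on a system without vsnprintf().
 * Like the posted patch it formats into a temporary file, but it then
 * measures the output with ftell() and copies the bytes back with fread(),
 * so whitespace and long tokens survive intact and dst is never overrun.
 * dstsize is the full size of dst, including room for the terminator.
 */
static int bounded_vformat(char *dst, size_t dstsize, const char *format, va_list ap)
{
    FILE *tmp;
    long len;
    size_t got;

    if (dst == NULL || dstsize == 0)
        return FMT_ERROR;
    dst[0] = '\0';

    tmp = tmpfile();                 /* the patch never checks this result */
    if (tmp == NULL)
        return FMT_ERROR;

    if (vfprintf(tmp, format, ap) < 0 || (len = ftell(tmp)) < 0) {
        fclose(tmp);
        return FMT_ERROR;
    }
    rewind(tmp);

    if ((unsigned long)len >= dstsize) {
        /* Does not fit: refuse the message, as the patch does, instead of overrunning. */
        fclose(tmp);
        strncpy(dst, "String too long", dstsize - 1);
        dst[dstsize - 1] = '\0';
        return FMT_TRUNCATED;
    }

    got = fread(dst, 1, (size_t)len, tmp);
    fclose(tmp);
    dst[got] = '\0';
    return got == (size_t)len ? FMT_OK : FMT_ERROR;
}

/* Variadic wrapper, the shape pop_msg()/pop_log() would call. */
int bounded_format(char *dst, size_t dstsize, const char *format, ...)
{
    va_list ap;
    int rc;

    va_start(ap, format);
    rc = bounded_vformat(dst, dstsize, format, ap);
    va_end(ap);
    return rc;
}

/*
 * Build a POP reply the way pop_msg() does: a fixed prefix ("+OK " or "-ERR ")
 * followed by the formatted text, all in one MAXLINELEN buffer. The prefix
 * length is subtracted from the space offered to the formatter, which is the
 * accounting a bound measured from the middle of the buffer leaves out.
 */
int build_reply(char *message, size_t size, const char *prefix, const char *format, ...)
{
    size_t plen = strlen(prefix);
    va_list ap;
    int rc;

    if (plen >= size)
        return FMT_ERROR;
    memcpy(message, prefix, plen + 1);

    va_start(ap, format);
    rc = bounded_vformat(message + plen, size - plen, format, ap);
    va_end(ap);
    return rc;
}

int main(void)
{
    char message[MAXLINELEN];
    char command[2001];              /* constructed input: the 2000 'e' probe from the post */

    memset(command, 'e', 2000);
    command[2000] = '\0';

    build_reply(message, sizeof message, "-ERR ", "Unknown command: \"%s\"", command);
    printf("%s\n", message);         /* -ERR String too long */

    build_reply(message, sizeof message, "+OK ", "%d messages (%ld octets)", 3, 1024L);
    printf("%s\n", message);         /* +OK 3 messages (1024 octets) */
    return 0;
}
```

Unlike the %100s loop in the patch, a message such as "a  b\tc" comes back byte for byte, and the refusal only triggers when the formatted text plus its terminator would not fit in the space actually left after the prefix. On a platform that does have vsnprintf(), the body of bounded_vformat reduces to a single vsnprintf() call whose return value is compared against dstsize in the same way.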