Hi there

> After applying all the patches with exception of the PAM patch in the
> .RPM'd version of qpopper2.4.src, I have located yet another hole in qpopper.
>
> This popper was compiled with -DAUTH in the makefile.

[examples snipped]

> Then, I decided to try a VALID username:
>
> [OverKill]:/$ telnet localhost pop3
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK QPOP (version 2.4) at Victim.Com starting.
> user valid
> +OK Password required for valid.
> pass [long line of X truncated]
> Connection closed by foreign host.
>
> It segfaulted and dumped core.

Seems the PAM patches protect this, because here (I use PAM) it didn't work:

$ telnet poor.victim.com 110
Trying poor.victim.ip.address...
Connected to poor.victim.com.
Escape character is '^]'.
+OK QPOP (version 2.4) at poor.victim.com starting.
user valid
+OK Password required for valid.
pass [long line of X stripped]
-ERR Password supplied for "valid" is incorrect.
+OK Pop server at poor.victim.com signing off.
Connection closed by foreign host.

And the attempt was logged (although not different from a "normal" one):

Jun 29 08:42:29 poor in.qpopper[4612]: validat_private: -ERR Password supplied for "poor" is incorrect.
Jun 29 08:42:29 poor in.qpopper[4612]: Failed attempted login to poor from host poor.victim.com

> Looks like basically that if the parser sees that the command was actually
> a password argument, it doesn't send it through the truncate code.

I didn't look into it, but I suspect the PAM patches change the default of -DAUTH.

BTW, qpopper development seems halted. Has any of you contacted Qualcomm about these problems?

!3runo
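Since the post notes that an overlong PASS argument logs exactly like an ordinary wrong password, what a defender can still do is watch the qpopper syslog lines for failure rates per source host. The following is an added example, not code from the post or from qpopper; the log lines are constructed in the format quoted above, and the threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the qpopper 2.4 format quoted in the post
# (not real captures); one burst from poor.victim.com and one stray failure.
SAMPLE_LOG = """\
Jun 29 08:42:29 poor in.qpopper[4612]: validat_private: -ERR Password supplied for "poor" is incorrect.
Jun 29 08:42:29 poor in.qpopper[4612]: Failed attempted login to poor from host poor.victim.com
Jun 29 08:42:31 poor in.qpopper[4613]: Failed attempted login to poor from host poor.victim.com
Jun 29 08:42:33 poor in.qpopper[4614]: Failed attempted login to valid from host poor.victim.com
Jun 29 08:42:35 poor in.qpopper[4615]: Failed attempted login to valid from host poor.victim.com
Jun 29 09:10:02 poor in.qpopper[4700]: Failed attempted login to alice from host mail.example.net
"""

# Matches the "Failed attempted login" line; the preceding validat_private line
# carries the same pid but no host, so it is not needed for counting.
FAILED_RE = re.compile(
    r"in\.qpopper\[(?P<pid>\d+)\]: Failed attempted login to "
    r"(?P<user>\S+) from host (?P<host>\S+)"
)


def parse_failed_logins(text):
    """Return a list of (pid, user, host) tuples, one per failed login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("pid"), m.group("user"), m.group("host")))
    return events


def hosts_over_threshold(events, threshold=3):
    """Count failures per source host; return {host: count} for hosts at or
    above the (assumed) threshold. A single overflow attempt is invisible here,
    but repeated probing from one host is not."""
    counts = Counter(host for _pid, _user, host in events)
    return {h: n for h, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    for host, n in hosts_over_threshold(evs).items():
        print(f"{host}: {n} failed POP3 logins")
```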
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:43 PDT