Using offset 1 with your exploit will prompt a root shell with version 3.0b18.

Regards,

Dan Groscost
Systems Administrator
B&B Data-Link
Phone: (440)953-1702
Fax: (440)953-0826
E-Mail: danat_private

On Tue, 30 Nov 1999, Mixter wrote:

> Greetings,
>
> There is a remote buffer overflow in the qpop 3.0 server code
> that can lead to remote root compromise. Exploit attached.
>
> Vulnerable versions are all versions of qpop 3.0b; affected operating
> systems are _all_ systems that run it. Versions 2.52 and 2.53 do not
> contain this bug. The latest version available is 3.0b20, which is
> vulnerable, along with all previous 3.0 versions.
>
> I advise everyone running qpop 3.0b servers to shut down the server
> IMMEDIATELY by disabling the entry in inetd.conf and then downgrading
> to v2.53 or another program until an official patch has been released.
>
> Details: The buffer overflow(s) are present in pop_msg.c (sounds familiar..)
> starting at line 68. All configurations and different builds seem to be
> vulnerable, as either vsprintf or sprintf are used, which both do not check
> bounds on the input buffers for each argument.
>
> Exploiting: The overflow code should not contain characters 0x0c/0x17/0x20,
> because it would get interpreted as more than one argument and hence fail.
>
> Patching: I included a small patch. You should only use unofficial patches
> if you totally need to use version 3.0; otherwise downgrade and wait for a
> patch from Qualcomm. IF you patch this by yourself, please consider that
> the buffer pointer CHANGES and the buffer is about 30 bytes LESS than the
> defined MAXLINELEN!!
>
> PS: The installation file suggests running qpopper without tcpd, e.g.:
>     pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s
> I would NOT suggest doing it that way. Use:
>     pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s
> instead. At least for me it works behind a tcp wrapper, and that way
> you can use access control and every connection _attempt_ gets logged.
>
> Mixter
>
> ________________________
> mixterat_private
> members.tripod.com/mixtersecurity
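As an added illustration (not part of Mixter's post or the qpopper source), here is the shape of the fix the patching note describes, in C: a pop_msg-style formatter where the status prefix moves the write pointer, so the bound passed to vsnprintf must be the space that is left, not MAXLINELEN. pop_msg_safe, self_check and the MAXLINELEN value are assumptions, not qpopper's own names or constants.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXLINELEN 512  /* assumed size; the real constant is in qpopper's headers */

/* Vulnerable shape from the advisory (comment only, not compiled): the status
 * prefix moves the write pointer, then vsprintf() formats with no bound:
 *     p += sprintf(p, "%s ", ok ? "+OK" : "-ERR");
 *     vsprintf(p, fmt, ap);     // argument longer than the space LEFT overflows
 * Hardened form: each write is bounded by what remains after the pointer moved.
 * Returns 0 on success, -1 if the reply does not fit (nothing written past end). */
int pop_msg_safe(char *out, size_t outlen, int ok, const char *fmt, ...)
{
    char *p = out;
    size_t remaining = outlen;
    va_list ap;
    int n;

    n = snprintf(p, remaining, "%s ", ok ? "+OK" : "-ERR");
    if (n < 0 || (size_t)n >= remaining) return -1;
    p += n; remaining -= (size_t)n;        /* pointer moved: less room is left */

    va_start(ap, fmt);
    n = vsnprintf(p, remaining, fmt, ap);  /* bounded, unlike vsprintf */
    va_end(ap);
    if (n < 0 || (size_t)n >= remaining) return -1;   /* would truncate: refuse */
    p += n; remaining -= (size_t)n;

    if (remaining < 3) return -1;          /* CRLF plus terminating NUL */
    memcpy(p, "\r\n", 3);
    return 0;
}

/* Constructed self-check: a normal reply fits; an argument twice the buffer
 * size (the class of input the advisory describes) is refused. Returns 1 if both hold. */
int self_check(void)
{
    char buf[MAXLINELEN], big[MAXLINELEN * 2];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (pop_msg_safe(buf, sizeof buf, 1, "%d messages (%d octets)", 3, 1200) != 0) return 0;
    if (strcmp(buf, "+OK 3 messages (1200 octets)\r\n") != 0) return 0;
    if (pop_msg_safe(buf, sizeof buf, 0, "%s", big) != -1) return 0;
    return 1;
}
```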
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:15:17 PDT