Re: serious Qpopper 3.0 vulnerability

From: Dan Groscost (danat_private)
Date: Tue Nov 30 1999 - 10:00:44 PST


    Using offset 1 with your exploit will prompt a root shell with version
    3.0b18.
    
    Regards,                       Phone:   (440)953-1702
    Dan Groscost                   Fax:     (440)953-0826
    Systems Administrator          E-Mail:  danat_private
    B&B Data-Link
    
    On Tue, 30 Nov 1999, Mixter wrote:
    
    >
    > Greetings,
    >
    > There is a remote buffer overflow in the qpop 3.0 server code
    > that can lead to remote root compromise. Exploit attached.
    >
    > Vulnerable versions are all versions of qpop 3.0b,
    > affected operating systems are _all_ systems that run it.
    > Versions 2.52 and 2.53 do not contain this bug.
    > The latest version available is 3.0b20, which is vulnerable,
    > along with all previous 3.0 versions.
    >
    > I advise everyone running qpop3.0b servers to shut down the server
    > IMMEDIATELY by disabling the entry in inetd.conf and then downgrading
    > to v2.53 or another program until an official patch has been released.
    >
    > Details: The buffer overflow(s) are present in pop_msg.c (sounds familiar..)
    > starting at line 68. All configurations and different builds seem to be
    > vulnerable, as either vsprintf or sprintf is used, and neither checks
    > bounds on the input buffers for each argument.
    >
    > Exploiting: The overflow code should not contain the characters 0x0c/0x17/0x20,
    > because they would be interpreted as more than one argument and hence fail.
    >
    > Patching: I included a small patch. You should only use unofficial patches
    > if you totally need to use version 3.0, otherwise downgrade and wait for a
    > patch from Qualcomm. IF you patch this by yourself, please consider that
    > the buffer pointer CHANGES and the buffer is about 30 bytes LESS than the
    > defined MAXLINELEN!!
    >
    > PS: The installation file suggests running qpopper without tcpd, e.g.:
    > pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s
    > I would NOT suggest doing it that way. Use:
    > pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s
    > instead. At least for me it works behind a tcp wrapper, and that way,
    > you can use access control and every connection _attempt_ gets logged.
    >
    >
    > Mixter
    >
    > ________________________
    > mixterat_private
    > members.tripod.com/mixtersecurity
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:15:17 PDT