Here's the first post on this issue that I saw ... I worked to exploit it but it actually did truncate the string somehow... This was on a version prior to 4.0.2 I believe... I had the same result as Optium, I was unable to write past the edx register... the logs for syslog as I recall stated the string was too long and that it was truncated down to a certain length. Perhaps Optium has more input?

-KF

To: Vuln-Dev
Subject: Qpopper 4.0 Buffer Overflow
Date: Fri Apr 20 2001 03:15:29
Author: Optium <shatanat_private>
Message-ID: <20010420031529.5352.qmailat_private>

Recently I came across a buffer overflow in qpop4.0. The overflow occurs when the input for the command "user" is above 63 chars long. I was not able to overflow beyond the edx due to what seems like char filtering beyond a certain point (being 64).

example :

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK
user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA
Connection closed by foreign host.

Optium

Florian Weimer wrote:
>
> Roman Drahtmueller <drahtat_private> writes:
>
> > We hope that this information is accurate. Version 4.0.2 is not on the ftp
> > server any more, and there is no patch from 4.0.2 to 4.0.3.
> > We currently feel handicapped in our efforts to check the code for the
> > changes wrt the buffer overflow.
>
> Fortunately, there are mirrors. The problem is that 4.0.2 discovered
> the buffer overflow attempt, even logged it via syslog(), but failed
> to actually truncate the string and copied the original one to a
> buffer of bounded length.
>
> However, I agree that removing the previous version and not providing
> a diff is extremely counterproductive.
>
> --
> Florian Weimer Florian.Weimerat_private-Stuttgart.DE
> University of Stuttgart http://cert.uni-stuttgart.de/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
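The failure mode Florian describes above (the length check fires and logs via syslog(), but the copy into the bounded buffer still uses the original, untruncated string) is a pattern worth testing for directly. The following is an added illustration written for this archive page; it is not qpopper source and does not reproduce its USER handling. It assumes the 63-character limit mentioned in the thread, replaces syslog() with a counter so a test can observe it, and places a sentinel after the buffer so a unit test can confirm the copy stays in bounds without relying on undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit, taken from the thread: arguments longer than 63 characters
 * overflowed, so the bounded buffer is modelled as 63 characters plus NUL. */
#define USER_MAX 63

/* Stand-in for syslog(): counts warnings so a test can check that logging
 * and truncation happen together, never one without the other. */
static int warnings_logged = 0;
static void log_truncation(size_t got, size_t limit)
{
    warnings_logged++;
    fprintf(stderr, "warning: argument is %zu bytes, truncating to %zu\n", got, limit);
}

/* Copy src into dst (dstsize bytes including the terminating NUL).
 * The same bound drives both the warning and the copy length, which is the
 * step the thread says 4.0.2 omitted. Returns 1 if the input was truncated. */
int copy_user_arg(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    size_t limit = dstsize - 1;
    int truncated = 0;

    if (len > limit) {
        log_truncation(len, limit);
        len = limit;            /* actually shorten what gets copied */
        truncated = 1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return truncated;
}

/* Buffer followed by a sentinel value. If a copy routine writes past
 * the buffer, the sentinel changes and the test can report it. */
#define CANARY_VALUE 0xC0FFEE42u
struct guarded_buf {
    char user[USER_MAX + 1];
    unsigned int canary;
};

/* Feed copy_user_arg a constructed argument of n 'A' characters and report
 * how many characters were stored, or -1 if the sentinel was disturbed. */
int check_copy(size_t n)
{
    char input[512];
    struct guarded_buf g;

    if (n >= sizeof input)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';

    g.canary = CANARY_VALUE;
    copy_user_arg(g.user, sizeof g.user, input);
    if (g.canary != CANARY_VALUE)
        return -1;
    return (int)strlen(g.user);
}

int main(void)
{
    printf("10 chars  -> stored %d\n", check_copy(10));
    printf("128 chars -> stored %d (warnings so far: %d)\n",
           check_copy(128), warnings_logged);
    return 0;
}
```

The point of the sentinel test is that a routine which only logs, like the one described for 4.0.2, would still pass a "did it warn?" check; tying the assertion to the stored length and the intact sentinel catches the missing truncation step.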
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 22:36:19 PDT