Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)

From: KF (dotslashat_private)
Date: Tue Jun 05 2001 - 18:42:37 PDT


    Here's the first post on this issue that I saw ... I worked to exploit it
    but it actually did truncate the string somehow... This was on a version
    prior to 4.0.2 I believe... I had the same result as Optium, I was
    unable to write past the edx register... the logs for syslog as I recall
    stated the string was too long and that it was truncated down to a
    certain length. Perhaps Optium has more input?
    
    -KF 
    
    To:         Vuln-Dev
    Subject:    Qpopper 4.0 Buffer Overflow
    Date:       Fri Apr 20 2001 03:15:29
    Author:     Optium < shatanat_private >
    Message-ID: <20010420031529.5352.qmailat_private>
    
    
    Recently I came across a buffer overflow in qpop4.0.
    The overflow occurs when the input for the
    command "user" is above 63 chars long. I was not
    able to overflow beyond the edx due to what seems
    like char filtering beyond a certain point (being 64).
    
    example:
     Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    +OK 
    user 
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAA
    Connection closed by foreign host.
    
    Optium
    
    Florian Weimer wrote:
    > 
    > Roman Drahtmueller <drahtat_private> writes:
    > 
    > > We hope that this information is accurate. Version 4.0.2 is not on the ftp
    > > server any more, and there is no patch from 4.0.2 to 4.0.3.
    > > We currently feel handicapped in our efforts to check the code for the
    > > changes wrt the buffer overflow.
    > 
    > Fortunately, there are mirrors.  The problem is that 4.0.2 discovered
    > the buffer overflow attempt, even logged it via syslog(), but failed
    > to actually truncate the string and copied the original one to a
    > buffer of bounded length.
    > 
    > However, I agree that removing the previous version and not providing
    > a diff is extremely counterproductive.
    > 
    > --
    > Florian Weimer                    Florian.Weimerat_private-Stuttgart.DE
    > University of Stuttgart           http://cert.uni-stuttgart.de/
    > RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
    
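    As an added illustration (not code from qpopper or from anyone in this thread), here is a bounded handler for the POP3 USER argument in C that separates detecting an overlong name from enforcing the bound, which is the distinction Florian's description of 4.0.2 turns on. The 64-byte buffer size is an assumption taken from the "above 63 chars" figure in Optium's report, and stderr stands in for syslog().

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the USER argument lives in a 64-byte buffer, i.e. at most
 * 63 characters plus the NUL, matching the "above 63 chars" figure above. */
#define USER_BUF_SIZE 64

enum user_result { USER_OK = 0, USER_EMPTY = 1, USER_TOO_LONG = 2 };

/* Copy the argument of a POP3 USER command into a bounded buffer.
 * The bound is checked before any byte is copied, and a failed check
 * both logs and refuses the copy, which is the opposite of the 4.0.2
 * behaviour described in the thread (overflow noticed and logged, but
 * the original string copied anyway). */
enum user_result handle_user_arg(const char *arg, char *dst, size_t dstsz)
{
    size_t n = strlen(arg);

    if (dstsz == 0)
        return USER_TOO_LONG;
    dst[0] = '\0';                      /* nothing copied until the check passes */
    if (n == 0)
        return USER_EMPTY;
    if (n > dstsz - 1) {
        /* Detection: log the length only; never echo the raw argument
         * (stderr stands in for syslog() here). */
        fprintf(stderr, "USER argument too long: %zu bytes, limit %zu\n",
                n, dstsz - 1);
        return USER_TOO_LONG;           /* Enforcement: copy refused */
    }
    memcpy(dst, arg, n + 1);            /* n + 1 <= dstsz, so in bounds */
    return USER_OK;
}

/* Run a constructed argument of `len` 'A's (the shape of the input in
 * the report) through the handler and return the verdict. */
enum user_result try_user_arg_of_length(size_t len)
{
    char arg[256], dst[USER_BUF_SIZE];

    if (len > sizeof arg - 1)
        len = sizeof arg - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return handle_user_arg(arg, dst, sizeof dst);
}
```

    With the 128-character input from the report, try_user_arg_of_length(128) returns USER_TOO_LONG and the destination buffer stays empty, while a 63-character name is accepted.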



    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 22:36:19 PDT