Bugtraq mailing list archives
Corinne Posse Release 970424
From: posse () CORINNE MAC EDU (Corinne Posse)
Date: Sat, 26 Apr 1997 10:38:11 -0500
Someone sent out the last one without proofreading it. This is the version that makes sense.

************** Corinne Posse Security Notice **************
Issue Number 4: 970424
************** http://corinne.mac.edu/posse **************

**** Possible buffer overflow in pop3d ****

*pop3d-1.00.4 (BSD 4.3-based pop3d servers) USER buffer overflow*

Affected Sites:

Systems running OLD versions of pop3d, namely 1.00.4-based versions of the "original" BSD 4.3 Virtual VAX pop3d by Katie Stevens, are vulnerable. In addition, I believe this includes many older Linux distributions, as many early Linux pop3ds were based on this version. I don't know which distributions would be guilty of having this daemon, or at what point in time they stopped using it. See ftp://tsx-11.mit.edu/pub/linux/packages/net/attic/Other/pop3d/pop3d-1.00.4.tar.gz for a copy of the source code that I examined to find the problem.

Problem:

The problem lies in the routine used to read in the username. It is exactly like the vulnerability SNI found in imapd, except that it is in a different software package, with strangely similar yet different code. A malicious user can easily cause arbitrary execution from the stack (as root, since most pop3 daemons run as root) provided they have good motivation and know what the stack looks like.

The offending code follows:

    char cli_user[CLI_BUFSIZ]; /* CLI_BUFSIZ is a whole 128 characters! */
    char *inbuf;

    if (strncmp(inbuf, "user", 4) == 0) {
        inbuf += 4;
        EATSPACE(inbuf);
        strcpy(cli_user, inbuf);   /* unbounded copy into the 128-byte cli_user */

from "main.c" (around line 155 of main.c, depending on your distribution).

Fixes:

The obvious fix is to upgrade to pop3d software that is more recent/reliable, or to tinker with the code yourself. Good Luck!

[Found and released by: Jonathan Katz, jkatz () corinne mac edu]

Jon, a Sophomore at MacMurray College in Jacksonville, IL, is the founder and president of Corinne Posse. See http://corinne.mac.edu/posse for more information about the posse.
"Systems security begins with common sense, it's not an add-in feature."
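The following is an added illustration of the "tinker with the code yourself" fix, not code from the advisory or from pop3d itself. It replaces the unbounded strcpy() in the USER handler with a length-checked copy that refuses arguments that would not fit in the 128-byte cli_user buffer. CLI_BUFSIZ is set to 128 as the advisory states; the EATSPACE macro, the function name read_user_command and the result codes are assumptions made for this example, and the sample command lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CLI_BUFSIZ 128   /* the same 128-byte limit the advisory describes */

/* Assumed stand-in for pop3d's EATSPACE: skip blanks between verb and argument */
#define EATSPACE(p) while (*(p) == ' ' || *(p) == '\t') (p)++

enum user_result {
    USER_OK = 0,
    USER_NOT_USER_CMD = 1,
    USER_TOO_LONG = 2,
    USER_EMPTY = 3
};

/* Hardened replacement for the strcpy() in main.c (hypothetical name):
 * copy the USER argument into cli_user only when it fits, including the
 * terminating NUL, and reject it otherwise. A trailing CR/LF is stripped
 * so that the length check counts only the username itself. */
enum user_result read_user_command(const char *inbuf, char *cli_user, size_t bufsiz)
{
    size_t len;

    if (strncmp(inbuf, "user", 4) != 0)
        return USER_NOT_USER_CMD;
    inbuf += 4;
    EATSPACE(inbuf);

    /* length of the argument up to the end of the line */
    len = strcspn(inbuf, "\r\n");
    if (len == 0)
        return USER_EMPTY;
    /* room for the NUL means len must be strictly less than the buffer size */
    if (len >= bufsiz)
        return USER_TOO_LONG;

    memcpy(cli_user, inbuf, len);
    cli_user[len] = '\0';
    return USER_OK;
}

/* Self-check with constructed input: a normal USER line, a USER line whose
 * argument is far larger than cli_user, and a non-USER command.
 * Returns the number of failed checks (0 means everything behaved). */
int run_demo(void)
{
    char cli_user[CLI_BUFSIZ];
    char oversized[CLI_BUFSIZ + 64];
    int failures = 0;

    if (read_user_command("user alice\r\n", cli_user, sizeof cli_user) != USER_OK ||
        strcmp(cli_user, "alice") != 0)
        failures++;

    /* build "user " followed by 184 'A's and CR/LF: 184 bytes cannot fit in 128 */
    memset(oversized, 0, sizeof oversized);
    strcpy(oversized, "user ");
    memset(oversized + 5, 'A', sizeof oversized - 8);
    strcat(oversized, "\r\n");
    if (read_user_command(oversized, cli_user, sizeof cli_user) != USER_TOO_LONG)
        failures++;

    if (read_user_command("pass secret\r\n", cli_user, sizeof cli_user) != USER_NOT_USER_CMD)
        failures++;

    if (read_user_command("user \r\n", cli_user, sizeof cli_user) != USER_EMPTY)
        failures++;

    return failures;
}

int main(void)
{
    int failed = run_demo();
    printf("%s\n", failed == 0 ? "all checks passed" : "some checks failed");
    return failed;
}
```

The point of the change is that the caller, not the remote client, decides how many bytes land in cli_user; an overlong argument becomes a rejected command (a daemon would answer with a -ERR line) instead of a write past the end of the stack buffer. Even with this patch applied, the advisory's first recommendation stands: an old pop3d of this vintage should be replaced rather than maintained by hand.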