Bugtraq mailing list archives
CPSN 4-970424: Possible buffer overflow in pop3d
From: posse () corinne mac edu (Corinne Posse)
Date: Sat, 26 Apr 1997 07:50:24 -0500
************** Corinne Posse Security Notice **************
Issue Number 4-970424
Topic: Possible buffer overflow in pop3d
************** http://corinne.mac.edu/posse **************

*pop3d-1.00.4 (BSD 4.3-based pop3d servers) USER buffer overflow*

Affected Sites:

Systems running OLD versions of pop3d, namely 1.00.4, based on the "original" BSD 4.3 Virtual VAX pop3d by Katie Stevens. This may include many older Linux distributions, as early Linux pop3ds were based on this version. I'm not certain which distributions would be guilty of having this daemon, or at what point they stopped using it. See ftp://tsx-11.mit.edu/pub/linux/packages/net/attic/Other/pop3d/pop3d-1.00.4.tar.gz for a copy of the source code that was examined.

Problem:

The problem lies in the routine used to read in the username. This is very similar to the problem that SNI found with imapd. A malicious, motivated user can easily cause arbitrary execution from the stack (as root, since most pop3 daemons run as root) if that user knows what the stack looks like. The offending code follows:

    char cli_user[CLI_BUFSIZ]; /* CLI_BUFSIZ is a whole 128 characters! */
    char *inbuf;

    if (strncmp(inbuf,"user",4) == 0) {
        inbuf += 4;
        EATSPACE(inbuf);
        strcpy(cli_user,inbuf);

from "main.c" (around line 155 of main.c, depending on your distribution)

Fixes:

The obvious fix is to upgrade to pop3d software that is more recent or reliable, or to tinker with the code yourself.

[Found and released by: Jonathan Katz, jkatz () corinne mac edu]

-Jon
MacMurray College Sophomore * OpenBSD Enthusiast * T. Sax
-=+ Systems Administrator && Webmaster of corinne.mac.edu +=-
jkatz () corinne mac edu * http://corinne.mac.edu * http://jon.katz.com
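Added example, not part of the original notice and not code from pop3d: one way the USER copy quoted above could be bounded, rejecting an over-long name instead of copying it. The names parse_user and try_name_len are hypothetical, the whitespace loop stands in for the EATSPACE() macro, and the input lines are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define CLI_BUFSIZ 128              /* buffer size quoted in the advisory */

/* Hypothetical helper (not from pop3d): copy the argument of "user <name>"
 * into out[outsz]. Returns 0 on success, -1 if the line is not a USER
 * command, -2 if the name is empty or too long (rejected, never truncated). */
int parse_user(const char *inbuf, char *out, size_t outsz)
{
    size_t len;

    if (outsz == 0)
        return -2;
    out[0] = '\0';
    if (strncmp(inbuf, "user", 4) != 0)       /* same test as the excerpt */
        return -1;
    inbuf += 4;
    while (*inbuf == ' ' || *inbuf == '\t')   /* stand-in for EATSPACE() */
        inbuf++;
    len = strcspn(inbuf, "\r\n");             /* name ends at CR/LF or NUL */
    if (len == 0 || len >= outsz)             /* leave room for the '\0' */
        return -2;
    memcpy(out, inbuf, len);
    out[len] = '\0';
    return 0;
}

/* Constructed input: "user " followed by n 'A' characters and CRLF. */
int try_name_len(size_t n)
{
    static char line[1024];
    char cli_user[CLI_BUFSIZ];

    if (n > sizeof line - 8)
        return -2;
    memcpy(line, "user ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);          /* CR, LF and the terminator */
    return parse_user(line, cli_user, sizeof cli_user);
}

int main(void)
{
    printf("127 bytes: %d\n", try_name_len(CLI_BUFSIZ - 1));
    printf("128 bytes: %d\n", try_name_len(CLI_BUFSIZ));
    printf("900 bytes: %d\n", try_name_len(900));
    return 0;
}
```

The boundary is the point of the example: a 127-byte name fits with its terminator, while a 128-byte name is refused rather than written past the end of cli_user.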