Bugtraq mailing list archives

CPSN 4-970424: Possible buffer overflow in pop3d


From: posse () corinne mac edu (Corinne Posse)
Date: Sat, 26 Apr 1997 07:50:24 -0500


************** Corinne Posse Security Notice  **************
Issue Number 4-970424
Topic: Possible buffer overflow in pop3d
**************  http://corinne.mac.edu/posse  **************

*pop3d-1.00.4 (BSD 4.3-based pop3d servers) USER buffer overflow*

Affected Sites:
Systems running OLD versions of pop3d, namely 1.00.4,
based on the "original" BSD 4.3 Virtual VAX pop3d by Katie Stevens. This
may include many older Linux distributions, as early Linux pop3ds were
based on this version. I'm not certain which distributions would be
guilty of having this daemon, or at what point they stopped using it.
See
        ftp://tsx-11.mit.edu/pub/linux/packages/net/attic/Other/pop3d/pop3d-1.00.4.tar.gz
for a copy of the source code that was examined.

Problem:
The problem lies in the routine used to read in the username: the
argument of the USER command is copied with strcpy() into a fixed
128-byte stack buffer with no length check. This is very similar to the
problem that SNI found with imapd. A malicious, motivated user can easily
cause arbitrary execution from the stack (as root, since most pop3 daemons
run as root) if that user knows what the stack looks like.

The offending code follows:

char cli_user[CLI_BUFSIZ];  /* CLI_BUFSIZ is a whole 128 characters! */
char *inbuf;                /* points at the command line read from the client */

        if (strncmp(inbuf,"user",4) == 0) {
                inbuf += 4;
                EATSPACE(inbuf);        /* skip blanks before the name */
                strcpy(cli_user,inbuf); /* no length check: anything past 127 bytes overruns cli_user */
        }

from "main.c" (around line 155 of main.c, depending on your distribution)
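For comparison, here is the same USER handler with a length check. This is an added example, not code from pop3d-1.00.4 or from the notice; CLI_BUFSIZ and the EATSPACE macro are reconstructed from the names above, and handle_user and its return codes are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define CLI_BUFSIZ 128   /* same 128-byte buffer as the original */

/* Skip leading blanks; reconstructed stand-in for the original EATSPACE
 * macro, whose exact definition is not on the page. */
#define EATSPACE(p) do { while (*(p) == ' ' || *(p) == '\t') (p)++; } while (0)

/* Bounded replacement for the quoted USER handler. Returns 0 and fills
 * cli_user on success, -1 if the line is not a USER command, and -2 if
 * the argument would not fit in CLI_BUFSIZ bytes (cli_user is then left
 * empty rather than overrun, which is where the original strcpy went wrong). */
int handle_user(const char *inbuf, char cli_user[CLI_BUFSIZ])
{
    size_t len;

    cli_user[0] = '\0';
    if (strncmp(inbuf, "user", 4) != 0)
        return -1;
    inbuf += 4;
    EATSPACE(inbuf);

    /* Do not count the line terminator as part of the name. */
    len = strcspn(inbuf, "\r\n");

    /* Reject an empty name and anything that leaves no room for the NUL. */
    if (len == 0 || len >= CLI_BUFSIZ)
        return -2;

    memcpy(cli_user, inbuf, len);
    cli_user[len] = '\0';
    return 0;
}

int main(void)
{
    char cli_user[CLI_BUFSIZ];
    char line[CLI_BUFSIZ + 16] = "user ";

    printf("%d %s\n", handle_user("user jkatz\r\n", cli_user), cli_user);
    /* Constructed over-long argument: 130 'A's after "user ". */
    memset(line + 5, 'A', CLI_BUFSIZ + 2);
    line[5 + CLI_BUFSIZ + 2] = '\0';
    printf("%d\n", handle_user(line, cli_user));
    return 0;
}
```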

Fixes:
The obvious fix is to upgrade to pop3d software that is more
recent or reliable, or to patch the code yourself so that the USER
argument is length-checked against CLI_BUFSIZ before it is copied.

[Found and released by: Jonathan Katz, jkatz () corinne mac edu]

  -Jon    MacMurray College Sophomore * OpenBSD Enthusiast * T. Sax
-=+  Systems  Administrator  &&  Webmaster   of   corinne.mac.edu  +=-
 jkatz () corinne mac edu * http://corinne.mac.edu * http://jon.katz.com
