Bugtraq mailing list archives
patch for qpopper remote exploit bug
From: rhooper () CORP CYBERUS CA (Roy Hooper)
Date: Sat, 27 Jun 1998 03:24:04 -0400
This is a simple case of the author(s) of qpopper not using vsnprintf where they ought to have been. I have confirmed that qpopper-2.41beta1 is indeed vulnerable to a remote exploit due to buffer overrun. I have not actually tested the exploit, but have tested (and fixed) the buffer overrun in the copy of qpopper running here.

The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy, as both have the vsnprintf function. This patch is not guaranteed to solve the problem, but appears to do so.

*** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998
--- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998
***************
*** 47,53 ****
  #endif
  #ifdef HAVE_VPRINTF
!     vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
  #else
  # ifdef PYRAMID
      (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 47,53 ----
  #endif
  #ifdef HAVE_VPRINTF
!     vsprintf(msgbuf,format,ap);
  #else
  # ifdef PYRAMID
      (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
*** qpopper2.41beta1/pop_msg.c Sat Jun 27 03:01:22 1998
--- qpopper2.41beta1-broken/pop_msg.c Sat Jun 27 02:59:05 1998
***************
*** 63,69 ****
      /* Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!     vsnprintf(mp,sizeof(message),format,ap);
  #else
  # ifdef PYRAMID
      (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 63,69 ----
      /* Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!     vsprintf(mp,format,ap);
  #else
  # ifdef PYRAMID
      (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);

--
Roy Hooper
Sr. Systems Administrator
Cyberus Online Inc.

-----Original Message-----
From: Seth McGann <smm () WPI EDU>
To: BUGTRAQ () netspace org <BUGTRAQ () netspace org>
Date: Saturday, June 27, 1998 2:36 AM
Subject: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT
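Review bot: the pop_log.c hunk is the wrong way round: the `***` (old) side at lines 47-53 carries `vsnprintf(msgbuf,sizeof(msgbuf),format,ap);` and the `---` (new) side carries `vsprintf(msgbuf,format,ap);`, because the fixed tree was passed to diff first and the `-broken` tree second. Fed to plain `patch` this would put the unbounded vsprintf back; regenerate it with the arguments swapped, or tell readers to apply it with `patch -R`. Separately, the call stays under `#ifdef HAVE_VPRINTF`, which only establishes that vprintf exists; a platform with vprintf but no vsnprintf now fails to link, so either a distinct HAVE_VSNPRINTF test or a bundled fallback implementation belongs here.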
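Review bot: in the pop_msg.c hunk the bound handed to vsnprintf is `sizeof(message)` while the destination is `mp`, and the hunk's own comment says this call appends the formatted text. If `mp` already points some way into `message` when this runs (its declaration is outside the hunk, so this is inferred from the comment), `sizeof(message)` overstates the space left and the write can still run past the end of the buffer; the bound should be the remaining room, e.g. `sizeof(message) - (mp - message)`. The same reversed-diff problem as in pop_log.c applies here: the `---` side is the `vsprintf(mp,format,ap);` version.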
It's come to my attention that systems around the internet are being exploited using a new remote overflow in Qualcomm's Popper server. Well, let's clear a few things up:

1. The working exploit was stolen from my development account; subsequently MANY sites were cracked in short order. Much of Efnet was compromised as power crazed script kiddies gained root access on IRCOP boxes, giving themselves O-lines.

2. This vulnerability affects FreeBSD, OpenBSD, and Solaris x86 so far. Other systems are most certainly vulnerable. Linux does not appear vulnerable. To test, simply send the server several thousand characters and see if it crashes. Check the return address to see if it matches.

3. Due to massive exploitation the proper authorities have most likely been notified already. This is a bit of an emergency.

4. You will NOT get the "exploit" from me, don't ask. If you think you're "eleet" enough, do it yourself. I admit I had some help, but it took a while to figure out.

5. The most obvious offender is the vsprintf() on line 66 of pop_msg.c.

6. If you have a problem with my style, I'm sorry. I'm angry at both myself and the members of #conflict who I hold directly responsible for this breach. I will not name names, the offenders know who they are.

7. When I have my head together I will post a patch tomorrow if one is not available by then.

8. For now, disable qpopper or choose another solution till qpopper is secured.

Thank you.

Seth M. McGann / smm () wpi edu
http://www.wpi.edu/~smm
"Security is making it to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7 19E3 6AF7 4AE7 E250 1C80
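Roy's fix replaces vsprintf with vsnprintf. The code below is an added example written for this page, not code from qpopper or from either poster; it shows the bound a caller needs when the formatted text is appended after a prefix already in the buffer (the pop_msg.c situation, where the destination pointer has advanced past the start of the array), and it reports truncation so the server can log it instead of silently dropping bytes. The 512-byte buffer, the "-ERR unknown user" reply wording and the 5000-byte argument are constructed for the example and are not qpopper's values.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MSGBUF_SIZE 512   /* assumed size of the fixed reply buffer */

/* Append printf-formatted text to buf at offset *used.
 * The bound is the space remaining after the prefix, not the full buffer
 * size: vsnprintf(buf + used, bufsize, ...) would still allow the text to
 * run past the end of buf. *used is advanced past the appended text.
 * Returns true when the output did not fit and was cut off. */
bool append_formatted(char *buf, size_t bufsize, size_t *used,
                      const char *fmt, ...)
{
    va_list ap;
    size_t remaining;
    int n;

    if (*used >= bufsize)          /* no room, not even for the NUL */
        return true;
    remaining = bufsize - *used;

    va_start(ap, fmt);
    n = vsnprintf(buf + *used, remaining, fmt, ap);
    va_end(ap);

    if (n < 0) {                   /* encoding error: keep buf terminated */
        buf[*used] = '\0';
        return true;
    }
    if ((size_t)n >= remaining) {  /* truncated; vsnprintf wrote the NUL */
        *used = bufsize - 1;
        return true;
    }
    *used += (size_t)n;
    return false;
}

/* Build a POP3 error reply that echoes a client-supplied argument, the
 * pattern where an attacker-controlled string reaches the format call.
 * Returns the reply length; out is always NUL-terminated and never holds
 * more than outsize - 1 characters. */
size_t build_reply(char *out, size_t outsize, const char *client_arg)
{
    size_t used = 0;

    append_formatted(out, outsize, &used, "-ERR ");
    if (append_formatted(out, outsize, &used, "unknown user %s", client_arg))
        fprintf(stderr, "reply truncated (argument of %zu bytes)\n",
                strlen(client_arg));
    return used;
}

/* Constructed oversized input, in the spirit of the "several thousand
 * characters" check in the quoted report. Fills out and returns the length. */
size_t reply_for_long_argument(char *out, size_t outsize)
{
    static char big[5001];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_reply(out, outsize, big);
}

int main(void)
{
    char reply[MSGBUF_SIZE];
    size_t n = reply_for_long_argument(reply, sizeof reply);

    printf("reply length %zu, terminated: %s\n",
           n, reply[n] == '\0' ? "yes" : "no");
    return 0;
}
```

With the short argument "bob" the reply is exactly "-ERR unknown user bob"; with the 5000-byte argument the reply stops at 511 characters plus the terminator and the truncation is reported on stderr, which is the signal a defender wants to see in the logs when something is sending oversized arguments.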