Bugtraq mailing list archives
Re: patch for qpopper remote exploit bug
From: dszd0g () dasb fhda edu (Benjamin J Stassart)
Date: Sat, 27 Jun 1998 18:34:12 -0700
> Date: Sat, 27 Jun 1998 21:21:13 +0300
> From: Andres Kroonmaa <andre () ML EE>
> To: BUGTRAQ () NETSPACE ORG
> Subject: Re: patch for qpopper remote exploit bug
>
> On 27 Jun 98, at 3:24, Roy Hooper <rhooper () CORP CYBERUS CA> wrote:
>
> > This is a simple case of the author(s) of qpopper not using vsnprintf
> > where they ought to have been. I have confirmed that qpopper-2.41beta1
> > is indeed vulnerable to a remote exploit due to buffer overrun. I have
> > not actually tested the exploit, but have tested (and fixed) the buffer
> > overrun in the copy of qpopper running here.
>
> Yeah, but what about systems that do _not_ have vsnprintf()? Using calls
> without bounds checks can be justified as long as it is made dead sure
> that no bounds would be ever exceeded.
Digital Unix 3.2G does not seem to have either vsnprintf or snprintf.
However, qpopper under Digital Unix 3.2G does not seem to show the
vulnerability as discussed on this list even though it contains the
vulnerable code.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <32482.898994635@machine>
-ERR Unknown command: "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeee".
+OK Pop server at machine signing off.

And I get a log with that message. Since I do not trust that there is not
another way to exploit it, I decided to rewrite it anyways until a patch
from Qualcomm becomes available.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <29494.898995337@machine>
-ERR String too long
+OK Pop server at machine signing off.

It is a really ugly patch that replaces vsprintf with vfprintf and outputs
to a file and then reads in from that file.
*** pop_msg.c Sat Jun 27 17:53:55 1998 - --- pop_msg.c.orig Sat Jun 27 14:01:49 1998 *************** *** 35,43 **** #endif char message[MAXLINELEN]; - - FILE* vprint_file; - - char vprint_temp[101]; - - va_start(ap); p = va_arg(ap, POP *); stat = va_arg(ap, int); - --- 35,40 ---- *************** *** 66,86 **** /* Append the message (formatted, if necessary) */ if (format) #ifdef HAVE_VPRINTF ! vprint_file = tmpfile(); ! vfprintf(vprint_file,format,ap); ! rewind(vprint_file); ! fscanf(vprint_file, "%100s", mp); ! while(fscanf(vprint_file, "%100s", vprint_temp) != EOF) ! { ! if (strlen(mp) + strlen(vprint_temp) + 4 > MAXLINELEN) ! { ! strcpy(mp, "String too long"); ! break; ! } ! ! strcat(mp, " "); ! strcat(mp, vprint_temp); ! } #else # ifdef PYRAMID (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6); - --- 63,69 ---- /* Append the message (formatted, if necessary) */ if (format) #ifdef HAVE_VPRINTF ! vsprintf(mp,format,ap); #else # ifdef PYRAMID (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6); *************** *** 90,96 **** # endif #endif va_end(ap); ! /* Log the message if debugging is turned on */ #ifdef DEBUG if (p->debug && stat == POP_SUCCESS) - --- 73,79 ---- # endif #endif va_end(ap); ! /* Log the message if debugging is turned on */ #ifdef DEBUG if (p->debug && stat == POP_SUCCESS) *** pop_log.c Sat Jun 27 17:54:09 1998 - --- pop_log.c.orig Sat Jun 27 17:10:10 1998 *************** *** 33,41 **** char * date_time; time_t clock; - - FILE* vprint_file; - - char vprint_temp[101]; - - va_start(ap); p = va_arg(ap,POP *); stat = va_arg(ap,int); - --- 33,38 ---- *************** *** 50,70 **** #endif #ifdef HAVE_VPRINTF ! vprint_file = tmpfile(); ! vfprintf(vprint_file,format,ap); ! rewind(vprint_file); ! fscanf(vprint_file, "%100s", msgbuf); ! while(fscanf(vprint_file, "%100s", vprint_temp) != EOF) ! { ! if (strlen(msgbuf) + strlen(vprint_temp) + 4 > MAXLINELEN) ! { ! strcpy(msgbuf, "String too long"); ! break; ! } ! ! strcat(msgbuf, " "); ! 
strcat(msgbuf, vprint_temp); ! } #else # ifdef PYRAMID (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6); - --- 47,53 ---- #endif #ifdef HAVE_VPRINTF ! vsprintf(msgbuf,format,ap); #else # ifdef PYRAMID (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);

And I also applied the UIDL patch given on this mailing list earlier today.

Benjamin J. Stassart
------------------------------------------------+
A great many people think they are thinking     |
when they are merely rearranging their          |
prejudices                                      |
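Review bot: the diff is generated in the reverse direction: the `*** pop_msg.c` side (17:53) is the modified file and the `--- pop_msg.c.orig` side is the original, so `patch` run on a pristine tree will try to undo the fix and report reversed hunks; either regenerate it as `diff -c pop_msg.c.orig pop_msg.c` or tell readers to apply it with `patch -R`. The same applies to the `pop_log.c` header. Note also that the `- ---` and `- -` prefixes are PGP dash-escaping of lines beginning with `-`, which patch(1) will not understand until the signed message is unwrapped.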
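Review bot: in the pop_msg.c `66,86` hunk the `tmpfile()` result is neither checked nor closed: if it returns NULL (no temp space, no free descriptors) `vfprintf(vprint_file,format,ap)` dereferences a null pointer, and on success the stream is never released, so every reply in a session leaks one descriptor. Add `if (vprint_file == NULL) { ... }` before the `vfprintf` and an `fclose(vprint_file)` after the loop. The bound `strlen(mp) + strlen(vprint_temp) + 4 > MAXLINELEN` is also measured from `mp` rather than from the start of `message[MAXLINELEN]`; if `mp` already points past a status prefix written into `message` (the `+OK ` / `-ERR ` seen in the session above), a 5-byte `-ERR ` prefix plus the appended space and terminating NUL need 7 bytes beyond the two string lengths, so a message that passes the check can still run past the buffer by a few bytes. Compute the remaining room as `MAXLINELEN - (mp - message)` instead. Finally, rebuilding the text with `%100s` tokens discards all whitespace and newlines in the formatted output, so multi-word replies come back with single spaces only.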
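Review bot: the pop_msg.c `90,96` hunk changes only whitespace on the `/* Log the message if debugging is turned on */` comment line; drop it from the patch so reviewers do not have to look for a functional change there.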
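Review bot: the pop_log.c `50,70` hunk repeats the unchecked and unclosed `tmpfile()` from pop_msg.c, and additionally ignores the return value of the first `fscanf(vprint_file, "%100s", msgbuf)`: when the formatted log line is empty or whitespace-only that call returns EOF without writing to `msgbuf`, and unless `msgbuf` is initialized elsewhere the following `strlen(msgbuf)` and the log write read uninitialized stack. Check the first `fscanf` for EOF and set `msgbuf[0] = '\0'` in that case, or initialize `msgbuf` before the `#ifdef`.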
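An added example (my own code, not Benjamin's patch and not qpopper's) of the same temp-file approach for a system without vsnprintf, with the gaps the patch leaves closed: tmpfile() is checked and closed, whitespace survives, the needed length is measured, and the bound is the room left after the +OK/-ERR prefix rather than a count from mp. The names bounded_vformat and pop_reply and the 64-byte test buffer are my assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Render format+ap through a temp file (no vsnprintf needed), copy at most bufsize-1
 * bytes back with whitespace intact, and return the length the full message would
 * need (vsnprintf-style), or -1 on I/O failure. */
static int bounded_vformat(char *buf, size_t bufsize, const char *format, va_list ap)
{
    FILE *tmp; long total; size_t n;
    if (bufsize == 0) return -1;
    buf[0] = '\0';
    if ((tmp = tmpfile()) == NULL) return -1;   /* the patch never checks this */
    if (vfprintf(tmp, format, ap) < 0 || fflush(tmp) != 0) { fclose(tmp); return -1; }
    total = ftell(tmp);                         /* bytes written = length needed */
    rewind(tmp);
    n = fread(buf, 1, bufsize - 1, tmp);
    buf[n] = '\0';
    fclose(tmp);                                /* the patch leaks one fd per reply */
    return total < 0 ? -1 : (int)total;
}
/* Build a "+OK ..."/"-ERR ..." reply like qpopper's pop_msg(), bounding the body by
 * the room left after the prefix (the patch measures from mp instead). Returns 0 when
 * the body fit, 1 when it was replaced by "String too long", -1 on error. */
int pop_reply(char *message, size_t size, int ok, const char *format, ...)
{
    static const char too_long[] = "String too long";
    const char *prefix = ok ? "+OK " : "-ERR ";
    size_t used = strlen(prefix);
    va_list ap; int need;
    if (size <= used) return -1;
    memcpy(message, prefix, used + 1);          /* prefix plus its NUL */
    va_start(ap, format);
    need = bounded_vformat(message + used, size - used, format, ap);
    va_end(ap);
    if (need < 0) return -1;
    if ((size_t)need < size - used) return 0;   /* fit, NUL included */
    if (size - used >= sizeof too_long) strcpy(message + used, too_long);
    return 1;                                   /* body was too long */
}
/* Self-check on constructed input: a normal reply, then a 2000-byte command echo
 * like the perl test in the message above. Returns 1 if both behave as intended. */
int pop_reply_selfcheck(void)
{
    char buf[64], big[2001];
    memset(big, 'e', 2000); big[2000] = '\0';   /* constructed, mirrors "e"x2000 */
    if (pop_reply(buf, sizeof buf, 1, "%d messages (%d octets)", 3, 1234) != 0
        || strcmp(buf, "+OK 3 messages (1234 octets)") != 0) return 0;
    if (pop_reply(buf, sizeof buf, 0, "Unknown command: \"%s\".", big) != 1) return 0;
    return strcmp(buf, "-ERR String too long") == 0;
}
```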
Current thread:
- !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT Seth McGann (Jun 26)
- Re: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT Theo de Raadt (Jun 27)
- patch for qpopper remote exploit bug Roy Hooper (Jun 27)
- Re: patch for qpopper remote exploit bug Andres Kroonmaa (Jun 27)
- Re: patch for qpopper remote exploit bug Theo de Raadt (Jun 27)
- Re: patch for qpopper remote exploit bug Jon Lusky (Jun 27)
- Re: patch for qpopper remote exploit bug Benjamin J Stassart (Jun 27)
- Users can view script source from Win WebServers Aleph One (Jun 27)
- Re: patch for qpopper remote exploit bug Andres Kroonmaa (Jun 27)
- Re: QPOPPER problem.... ONE crude patch... Tom Brown (Jun 27)
- Re: QPOPPER problem.... ONE crude patch... Daniel Ryde (Jun 27)
- Re: QPOPPER problem.... ONE crude patch... Marco S Hyman (Jun 27)
- Re: QPOPPER problem.... Jason Ackley (Jun 27)
- Re: QPOPPER problem.... Bruno Lopes F. Cabral (Jun 27)
- patch: qpopper (plugs another hole too) Miquel van Smoorenburg (Jun 27)
- Re: QPOPPER problem.... Marco S Hyman (Jun 27)
- Re: QPOPPER problem.... Bruno Lopes F. Cabral (Jun 27)
- More patch ideas for qpopper Aaron D. Gifford (Jun 27)
- Re: QPOPPER problem.... ONE crude patch... Daniel Ryde (Jun 27)