Bugtraq mailing list archives

Re: More problems with QPOPPER - <sigh>


From: bruno () OPENLINE COM BR (Bruno Lopes F. Cabral)
Date: Mon, 29 Jun 1998 08:50:00 -0300


Hi there

After applying all the patches with exception of the PAM patch in the
.RPM'd version of qpopper2.4.src, I have located yet another hole in qpopper.

This popper was compiled with -DAUTH in the makefile.
[examples snipped]
Then, I decided to try a VALID username:

[OverKill]:/$ telnet localhost pop3
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 2.4) at Victim.Com starting.
user valid
+OK Password required for valid.
pass [long line of X truncated]
Connection closed by foreign host.

It segfaulted and dumped core.

Seems the PAM patches protect against this, because here (I use PAM) it didn't work:

$ telnet poor.victim.com 110
Trying poor.victim.ip.address...
Connected to poor.victim.com.
Escape character is '^]'.
+OK QPOP (version 2.4) at poor.victim.com starting.
user valid
+OK Password required for valid.
pass [long line of X stripped]
-ERR Password supplied for "valid" is incorrect.
+OK Pop server at poor.victim.com signing off.
Connection closed by foreign host.

and the attempt was logged (although not different from a "normal" one)

Jun 29 08:42:29 poor in.qpopper[4612]: valid () poor victom com: -ERR Password supplied for "poor" is incorrect.
Jun 29 08:42:29 poor in.qpopper[4612]: Failed attempted login to poor from host poor.victim.com

Looks like, basically, if the parser sees that the command was actually
a password argument, it doesn't send it through the truncate code.

I didn't look into it, but I suspect the PAM patches change the default
of -DAUTH. BTW, qpopper development seems halted. Have any of you
contacted Qualcomm about these problems?

!3runo
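
As an added illustration of the parsing issue discussed in this message (not qpopper's code and not written by anyone in the thread): a C sketch of a POP3 line parser that applies one length bound to every command's argument, PASS included, and returns a distinct code for an oversized argument so the caller can log it separately from an ordinary failed login. The names parse_pop_line, struct pop_cmd, the return codes and the 40-byte limit are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_VERB_LEN 4    /* POP3 keywords are 3 or 4 characters */
#define MAX_ARG_LEN  40   /* limit assumed for this example */

enum { POP_OK = 0, POP_BAD_VERB = -1, POP_ARG_TOO_LONG = -2 };

struct pop_cmd {
    char verb[MAX_VERB_LEN + 1];
    char arg[MAX_ARG_LEN + 1];
};

/* Parse one command line into verb and argument. The bound on the
 * argument is checked before any copy and is the same for every verb,
 * so a PASS argument cannot bypass it. Oversized input is rejected,
 * never copied, and reported with its own code for distinct logging. */
int parse_pop_line(const char *line, struct pop_cmd *out)
{
    size_t n = strcspn(line, "\r\n");      /* length without CRLF */
    size_t vlen = 0;

    while (vlen < n && line[vlen] != ' ')
        vlen++;
    if (vlen == 0 || vlen > MAX_VERB_LEN)
        return POP_BAD_VERB;
    memcpy(out->verb, line, vlen);
    out->verb[vlen] = '\0';

    size_t astart = (vlen < n) ? vlen + 1 : vlen;  /* skip one space */
    size_t alen = n - astart;
    if (alen > MAX_ARG_LEN)
        return POP_ARG_TOO_LONG;
    memcpy(out->arg, line + astart, alen);
    out->arg[alen] = '\0';
    return POP_OK;
}

int main(void)
{
    /* Constructed input: a PASS line carrying a 2000-byte argument. */
    char big[2048] = "pass ";
    struct pop_cmd c;

    memset(big + 5, 'X', 2000);
    big[2005] = '\0';
    printf("user valid -> %d\n", parse_pop_line("user valid\r\n", &c));
    printf("long pass  -> %d\n", parse_pop_line(big, &c));
    return 0;
}
```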


