Bugtraq mailing list archives
Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
From: KF <dotslash () snosoft com>
Date: Tue, 05 Jun 2001 21:42:37 -0400
Heres the first post on this issue that I saw ... I worked to exploit it but it actualy did truncate the string somehow... This was on a version prior to 4.0.2 I believe... I had the same result as Optium, I was unable to write past the edx register... the logs for syslog as I recall stated the string was too long and that it was truncated down to a certain length. Perhaps Optium has more input? -KF To: Vuln-Dev Subject: Qpopper 4.0 Buffer Overflow Date: Fri Apr 20 2001 03:15:29 Author: Optium < shatan () ihug co nz > Message-ID: <20010420031529.5352.qmail () securityfocus com> Recently I came across a buffer overflow in qpop4.0. The overflow occures when the input for the command "user" is above 63 chars long. I was not able to overflow beyond the edx due to what seems like char filtering beyond a curtain point (being 64). example : Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. +OK user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA Connection closed by foreign host. Optium Florian Weimer wrote:
Roman Drahtmueller <draht () suse de> writes:We hope that this information is accurate. Version 4.0.2 is not on the ftp server any more, and there is no patch from 4.0.2 to 4.0.3. We currently feel handicapped in our efforts to check the code for the changes wrt the buffer overflow.Fortunately, there are mirrors. The problem is that 4.0.2 discovered the buffer overflow attempt, even logged it via syslog(), but failed to actually truncate the string and copied the original one to a buffer of bounded length. However, I agree that removing the previous version and not providing a diff is extremely counterproductive. -- Florian Weimer Florian.Weimer () RUS Uni-Stuttgart DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Current thread:
- Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd) Michael Brennen (Jun 02)
- Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd) Roman Drahtmueller (Jun 05)
- Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd) Renaud Deraison (Jun 05)
- Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd) Florian Weimer (Jun 05)
- Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd) KF (Jun 05)
- Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd) William D. Colburn (aka Schlake) (Jun 05)
- Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd) Roman Drahtmueller (Jun 05)