Home page logo

bugtraq logo Bugtraq mailing list archives

CPSN 4-970424: Possible buffer overflow in pop3d
From: posse () corinne mac edu (Corinne Posse)
Date: Sat, 26 Apr 1997 07:50:24 -0500

************** Corinne Posse Security Notice  **************
Issue Number 4-970424
Topic: Possible buffer overflow in pop3d
**************  http://corinne.mac.edu/posse  **************

*pop3d-1.00.4 (BSD 4.3-based pop3d servers) USER buffer overflow*

Affected Sites:
Systems running OLD versions of pop3d, namely 1.00.4,
based on the "original" BSD 4.3 Virtual VAX pop3d by Katie Stevens. This
may include many older Linux distributions, as early Linux pop3ds were
based on this version. I'm not certain which distributions would be
guilty of having this daemon, or at what point they stopped using it.
for a copy of the source code that was examined.

The problem lies in the routine used to read in the username.
This is very similar to the problem that SNI found with imapd. A
malicious, motivated user can easily cause arbitrary execution from the
stack (as root, since most pop3 daemons run as root) if that user knows
what the stack looks like.

The offending code follows:

char cli_user[CLI_BUFSIZ];  /* CLI_BUFSIZE is a whole 128 characters! */
char *inbuf

        if (strncmp(inbuf,"user",4) == 0) {
                inbuf += 4;

from "main.c" (around line 155 of main.c, depending on your distribution)

The obvious fix is to upgrade to pop3d software that is more
recent or reliable, or to tinker with the code yourself.

[Found and released by: Jonathan Katz, jkatz () corinne mac edu]

  -Jon    MacMurray College Sophomore * OpenBSD Enthusiast * T. Sax
-=+  Systems  Administrator  &&  Webmaster   of   corinne.mac.edu  +=-
 jkatz () corinne mac edu * http://corinne.mac.edu * http://jon.katz.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]