Home page logo

bugtraq logo Bugtraq mailing list archives

patch for qpopper remote exploit bug
From: rhooper () CORP CYBERUS CA (Roy Hooper)
Date: Sat, 27 Jun 1998 03:24:04 -0400

This is a simple case of the author(s) of qpopper not using vsnprintf where
they aught to have been.  I have confirmed that qpopper-2.41beta1 is indeed
vulnerable to a remote exploit due to buffer overrun.  I have not actually
tested the exploit, but have tested (and fixed) the buffer overrun in the
copy of qpopper running here.

The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy,
as both have the vsnprintf function.  This patch is not guaranteed to solve
the problem, but appears to do so.

*** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998
--- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998
*** 47,53 ****

!         vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 47,53 ----

!         vsprintf(msgbuf,format,ap);
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
*** qpopper2.41beta1/pop_msg.c Sat Jun 27 03:01:22 1998
--- qpopper2.41beta1-broken/pop_msg.c Sat Jun 27 02:59:05 1998
*** 63,69 ****
      /*  Append the message (formatted, if necessary) */
      if (format)
!         vsnprintf(mp,sizeof(message),format,ap);
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 63,69 ----
      /*  Append the message (formatted, if necessary) */
      if (format)
!         vsprintf(mp,format,ap);
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);

Roy Hooper
Sr. Systems Administrator
Cyberus Online Inc.

-----Original Message-----
From: Seth McGann <smm () WPI EDU>
To: BUGTRAQ () netspace org <BUGTRAQ () netspace org>
Date: Saturday, June 27, 1998 2:36 AM

Its come to my attention that systems around the internet are being
exploited using a new remote overflow in Qualcomm's Popper server.  Well,
lets clear a few things up:

1.  The working exploit was stolen from my development account,
subsequently MANY sites were cracked in short order.  Much of Efnet was
compromised as power crazed script kiddies gained root access on IRCOP
boxes, giving themselves O-lines.

2.  This vulnerability effects FreeBSD, OpenBSD, and Solaris x86 so far.
Other systems are most certainly vulnerable.  Linux does not appear
vulnerable.  To test, simply send the sever several thousand characters and
see if it crashed.  Check the return address to see if it matches.

3.  Due to massive exploitation the proper authorities have most likely
been notified already.  This is a bit of an emergency.

4.  You will NOT get the "exploit" from me, don't ask.  If you think your
"eleet" enough, do it yourself.  I admit I had some help, but it took a
while to figure out.

5.  The most obvious offender is the vsprintf() on line 66 of pop_msg.c.

6.  If you have a problem with my style, I'm sorry.  I'm angry at both
myself and the members of #conflict who I hold directly responsible for
this breach.  I will not name names, the offenders know who they are.

7.  When I have my head together I will post a patch tomorrow if one is not
available by then.

8.  For now, disable qpopper or choose another solution till qpopper is

Thank you.

Seth M. McGann / smm () wpi edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]