Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT
From: miquels () CISTRON NL (Miquel van Smoorenburg)
Date: Sat, 27 Jun 1998 15:46:02 +0200


In article <19980627050419750.AAA323.373 () dell166>,
Seth McGann <smm () WPI EDU> wrote:
Its come to my attention that systems around the internet are being
exploited using a new remote overflow in Qualcomm's Popper server.  Well,

Oops! Here's a fix, that also fixes another thing I noted: buffer overflow
in X-UIDL processing (compromise an account by sending mail to it ..)

You need to put "HAVE_VSNPRINTF" in popper.h yourself if your O/S is
not Linux and it supports vsnprintf()

Patch relative to qpopper-2.3, the latest free version:


diff -ruN qpopper-2.3.orig/pop_dropcopy.c qpopper-2.3/pop_dropcopy.c
--- qpopper-2.3.orig/pop_dropcopy.c     Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_dropcopy.c  Sat Jun 27 15:33:07 1998
@@ -462,6 +462,9 @@
                    } else
                        cp = "";

+                   /* Make UIDL not longer then 128 chars, we use it
+                      in sprintf() later on */
+                   if (strlen(cp) >= 128) cp[127] = 0;
                    mp->uidl_str = (char *)strdup(cp);
                    mp->length += nchar + 1;
                    p->drop_size += nchar + 1;
diff -ruN qpopper-2.3.orig/pop_log.c qpopper-2.3/pop_log.c
--- qpopper-2.3.orig/pop_log.c  Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_log.c       Sat Jun 27 15:33:07 1998
@@ -18,7 +18,11 @@
  *  log:    Make a log entry
  */

+#ifdef HAVE_VSNPRINTF
 static char msgbuf[MAXLINELEN];
+#else
+static char msgbuf[MAXLINELEN*4];
+#endif

 pop_log(va_alist)
 va_dcl
@@ -46,6 +50,9 @@
     arg6 = va_arg(ap, char *);
 #endif

+#ifdef HAVE_VSNPRINTF
+        vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
+#else
 #ifdef HAVE_VSPRINTF
         vsprintf(msgbuf,format,ap);
 #else
@@ -57,6 +64,7 @@
 # endif
     va_end(ap);
 #endif
+#endif

     if (p->debug && p->trace) {
        clock = time(0);
@@ -67,6 +75,8 @@
         (void)fflush(p->trace);
     }
     else {
+       /* Protect syslog from too long messages */
+       if (strlen(msgbuf) >= 512) msgbuf[511] = 0;
         syslog (stat,"%s",msgbuf);
     }

diff -ruN qpopper-2.3.orig/pop_msg.c qpopper-2.3/pop_msg.c
--- qpopper-2.3.orig/pop_msg.c  Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_msg.c       Sat Jun 27 15:33:07 1998
@@ -34,7 +34,11 @@
 #ifdef PYRAMID
     char           *   arg1, *arg2, *arg3, *arg4, *arg5, *arg6;
 #endif
+#ifdef HAVE_VSNPRINTF
     char                message[MAXLINELEN];
+#else
+    char                message[MAXLINELEN * 4];
+#endif

     va_start(ap);
     p = va_arg(ap, POP *);
@@ -63,6 +67,9 @@

     /*  Append the message (formatted, if necessary) */
     if (format)
+#ifdef HAVE_VSNPRINTF
+        vsnprintf(mp,sizeof(message) - strlen(mp) - 1, format,ap);
+#else
 #ifdef HAVE_VSPRINTF
         vsprintf(mp,format,ap);
 #else
@@ -72,6 +79,7 @@
         (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
                 ((int *)ap)[3],((int *)ap)[4]);
 # endif
+#endif
 #endif
     va_end(ap);

diff -ruN qpopper-2.3.orig/popper.h qpopper-2.3/popper.h
--- qpopper-2.3.orig/popper.h   Mon Mar 31 22:10:18 1997
+++ qpopper-2.3/popper.h        Sat Jun 27 15:33:56 1998
@@ -128,6 +128,7 @@
 #endif

 #ifdef LINUX
+# define HAVE_VSNPRINTF
 # define POP_MAILDIR "/var/spool/mail"
 # define POP_DROP    "/var/spool/mail/.%s.pop"
 # define POP_TMPDROP "/var/spool/mail/tmpXXXXXX"



--
 Miquel van Smoorenburg | Our vision is to speed up time,
    miquels () cistron nl  |   eventually eliminating it.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]