Home page logo

bugtraq logo Bugtraq mailing list archives

Re: patch for qpopper remote exploit bug
From: andre () ML EE (Andres Kroonmaa)
Date: Sat, 27 Jun 1998 21:21:13 +0300

On 27 Jun 98, at 3:24, Roy Hooper <rhooper () CORP CYBERUS CA> wrote:

This is a simple case of the author(s) of qpopper not using vsnprintf where
they aught to have been.  I have confirmed that qpopper-2.41beta1 is indeed
vulnerable to a remote exploit due to buffer overrun.  I have not actually
tested the exploit, but have tested (and fixed) the buffer overrun in the
copy of qpopper running here.

The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy,
as both have the vsnprintf function.  This patch is not guaranteed to solve
the problem, but appears to do so.

*** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998
--- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998
*** 47,53 ****

!         vsnprintf(msgbuf,sizeof(msgbuf),format,ap);

 Yeah, but what about systems that do _not_ have vsnprintf()?
 Using calls without bounds checks can be justified as long
 as it is made dead sure that no bounds would be ever exceeded.

 In current case, buffers overflow because qpopper accepts
 way too long commands. Easiest fix is to limit max command
 length at safer lower length during call to tgets()

 Andres Kroonmaa                                mail: andre () online ee
 Network Manager
 Organization:            MicroLink Online       Tel:        6308 909
 Tallinn, Sakala 19                              Pho:  +372  6308 909
 Estonia, EE0001        http://www.online.ee     Fax:  +372  6308 901

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]