Bugtraq mailing list archives

Re: patch for qpopper remote exploit bug
From: dszd0g () dasb fhda edu (Benjamin J Stassart)
Date: Sat, 27 Jun 1998 18:34:12 -0700


Date: Sat, 27 Jun 1998 21:21:13 +0300
From: Andres Kroonmaa <andre () ML EE>
To: BUGTRAQ () NETSPACE ORG
Subject: Re: patch for qpopper remote exploit bug

On 27 Jun 98, at 3:24, Roy Hooper <rhooper () CORP CYBERUS CA> wrote:

This is a simple case of the author(s) of qpopper not using vsnprintf where
they ought to have been.  I have confirmed that qpopper-2.41beta1 is indeed
vulnerable to a remote exploit due to buffer overrun.  I have not actually
tested the exploit, but have tested (and fixed) the buffer overrun in the
copy of qpopper running here.

 Yeah, but what about systems that do _not_ have vsnprintf()?
 Using calls without bounds checks can be justified as long
 as it is made dead sure that no bounds would be ever exceeded.

Digital Unix 3.2G does not seem to have either vsnprintf or snprintf.
However, qpopper under Digital Unix 3.2G does not seem to show the
vulnerability as discussed on this list even though it contains the
vulnerable code.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <32482.898994635 () machine>
-ERR Unknown command:
"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeee".
+OK Pop server at machine signing off.

And I get a log with that message.

Since I do not trust that there is not another way to exploit it, I
decided to rewrite it anyway until a patch from Qualcomm becomes
available.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <29494.898995337 () machine>
-ERR String too long
+OK Pop server at machine signing off.

It is a really ugly patch that replaces vsprintf with vfprintf and outputs
to a file and then reads in from that file.

*** pop_msg.c   Sat Jun 27 17:53:55 1998
- --- pop_msg.c.orig    Sat Jun 27 14:01:49 1998
***************
*** 35,43 ****
  #endif
      char                message[MAXLINELEN];

- -     FILE* vprint_file;
- -     char vprint_temp[101];
- -
      va_start(ap);
      p = va_arg(ap, POP *);
      stat = va_arg(ap, int);
- --- 35,40 ----
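Review bot: this context diff is reversed: the `***` side is the modified pop_msg.c (17:53) and the `---` side is pop_msg.c.orig, so the `-` lines in this hunk are actually the additions and the file only applies with `patch -R`; regenerate it as `diff -c pop_msg.c.orig pop_msg.c` so it applies the normal way. Because the message is PGP-signed, every line beginning with `-` also arrives dash-escaped as `- -` (e.g. `- -     FILE* vprint_file;`), which must be stripped before feeding the text to `patch`. The declaration `char vprint_temp[101];` does match the `%100s` conversions used later (100 bytes plus the terminator).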
***************
*** 66,86 ****
      /*  Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!         vprint_file = tmpfile();
!         vfprintf(vprint_file,format,ap);
!         rewind(vprint_file);
!         fscanf(vprint_file, "%100s", mp);
!         while(fscanf(vprint_file, "%100s", vprint_temp) != EOF)
!         {
!            if (strlen(mp) + strlen(vprint_temp) + 4 > MAXLINELEN)
!            {
!               strcpy(mp, "String too long");
!               break;
!            }
!
!          strcat(mp, " ");
!            strcat(mp, vprint_temp);
!         }
  #else
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
- --- 63,69 ----
      /*  Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!         vsprintf(mp,format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
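Review bot: the new body after `if (format)` is a run of statements without braces, so only `vprint_file = tmpfile();` is conditional and `vfprintf(vprint_file,format,ap);` executes even when format is NULL, which the original single statement `vsprintf(mp,format,ap);` did not; wrap the whole replacement in `{ ... }`. The `tmpfile()` result is never checked for NULL and the stream is never `fclose()`d, so each reply leaks an open temporary file in a long-running server. Reading the output back with `%100s` also rewrites the text: all whitespace runs collapse to single spaces and any token over 100 bytes is split, and if the formatted output is empty the first `fscanf` leaves mp untouched so `strlen(mp)` reads whatever was already there. The bound `strlen(mp) + strlen(vprint_temp) + 4 > MAXLINELEN` is measured from mp, not from the start of `message[MAXLINELEN]`; the `-ERR ` status text shown in the output earlier in the post is written ahead of mp, so the check should use the space remaining after mp rather than the full buffer size. Minor: `strcat(mp, " ");` is indented two columns short of its neighbours.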
***************
*** 90,96 ****
  # endif
  #endif
      va_end(ap);
!
      /*  Log the message if debugging is turned on */
  #ifdef DEBUG
      if (p->debug && stat == POP_SUCCESS)
- --- 73,79 ----
  # endif
  #endif
      va_end(ap);
!
      /*  Log the message if debugging is turned on */
  #ifdef DEBUG
      if (p->debug && stat == POP_SUCCESS)
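Review bot: this hunk changes nothing but whitespace on one blank line (the `!` line on both sides carries no visible text); drop it from the patch, or regenerate the diff with `-b`, so reviewers and `patch` do not process a no-op.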

*** pop_log.c   Sat Jun 27 17:54:09 1998
- --- pop_log.c.orig    Sat Jun 27 17:10:10 1998
***************
*** 33,41 ****
      char    *   date_time;
      time_t    clock;

- -     FILE* vprint_file;
- -     char vprint_temp[101];
- -
      va_start(ap);
      p = va_arg(ap,POP *);
      stat = va_arg(ap,int);
- --- 33,38 ----
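Review bot: the same `vprint_file` / `vprint_temp` pair is declared here as in pop_msg.c and the same read-back loop follows in the next hunk; rather than duplicating the workaround in both files, put it in one helper (a bounded vformat into a caller-supplied buffer of known size) and call it from both pop_msg() and pop_log(). As with pop_msg.c, this diff is reversed (`***` is the modified file, `---` is the .orig) and only applies with `patch -R`.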
***************
*** 50,70 ****
  #endif

  #ifdef HAVE_VPRINTF
!         vprint_file = tmpfile();
!         vfprintf(vprint_file,format,ap);
!         rewind(vprint_file);
!         fscanf(vprint_file, "%100s", msgbuf);
!         while(fscanf(vprint_file, "%100s", vprint_temp) != EOF)
!         {
!            if (strlen(msgbuf) + strlen(vprint_temp) + 4 > MAXLINELEN)
!            {
!               strcpy(msgbuf, "String too long");
!               break;
!            }
!
!            strcat(msgbuf, " ");
!            strcat(msgbuf, vprint_temp);
!         }
  #else
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
- --- 47,53 ----
  #endif

  #ifdef HAVE_VPRINTF
!         vsprintf(msgbuf,format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
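Review bot: this loop carries the same defects as the pop_msg.c version: `tmpfile()` unchecked and never closed, `%100s` reads that collapse whitespace in logged lines and split tokens longer than 100 bytes, and `strlen(msgbuf)` on an uninitialized buffer when the formatted output is empty and the first `fscanf` hits EOF (set `msgbuf[0] = '\0'` before reading). The `> MAXLINELEN` bound also assumes msgbuf is exactly MAXLINELEN bytes, which this hunk does not show; compare against `sizeof(msgbuf)` instead of repeating the constant.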

And I also applied the UIDL patch given on this mailing list earlier today.

Benjamin J. Stassart
-------------------------------------------------+
A great many people think they are thinking    |
when they are merely rearranging their         |
prejudices                                     |
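An added example, not the posted patch or Qualcomm's code: the same temp-file approach done with the checks a reviewer would ask for (tmpfile() checked and closed, raw bytes copied instead of %100s tokens, bound computed from the space left after the status prefix). The function names, the small MAXLINELEN value, and the reply format strings are assumptions for this demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXLINELEN 64  /* assumed small so the bound is easy to exercise */

/* Temp-file formatting as in the post, but tmpfile() is checked and closed,
 * raw bytes are copied, and the bound is the space left in dst. 0 or -1. */
static int bounded_vformat(char *dst, size_t dstlen, const char *fmt, va_list ap)
{
    FILE *tmp = tmpfile();
    size_t n; int truncated;
    if (tmp == NULL || dstlen == 0)
        return -1;
    vfprintf(tmp, fmt, ap);
    rewind(tmp);
    n = fread(dst, 1, dstlen - 1, tmp);  /* never more than fits + NUL */
    dst[n] = '\0';                       /* empty output is handled too */
    truncated = (fgetc(tmp) != EOF);     /* anything left over = too long */
    fclose(tmp);                         /* no descriptor leak per reply */
    if (truncated) {
        strncpy(dst, "String too long", dstlen - 1);
        dst[dstlen - 1] = '\0';
    }
    return truncated ? -1 : 0;
}

/* Build "+OK text" / "-ERR text" in message[MAXLINELEN]; the formatted
 * part is bounded by what remains after the status prefix (assumed form). */
int build_pop_reply(char *message, int ok, const char *fmt, ...)
{
    va_list ap; size_t used; int rc;
    strcpy(message, ok ? "+OK " : "-ERR ");
    used = strlen(message);
    va_start(ap, fmt);
    rc = bounded_vformat(message + used, MAXLINELEN - used, fmt, ap);
    va_end(ap);
    return rc;
}

/* Replays the 2000-byte command from the post; 1 if the reply is bounded. */
int demo_long_command(void)
{
    char cmd[2001], reply[MAXLINELEN];
    memset(cmd, 'e', 2000);
    cmd[2000] = '\0';
    return build_pop_reply(reply, 0, "Unknown command: \"%s\"", cmd) == -1
        && strcmp(reply, "-ERR String too long") == 0;
}
```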

