Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: More problems with QPOPPER - <sigh>
From: bruno () OPENLINE COM BR (Bruno Lopes F. Cabral)
Date: Mon, 29 Jun 1998 08:50:00 -0300


Hi there

After applying all the patches with exception of the PAM patch in the
.RPM'd version of qpopper2.4.src, I have located yet another hole in qpopper.

This popper was compiled with -DAUTH in the makefile.
[examples snipped]
Then, I decided to try a VALID username:

[OverKill]:/$ telnet localhost pop3
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 2.4) at Victim.Com starting.
user valid
+OK Password required for valid.
pass [long line of X truncated]
Connection closed by foreign host.

It segfaulted and dumped core.

seems the pam patches protect this, because here (I use pam) it didn't work

$ telnet poor.victim.com 110
Trying poor.victim.ip.address...
Connected to poor.victim.com.
Escape character is '^]'.
+OK QPOP (version 2.4) at poor.victim.com starting.
user valid
+OK Password required for valid.
pass [long line of X striped]
-ERR Password supplied for "valid" is incorrect.
+OK Pop server at poor.victim.com signing off.
Connection closed by foreign host.

and the attempt was logged (although not different from a "normal" one)

Jun 29 08:42:29 poor in.qpopper[4612]: valid () poor victom com: -ERR Password supplied for "poor" is incorrect.
Jun 29 08:42:29 poor in.qpopper[4612]: Failed attempted login to poor from host poor.victim.com

Looks like basically that if the parser sees that the command was actually
a password argument, it doesn't send it through the truncate code.

I didn't looked into but I suspect the PAM patches change the default
of -DAUTH. BTW qpopper development seems halted. does any of you
contacted quallcom about these problems?

!3runo



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]