Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit]
From: trott () LIBRARY UCSF EDU (Richard Trott)
Date: Thu, 16 Dec 1999 12:01:41 -0800
Were these buffer overflows and "other uses of '%s'" that were
repaired only in qpopper 3.x? Are those of us running 2.53 not affected?
Or do we need to upgrade?
On Wed, 1 Dec 1999, Qpopper Support wrote:
All reported buffer overruns are fixed in qpopper3.0b22, which is
available at <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/>.
In addition, other uses of '%s' were examined and limits applied to
some which could theoretically cause a crash.
Message-ID: <Pine.LNX.4.10.9911301500310.26891-200000 () terra nebula org>
Date: Tue, 30 Nov 1999 15:25:25 -0500
Reply-To: Lucid Solutions <lucid () TERRA NEBULA ORG>
Sender: Bugtraq List <BUGTRAQ () SECURITYFOCUS COM>
From: Lucid Solutions <lucid () TERRA NEBULA ORG>
Subject: qpop3.0b20 and below - notes and exploit
I found this overflow myself earlier this month. Seems someone
else recently found it before Qualcomm was able to issue a patch. The 2.x
series is not vulnerable because AUTH is not yet supported and the error
returned by attempting to use AUTH does not call pop_msg() with any user
There is also another overflow besides the AUTH overflow which can
occur if a valid username and password are first entered also occurring in
pop_get_subcommand.c contains this line near the bottom in qpopper3.0b20:
"Unknown command: \"%s %s\".",p->pop_command,p->pop_subcommand);