Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
From: KF <dotslash () snosoft com>
Date: Tue, 05 Jun 2001 21:42:37 -0400

Heres the first post on this issue that I saw ... I worked to exploit it
but it actualy did truncate the string somehow... This was on a version
prior to 4.0.2 I believe... I had the same result as Optium, I was
unable to write past the edx register... the logs for syslog as I recall
stated the string was too long and that it was truncated down to a
certain length. Perhaps Optium has more input?


                    Qpopper 4.0 Buffer Overflow
                    Fri Apr 20 2001 03:15:29
                    Optium < shatan () ihug co nz >
                    <20010420031529.5352.qmail () securityfocus com>

Recently I came across a buffer overflow in qpop4.0.
The overflow occures when the input for the 
command "user" is above  63 chars long. I was not
able to overflow beyond the edx due to what seems 
like char filtering beyond a curtain point (being 64).

example :
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.


Florian Weimer wrote:

Roman Drahtmueller <draht () suse de> writes:

We hope that this information is accurate. Version 4.0.2 is not on the ftp
server any more, and there is no patch from 4.0.2 to 4.0.3.
We currently feel handicapped in our efforts to check the code for the
changes wrt the buffer overflow.

Fortunately, there are mirrors.  The problem is that 4.0.2 discovered
the buffer overflow attempt, even logged it via syslog(), but failed
to actually truncate the string and copied the original one to a
buffer of bounded length.

However, I agree that removing the previous version and not providing
a diff is extremely counterproductive.

Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]