Bugtraq mailing list archives
Re: CPSN 4-970424: Possible buffer overflow in pop3d
From: dtscott () SCOTT NET (Derric Scott)
Date: Sun, 27 Apr 1997 22:33:11 -0500
Hello: While I don't profess to be the keeper of BSD POP3d, I have made recent changes and made them available. So.... I took a very quick look and changed that "offending" strcpy to a strncpy. I'll soon put 1.005f up on: ftp://ftp.scott.net/pub/linux/mail HOWEVER: Is this security notice based on an exploit or is it just from examination of the code. My cursory glance indicates that there is no real threat from that strcpy because the length of the input has already been checked before execution reaches this point. Ie: FUNCTION: svr_auth(state,inbuf), has the "offending" line: strcpy(cli_user,inbuf); BUT: svr_auth is called from MAIN with: svr_state = svr_auth(svr_state,cli_buf); where cli_buf is read previously from stdin with: if (fgetl(cli_buf,CLI_BUFSIZ,stdin) == NULL) Now this machine doesn't have a manpage for "fgetl" but, from the arguments, it looks like it will check the length... so is there some OTHER way for the bad guy to get the machine code into the buffer? ALSO, cli_buf is further worked on before that svr_auth call is made - the command is shifted to lower case, it is scanned for a CR and trailing whitespace is removed, etc. which may make it more difficult to put "code" in there. Admittedly I scanned it very quickly, but it does look like the length of the input is checked in "main." Later! Derric
On Sat, 26 Apr 1997, Corinne Posse wrote:************** Corinne Posse Security Notice ************** Issue Number 4-970424 Topic: Possible buffer overflow in pop3d ************** http://corinne.mac.edu/posse ************** *pop3d-1.00.4 (BSD 4.3-based pop3d servers) USER buffer overflow* Affected Sites: Systems running OLD versions of pop3d, namely 1.00.4, based on the "original" BSD 4.3 Virtual VAX pop3d by Katie Stevens. ThisThis code has not been changed as of pop3d-1.005e, which was released January 19, 1997, and thus it still appears to be vulnerable. As far as I know, this is the latest release of the BSD 4.3 based pop3d. George
-- Derric Scott Scott Network Services, Inc. P. O. Box 361353 derric () scott net (205)987-5889 Birmingham, AL 35236
Current thread:
- CPSN 4-970424: Possible buffer overflow in pop3d Corinne Posse (Apr 26)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d George Staikos (Apr 26)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d Derric Scott (Apr 27)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d J. Joseph Max Katz (Apr 28)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d Johannes Erdfelt (Apr 28)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d Derric Scott (Apr 27)
- Overflow in xlock George Staikos (Apr 26)
- Re: Overflow in xlock David Hedley (Apr 27)
- Re: Overflow in xlock Bollinger (Apr 27)
- Re: Overflow in xlock Andrew G. Morgan (Apr 27)
- Thoughts about DNS... Thomas H. Ptacek (Apr 26)
- Re: Thoughts about DNS... Illuminati Primus (Apr 26)
- Re: Thoughts about DNS... Thomas H. Ptacek (Apr 26)
- Re: Thoughts about DNS... Illuminati Primus (Apr 26)
- Re: Thoughts about DNS... Illuminati Primus (Apr 26)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d George Staikos (Apr 26)