Bugtraq mailing list archives
Re: patch for qpopper remote exploit bug
From: andre () ML EE (Andres Kroonmaa)
Date: Sat, 27 Jun 1998 21:21:13 +0300
On 27 Jun 98, at 3:24, Roy Hooper <rhooper () CORP CYBERUS CA> wrote:
This is a simple case of the author(s) of qpopper not using vsnprintf where they ought to have been. I have confirmed that qpopper-2.41beta1 is indeed vulnerable to a remote exploit due to buffer overrun. I have not actually tested the exploit, but have tested (and fixed) the buffer overrun in the copy of qpopper running here. The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy, as both have the vsnprintf function. This patch is not guaranteed to solve the problem, but appears to do so.

*** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998 --- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998 *************** *** 47,53 **** #endif #ifdef HAVE_VPRINTF ! vsnprintf(msgbuf,sizeof(msgbuf),format,ap); #else
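Review bot: the `vsnprintf(msgbuf,sizeof(msgbuf),format,ap);` line sits under `#ifdef HAVE_VPRINTF`, which tests for vprintf rather than vsnprintf, so a platform that defines HAVE_VPRINTF but lacks vsnprintf will fail to build. Give the call its own feature test (for example a HAVE_VSNPRINTF macro, a suggested name that is not visible in this hunk) and keep a bounded fallback for the other case. The `#else` branch is cut off here, so if it also formats into msgbuf it needs the same bound. The headers also run from qpopper2.41beta1/ on the `***` side, which carries the vsnprintf line, to qpopper2.41beta1-broken/ on the `---` side, so the diff appears to have been generated in reverse and should be regenerated or applied reversed.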
Yeah, but what about systems that do _not_ have vsnprintf()? Using calls without bounds checks can be justified as long as it is made dead sure that no bounds would be ever exceeded. In current case, buffers overflow because qpopper accepts way too long commands. Easiest fix is to limit max command length at safer lower length during call to tgets().

----------------------------------------------------------------------
Andres Kroonmaa mail: andre () online ee
Network Manager
Organization: MicroLink Online Tel: 6308 909
Tallinn, Sakala 19 Pho: +372 6308 909
Estonia, EE0001 http://www.online.ee Fax: +372 6308 901
----------------------------------------------------------------------
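The two fixes discussed in these messages, a bounded vsnprintf into the log buffer and a cap on command length at read time, shown together as an added example (not qpopper code and not from either poster). `read_command`, `format_log`, `MAX_CMD_LEN` and `MSGBUF_LEN` are hypothetical names and values chosen for illustration; qpopper's own tgets() and pop_log.c are not reproduced.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define MAX_CMD_LEN 255  /* assumed limit for this example, not qpopper's */
#define MSGBUF_LEN  64   /* small on purpose so truncation is easy to see */

/* Read one command line into cmd[cmdlen]. Returns its length, -1 if the
 * line exceeded MAX_CMD_LEN (the rest is drained), or -2 on EOF. */
int read_command(FILE *in, char *cmd, size_t cmdlen)
{
    char line[MAX_CMD_LEN + 2];          /* room for '\n' and the NUL */
    size_t len, n;
    int c;
    if (fgets(line, sizeof line, in) == NULL) return -2;
    len = strlen(line);
    if (len == sizeof line - 1 && line[len - 1] != '\n') {
        while ((c = getc(in)) != EOF && c != '\n') { }  /* skip remainder */
        return -1;
    }
    n = strcspn(line, "\r\n");           /* strip the CR/LF terminator */
    if (n >= cmdlen) return -1;
    memcpy(cmd, line, n);
    cmd[n] = '\0';
    return (int)n;
}

/* Bounded formatting into a fixed log buffer; returns 1 if truncated. */
int format_log(char *msgbuf, size_t buflen, const char *format, ...)
{
    va_list ap;
    int n;
    va_start(ap, format);
    n = vsnprintf(msgbuf, buflen, format, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= buflen;
}

int main(void)
{
    char cmd[MAX_CMD_LEN + 1], msg[MSGBUF_LEN];
    int r;
    while ((r = read_command(stdin, cmd, sizeof cmd)) != -2) {
        if (r < 0) { puts("-ERR command too long"); continue; }
        format_log(msg, sizeof msg, "cmd: %s", cmd);
        puts(msg);
    }
    return 0;
}
```

Rejecting the over-long line at read time keeps later unbounded copies within their buffers, while the vsnprintf bound protects the log buffer even when a caller passes more than expected.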