Bugtraq mailing list archives
Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit]
From: z33d () TENET PL (Maurycy Prodeus)
Date: Fri, 17 Dec 1999 13:08:38 -0000
> This bug only affected 3.0 betas.
Bullshit ...;P

In pop_euidl() in file pop_uidl.c (qpop-2.53):

    } else {
        sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
        if (nl = index(buffer, NEWLINE)) *nl = 0;
        sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp));
        return (pop_msg (p,POP_SUCCESS, buffer));    <-- *here*
    }

It looks good, but .... ;P

    pop_msg(POP *p, int stat, const char *format, ...)

So this function needs a format and some other data. Luckily the greatest
Qualcomm qpop changes privs, so we have only gid mail, but if we have a
non-shell account, we can "get" a shell ... Of course it's hard to exploit.
(Probably we must change some ret ... and put there the address of shellcode,
but there are a few problems ... but in general I think it is POSSIBLE :] )

-= SOLUTION =-

I wrote a patch for qpop-2.53 ...

-> cut here <-
--- pop_uidl.c Thu Oct 7 02:02:44 1999
+++ pop_uidl.c Sat Oct 9 20:34:00 1999
@@ -59,7 +59,7 @@
             sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
             if (nl = index(buffer, NEWLINE)) *nl = 0;
-            return (pop_msg (p,POP_SUCCESS, buffer));
+            return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
         }
     } else {
         /* yes, we can do this */
@@ -149,7 +149,7 @@
             sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
             if (nl = index(buffer, NEWLINE)) *nl = 0;
             sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
-            return (pop_msg (p,POP_SUCCESS, buffer));
+            return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
         }
     } else {
         /* yes, we can do this */
-> cut here <-

- Maurycy Prodeus , z33d () tenet pl -

*******************************************************************************
*
*  z33d () tenet pl
*
*  o Whose motorcycle is this?
*  x It's not a motorcycle, it's a Harley ...
*  o Then whose Harley is it?
*  x Zed's ...                                   <-- pulp fiction
*
*******************************************************************************

<--> I wish I was your SYSADM, just call :)
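Review bot: in the first hunk (@@ -59,7 +59,7 @@) the trailing `// patched by z33d` on the `+` line is a C99/C++ comment in a file whose surrounding code uses `/* ... */`; a C89 compiler rejects it, so write `/* patched by z33d */` or drop the comment. The change itself is the right fix: `buffer`, which carries `mp->uidl_str` read from the mailbox, moves from the format position of pop_msg to an argument of the constant `"%s"` format, so any `%` sequences in it are copied to the client instead of being interpreted as directives.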
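Review bot: the second hunk (@@ -149,7 +149,7 @@) has the same `"%s"` correction and the same `//` comment issue as the first, but the unchanged context line directly above the change, `sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));`, still uses `buffer` as both the destination and a `%s` source; sprintf with overlapping source and destination is undefined behaviour in C and only happens to work because of how a given libc copies. Append instead, e.g. `sprintf(buffer + strlen(buffer), " %d %.128s", mp->length, from_hdr(p, mp));`, or assemble into a second buffer. Note also that `%.128s` bounds the From: header while nothing in the hunk bounds `mp->uidl_str`; whether that can exceed `buffer` depends on its declaration, which is outside this hunk.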
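A hardened reconstruction of the pop_euidl() response building that the post quotes, added here as an example; it is not qpopper's code and not the poster's patch. `pop_msg_fixed`, `build_uidl_line`, the 512-byte buffer size, the `long` type of the message length and the sample UIDL and From: values are all constructed stand-ins. It goes beyond the posted patch in two ways, both noted in the comments: the sprintf calls are bounded, and the second half of the line is appended at an offset instead of passing `buffer` as both destination and `%s` source.

```c
/* Added example, not qpopper source: a hardened version of the response
 * building in pop_euidl(). All names and sample values are constructed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NEWLINE '\n'

/* Stand-in for qpopper's pop_msg(POP *p, int stat, const char *format, ...).
 * It is printf-style, so whatever arrives in `format` is parsed for %
 * directives; that is exactly why the caller must never pass data there.
 * The result goes into `out` instead of a socket so tests can inspect it. */
static int pop_msg_fixed(char *out, size_t outsz, const char *format, ...)
{
    va_list ap;
    int n;
    va_start(ap, format);
    n = vsnprintf(out, outsz, format, ap);
    va_end(ap);
    return n;
}

/* Build "<msg_id> <uidl> <length> <from>" the way the patched code intends,
 * with three changes relative to the quoted fragment:
 *  - snprintf with a bound instead of sprintf, since the UIDL has no width
 *    limit in the original and comes from the mailbox;
 *  - the second half is written at buffer + used rather than via
 *    sprintf(buffer, "%s ...", buffer, ...), which overlaps source and
 *    destination and is undefined behaviour;
 *  - the assembled text is handed to pop_msg as a "%s" argument, never as
 *    the format, so a '%' inside a UIDL or From: header is plain data.
 * Returns the length written, or -1 if the line would not fit. */
int build_uidl_line(char *out, size_t outsz, int msg_id, const char *uidl_str,
                    long length, const char *from_hdr)
{
    char buffer[512];                /* assumed size; qpopper's is not shown */
    char *nl;
    int used;

    used = snprintf(buffer, sizeof buffer, "%d %s", msg_id, uidl_str);
    if (used < 0 || (size_t)used >= sizeof buffer)
        return -1;                   /* UIDL too long: refuse, don't truncate */

    /* Same newline cut as the original, index() replaced by strchr(). */
    if ((nl = strchr(buffer, NEWLINE)) != NULL) {
        *nl = '\0';
        used = (int)(nl - buffer);
    }

    if (snprintf(buffer + used, sizeof buffer - (size_t)used, " %ld %.128s",
                 length, from_hdr) >= (int)(sizeof buffer - (size_t)used))
        return -1;

    /* The fix from the patch: constant format, buffer as an argument. */
    return pop_msg_fixed(out, outsz, "%s", buffer);
}

/* Constructed sample: a UIDL carrying format directives and a newline.
 * Returns 1 if the directives survive as literal text. */
int sample_ok(void)
{
    char line[600];
    if (build_uidl_line(line, sizeof line, 7, "0000A%x%n%s\n", 2048,
                        "Alice <alice@example.invalid>") < 0)
        return 0;
    return strcmp(line, "7 0000A%x%n%s 2048 Alice <alice@example.invalid>") == 0;
}

/* An oversized UIDL must be rejected rather than overflow the line buffer. */
int oversize_rejected(void)
{
    char big[700], line[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_uidl_line(line, sizeof line, 1, big, 1, "x") == -1;
}

int main(void)
{
    char line[600];
    if (build_uidl_line(line, sizeof line, 7, "0000A%x%n%s\n", 2048,
                        "Alice <alice@example.invalid>") < 0)
        return 1;
    puts(line);      /* 7 0000A%x%n%s 2048 Alice <alice@example.invalid> */
    return sample_ok() && oversize_rejected() ? 0 : 1;
}
```

The point to take from running it is that the `%x%n%s` in the constructed UIDL comes back verbatim: with a constant `"%s"` format there is nothing for the client-influenced text to steer. The length check is a deliberate policy choice as well; silently truncating a UIDL would hand the client a wrong identifier, so the builder refuses instead.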
Current thread:
- Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Qpopper Support (Dec 01)
- Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Richard Trott (Dec 16)
- Windows NT LSA Remote Denial of Service NAI Labs (Dec 16)
- Re: Windows NT LSA Remote Denial of Service Jordan Ritter (Dec 16)
- <Possible follow-ups>
- Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Qpopper Support (Dec 16)
- Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Maurycy Prodeus (Dec 17)
- Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Olaf Seibert (Dec 20)