Bugtraq mailing list archives

Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit]

From: z33d () TENET PL (Maurycy Prodeus)
Date: Fri, 17 Dec 1999 13:08:38 -0000

These bug only affected 3.0 betas.

Bullshit ...;P
In pop_euidl() in file pop_uidl.c (qpop-2.53) :

    } else {

        sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
        if (nl = index(buffer, NEWLINE)) *nl = 0;
        sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp));
        return (pop_msg (p,POP_SUCCESS, buffer)); <-- *here*
      }

It looks good , but .... ;P

pop_msg(POP *p, int stat, const char *format,...)

So this function need format and some other data.
Luckly for the greatest Qualcomm qpop changes privs so we have only gid mail ,
but if we have a non-shell account , we can "get" a shell ...
Ofcourse it's hard to exploit . ( probably we must change some ret ...and put
there address of shellcode but there is a few problems ... but general i think
it is POSSIBLE :] )

-= SOLUTION =-

I wrote patch on qpop-2.53 ...

-> cut here <-

--- pop_uidl.c  Thu Oct  7 02:02:44 1999
+++ pop_uidl.c  Sat Oct  9 20:34:00 1999
@@ -59,7 +59,7 @@

         sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
         if (nl = index(buffer, NEWLINE)) *nl = 0;
-       return (pop_msg (p,POP_SUCCESS, buffer));
+       return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
       }
     } else {
         /* yes, we can do this */
@@ -149,7 +149,7 @@
         sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
         if (nl = index(buffer, NEWLINE)) *nl = 0;
         sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
-       return (pop_msg (p,POP_SUCCESS, buffer));
+       return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
       }
     } else {
         /* yes, we can do this */

-> cut here <-

- Maurycy Prodeus , z33d () tenet pl -
*******************************************************************************
*
* z33d () tenet pl
*
* o Czyj to motor ?
* x To nie motor to Harley ...
* o Wiec czyj to Harley ?
* x Zeda ...
* <-- pulp fiction
*
*******************************************************************************
<--> I wish I was your SYSADM , just call :)

Current thread:

Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Qpopper Support (Dec 01)
- Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Richard Trott (Dec 16)
- Windows NT LSA Remote Denial of Service NAI Labs (Dec 16)
  - Re: Windows NT LSA Remote Denial of Service Jordan Ritter (Dec 16)
- <Possible follow-ups>
- Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Qpopper Support (Dec 16)
- Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Maurycy Prodeus (Dec 17)
  - Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit] Olaf Seibert (Dec 20)