Bugtraq mailing list archives
Re: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT
From: miquels () CISTRON NL (Miquel van Smoorenburg)
Date: Sat, 27 Jun 1998 15:46:02 +0200
In article <19980627050419750.AAA323.373@dell166>, Seth McGann <smm () WPI EDU> wrote:
> It's come to my attention that systems around the internet are being exploited using a new remote overflow in Qualcomm's Popper server. Well,
Oops! Here's a fix, that also fixes another thing I noted: buffer overflow in X-UIDL processing (compromise an account by sending mail to it ..) You need to put "HAVE_VSNPRINTF" in popper.h yourself if your O/S is not Linux and it supports vsnprintf() Patch relative to qpopper-2.3, the latest free version: diff -ruN qpopper-2.3.orig/pop_dropcopy.c qpopper-2.3/pop_dropcopy.c --- qpopper-2.3.orig/pop_dropcopy.c Sat Mar 29 05:30:36 1997 +++ qpopper-2.3/pop_dropcopy.c Sat Jun 27 15:33:07 1998 @@ -462,6 +462,9 @@ } else cp = ""; + /* Make UIDL not longer then 128 chars, we use it + in sprintf() later on */ + if (strlen(cp) >= 128) cp[127] = 0; mp->uidl_str = (char *)strdup(cp); mp->length += nchar + 1; p->drop_size += nchar + 1; diff -ruN qpopper-2.3.orig/pop_log.c qpopper-2.3/pop_log.c --- qpopper-2.3.orig/pop_log.c Sat Mar 29 05:30:36 1997 +++ qpopper-2.3/pop_log.c Sat Jun 27 15:33:07 1998 @@ -18,7 +18,11 @@ * log: Make a log entry */ +#ifdef HAVE_VSNPRINTF static char msgbuf[MAXLINELEN]; +#else +static char msgbuf[MAXLINELEN*4]; +#endif pop_log(va_alist) va_dcl @@ -46,6 +50,9 @@ arg6 = va_arg(ap, char *); #endif +#ifdef HAVE_VSNPRINTF + vsnprintf(msgbuf,sizeof(msgbuf),format,ap); +#else #ifdef HAVE_VSPRINTF vsprintf(msgbuf,format,ap); #else @@ -57,6 +64,7 @@ # endif va_end(ap); #endif +#endif if (p->debug && p->trace) { clock = time(0); @@ -67,6 +75,8 @@ (void)fflush(p->trace); } else { + /* Protect syslog from too long messages */ + if (strlen(msgbuf) >= 512) msgbuf[511] = 0; syslog (stat,"%s",msgbuf); } diff -ruN qpopper-2.3.orig/pop_msg.c qpopper-2.3/pop_msg.c --- qpopper-2.3.orig/pop_msg.c Sat Mar 29 05:30:36 1997 +++ qpopper-2.3/pop_msg.c Sat Jun 27 15:33:07 1998 @@ -34,7 +34,11 @@ #ifdef PYRAMID char * arg1, *arg2, *arg3, *arg4, *arg5, *arg6; #endif +#ifdef HAVE_VSNPRINTF char message[MAXLINELEN]; +#else + char message[MAXLINELEN * 4]; +#endif va_start(ap); p = va_arg(ap, POP *); 
@@ -63,6 +67,9 @@ /* Append the message (formatted, if necessary) */ if (format) +#ifdef HAVE_VSNPRINTF + vsnprintf(mp,sizeof(message) - strlen(mp) - 1, format,ap); +#else #ifdef HAVE_VSPRINTF vsprintf(mp,format,ap); #else @@ -72,6 +79,7 @@ (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2], ((int *)ap)[3],((int *)ap)[4]); # endif +#endif #endif va_end(ap); diff -ruN qpopper-2.3.orig/popper.h qpopper-2.3/popper.h --- qpopper-2.3.orig/popper.h Mon Mar 31 22:10:18 1997 +++ qpopper-2.3/popper.h Sat Jun 27 15:33:56 1998 @@ -128,6 +128,7 @@ #endif #ifdef LINUX +# define HAVE_VSNPRINTF # define POP_MAILDIR "/var/spool/mail" # define POP_DROP "/var/spool/mail/.%s.pop" # define POP_TMPDROP "/var/spool/mail/tmpXXXXXX" -- Miquel van Smoorenburg | Our vision is to speed up time, miquels () cistron nl | eventually eliminating it.
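Review bot: the cap in the pop_dropcopy.c hunk is a bare magic number; `128` has to match the destination buffer of the later sprintf() the comment refers to, so define the limit once (for example `#define UIDL_MAXLEN 128` next to that buffer) and use it in both places, otherwise a later resize of one side silently reintroduces the overflow. The comment should also read "not longer than 128 chars", and it is worth stating there that the UIDL is truncated rather than rejected, since truncation can make two distinct UIDLs collide.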
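Review bot: in the first pop_log.c hunk, quadrupling msgbuf to MAXLINELEN*4 on systems without vsnprintf() only raises the bar; vsprintf() still writes unbounded, so the overflow remains reachable on those builds. If vsnprintf() is unavailable, the fallback should bound the inputs before formatting (or ship a vsnprintf() replacement) rather than rely on a larger buffer, and the comment should say that the larger size is a mitigation, not a fix.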
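Review bot: in the second pop_log.c hunk the new HAVE_VSNPRINTF branch falls through to the common code without a va_end(ap); in the visible lines va_end(ap) appears only inside the non-vsprintf #else branch, so unless the elided lines provide one for the vsprintf path too, the vsnprintf path never ends the va_list started by va_start. Add `va_end(ap);` after the vsnprintf() call, or move a single va_end() below the whole #ifdef chain as pop_msg.c does.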
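Review bot: the syslog truncation in the last pop_log.c hunk hard-codes 512 with no connection to MAXLINELEN or to the syslog implementation's line limit; give it a named constant and a comment on where the limit comes from. Note also that with HAVE_VSNPRINTF defined msgbuf is already bounded to MAXLINELEN, so this check only does anything when MAXLINELEN exceeds 512 or on the vsprintf path; a comment saying so would help the next reader.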
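Review bot: the size argument in the second pop_msg.c hunk is wrong: `sizeof(message) - strlen(mp) - 1` uses strlen(mp), which is the length of whatever string already starts at mp, not the number of bytes of message consumed before mp. If mp points just past an already written prefix, strlen(mp) is 0 and vsnprintf() is allowed to write sizeof(message) - 1 bytes starting at mp, overrunning message by the length of that prefix. The remaining space is the offset, so use `vsnprintf(mp, sizeof(message) - (mp - message), format, ap);`.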
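Review bot: the popper.h hunk defines HAVE_VSNPRINTF only under #ifdef LINUX, while the message body tells other platforms to add it by hand; put that instruction into popper.h as a comment next to the define (and ideally add it to the other platform blocks known to have vsnprintf()), otherwise builds on those systems silently fall back to the unbounded vsprintf() path.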