
Re: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT


From: miquels () CISTRON NL (Miquel van Smoorenburg)
Date: Sat, 27 Jun 1998 15:46:02 +0200


In article <19980627050419750.AAA323.373@dell166>,
Seth McGann <smm () WPI EDU> wrote:
Its come to my attention that systems around the internet are being
exploited using a new remote overflow in Qualcomm's Popper server.  Well,

Oops! Here's a fix, which also addresses another problem I noticed: a buffer
overflow in X-UIDL header processing (an attacker can compromise an account simply by sending mail to it).

If your OS is not Linux but does provide vsnprintf(), you need to define
HAVE_VSNPRINTF in popper.h yourself; without it the patch only enlarges the
buffers and keeps using the unbounded vsprintf()/sprintf() fallback.

Patch relative to qpopper-2.3, the latest free version:


diff -ruN qpopper-2.3.orig/pop_dropcopy.c qpopper-2.3/pop_dropcopy.c
--- qpopper-2.3.orig/pop_dropcopy.c     Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_dropcopy.c  Sat Jun 27 15:33:07 1998
@@ -462,6 +462,9 @@
                    } else
                        cp = "";

+                   /* Make UIDL not longer then 128 chars, we use it
+                      in sprintf() later on */
+                   if (strlen(cp) >= 128) cp[127] = 0;
                    mp->uidl_str = (char *)strdup(cp);
                    mp->length += nchar + 1;
                    p->drop_size += nchar + 1;
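Review bot: The limit on the added line `if (strlen(cp) >= 128) cp[127] = 0;` is a bare magic number with nothing tying it to the sprintf() buffer it is meant to protect, so resizing that buffer later leaves this guard silently stale. A named constant shared with the consumer keeps the two in step, e.g. `#define UIDL_MAX 128` and `if (strlen(cp) >= UIDL_MAX) cp[UIDL_MAX - 1] = '\0';`. Clipping in place also means two messages whose X-UIDL values differ only after byte 127 get identical uidl_str values, which a client may treat as the same message; if callers tolerate it, replacing an over-long UIDL rather than truncating it avoids that collision. The enclosing function starts and ends outside this hunk, so where cp points cannot be fully confirmed from here; the `cp = "";` branch above is safe only because strlen("") is 0 and no write happens.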
diff -ruN qpopper-2.3.orig/pop_log.c qpopper-2.3/pop_log.c
--- qpopper-2.3.orig/pop_log.c  Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_log.c       Sat Jun 27 15:33:07 1998
@@ -18,7 +18,11 @@
  *  log:    Make a log entry
  */

+#ifdef HAVE_VSNPRINTF
 static char msgbuf[MAXLINELEN];
+#else
+static char msgbuf[MAXLINELEN*4];
+#endif

 pop_log(va_alist)
 va_dcl
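Review bot: On platforms without HAVE_VSNPRINTF the new `static char msgbuf[MAXLINELEN*4];` only makes the overflow four times harder to reach; the vsprintf() call further down still writes an unbounded, partly attacker-influenced message into it, so this is mitigation rather than a fix. A bounded fallback (a small vsnprintf() emulation, or pre-truncating each `%s` argument to MAXLINELEN before formatting) would remove the dependence on the message happening to fit. At minimum the larger buffer deserves a comment saying so, e.g. `/* NOTE: without vsnprintf() this is only a larger target, not a bound */`. pop_log's body continues past this hunk.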
@@ -46,6 +50,9 @@
     arg6 = va_arg(ap, char *);
 #endif

+#ifdef HAVE_VSNPRINTF
+        vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
+#else
 #ifdef HAVE_VSPRINTF
         vsprintf(msgbuf,format,ap);
 #else
@@ -57,6 +64,7 @@
 # endif
     va_end(ap);
 #endif
+#endif

     if (p->debug && p->trace) {
        clock = time(0);
@@ -67,6 +75,8 @@
         (void)fflush(p->trace);
     }
     else {
+       /* Protect syslog from too long messages */
+       if (strlen(msgbuf) >= 512) msgbuf[511] = 0;
         syslog (stat,"%s",msgbuf);
     }

diff -ruN qpopper-2.3.orig/pop_msg.c qpopper-2.3/pop_msg.c
--- qpopper-2.3.orig/pop_msg.c  Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_msg.c       Sat Jun 27 15:33:07 1998
@@ -34,7 +34,11 @@
 #ifdef PYRAMID
     char           *   arg1, *arg2, *arg3, *arg4, *arg5, *arg6;
 #endif
+#ifdef HAVE_VSNPRINTF
     char                message[MAXLINELEN];
+#else
+    char                message[MAXLINELEN * 4];
+#endif

     va_start(ap);
     p = va_arg(ap, POP *);
@@ -63,6 +67,9 @@

     /*  Append the message (formatted, if necessary) */
     if (format)
+#ifdef HAVE_VSNPRINTF
+        vsnprintf(mp,sizeof(message) - strlen(mp) - 1, format,ap);
+#else
 #ifdef HAVE_VSPRINTF
         vsprintf(mp,format,ap);
 #else
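Review bot: The remaining-space argument on the added line `vsnprintf(mp,sizeof(message) - strlen(mp) - 1, format,ap);` is computed from strlen(mp) rather than from how far mp already sits into message; if mp points just past a status prefix written into message earlier in the function (the preceding code is outside this hunk, so this is inferred from the name and the "Append the message" comment), `*mp` is either '\0' or not yet initialised, so strlen(mp) is 0 or undefined and the bound is too large by the prefix length, letting the formatted text run a few bytes past the end of message. Derive the bound from the pointer offset instead: `vsnprintf(mp, sizeof(message) - (size_t)(mp - message), format, ap);` (vsnprintf reserves the terminator itself, so the extra `- 1` is unnecessary). The HAVE_VSPRINTF branch below remains unbounded, so the larger automatic array in the earlier hunk is only a mitigation for a stack overflow there. pop_msg's body starts and ends outside this hunk.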
@@ -72,6 +79,7 @@
         (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
                 ((int *)ap)[3],((int *)ap)[4]);
 # endif
+#endif
 #endif
     va_end(ap);

diff -ruN qpopper-2.3.orig/popper.h qpopper-2.3/popper.h
--- qpopper-2.3.orig/popper.h   Mon Mar 31 22:10:18 1997
+++ qpopper-2.3/popper.h        Sat Jun 27 15:33:56 1998
@@ -128,6 +128,7 @@
 #endif

 #ifdef LINUX
+# define HAVE_VSNPRINTF
 # define POP_MAILDIR "/var/spool/mail"
 # define POP_DROP    "/var/spool/mail/.%s.pop"
 # define POP_TMPDROP "/var/spool/mail/tmpXXXXXX"
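Review bot: The new `# define HAVE_VSNPRINTF` takes effect only inside `#ifdef LINUX`, so every other platform silently stays on the unbounded vsprintf()/sprintf() path with merely a larger buffer, and nothing in the build makes that visible. Consider defining it for any other platform block whose libc is known to provide vsnprintf(), or, where the compiler supports it, adding `#warning HAVE_VSNPRINTF not defined: log/message formatting is unbounded` in the fallback branch so the weaker configuration shows up at compile time. The enclosing #ifdef chain extends beyond this hunk.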



--
 Miquel van Smoorenburg | Our vision is to speed up time,
    miquels () cistron nl  |   eventually eliminating it.


