Bugtraq mailing list archives
Re: patch for qpopper remote exploit bug
From: lusky () EARTH VOYAGERONLINE NET (Jon Lusky)
Date: Sat, 27 Jun 1998 19:41:46 -0400
Andres Kroonmaa writes:
Yeah, but what about systems that do _not_ have vsnprintf()? Using calls without bounds checks can be justified as long as it is made dead sure that no bounds would be ever exceeded. In current case, buffers overflow because qpopper accepts way too long commands. Easiest fix is to limit max command length at safer lower length during call to tgets()
Here is what I am using... I changed the length passed to tgets,
and put some logging code in myfgets().
*** ../qpopper2.41beta1/popper.c Wed Nov 19 16:20:38 1997
--- popper.c Fri Jun 26 00:05:57 1998
***************
*** 46,51 ****
--- 46,61 ----
char * strerror();
#endif
+ #if HAVE_SYS_NETINET_IN_H
+ # include <sys/netinet/in.h>
+ #endif
+ #if HAVE_NETINET_IN_H
+ # include <netinet/in.h>
+ #endif
+
+ #include <netdb.h>
+ #include <arpa/inet.h>
+
extern state_table * pop_get_command();
int hangup = FALSE ;
int catchSIGHUP();
***************
*** 55,60 ****
--- 65,72 ----
FILE *debuglog;
+ #define MAXINPUTLEN 80
+
/*
* popper: Handle a Post Office Protocol version 3 session
*/
***************
*** 123,129 ****
pop_msg(&p, POP_FAILURE,"POP mailbox restoration failed.",p.myhost);
#endif
p.CurrentState = error;
! } else if (tgets(message,MAXLINELEN,p.input,pop_timeout) == NULL) {
if (poptimeout) {
if (p.xmitting) pop_xmit_clean(&p);
pop_msg(&p,POP_FAILURE,"POP timeout",p.myhost);
--- 135,141 ----
pop_msg(&p, POP_FAILURE,"POP mailbox restoration failed.",p.myhost);
#endif
p.CurrentState = error;
! } else if (tgets(message,MAXINPUTLEN,p.input,pop_timeout) == NULL) {
if (poptimeout) {
if (p.xmitting) pop_xmit_clean(&p);
pop_msg(&p,POP_FAILURE,"POP timeout",p.myhost);
***************
*** 196,202 ****
--- 208,219 ----
char ch;
int nbytes;
int found_nl = 0;
+ char msgbuf[500];
+ struct sockaddr_in cs;
+ int sp = 0;
+ int len;
+
cp = str;
while (--size > 0) {
***************
*** 210,216 ****
}
++cp;
}
!
if ((nbytes <= 0) || (cp == str)) {
return(NULL);
} else {
--- 227,240 ----
}
++cp;
}
! if (size == 0) {
! len = sizeof(cs);
! if (getpeername(sp,(struct sockaddr *)&cs,&len) < 0){
! exit(1);
! }
! sprintf(msgbuf,"LONG POPPER COMMAND from %s - %s (truncated)",strdup(inet_ntoa(cs.sin_addr)),str);
! syslog(LOG_ALERT,"%s",msgbuf);
! }
if ((nbytes <= 0) || (cp == str)) {
return(NULL);
} else {
--
Jonathan R. Lusky | Voyager Online LLC
Senior Network Engineer | (423) 209-2929 / (800) 864-0442
lusky () vol com | Nationwide 64K Dialup ISDN $26.95/mo
http://www.hotrod.com | http://www.vol.com
Current thread:
- !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT Seth McGann (Jun 26)
- Re: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT Theo de Raadt (Jun 27)
- patch for qpopper remote exploit bug Roy Hooper (Jun 27)
- Re: patch for qpopper remote exploit bug Andres Kroonmaa (Jun 27)
- Re: patch for qpopper remote exploit bug Theo de Raadt (Jun 27)
- Re: patch for qpopper remote exploit bug Jon Lusky (Jun 27)
- Re: patch for qpopper remote exploit bug Benjamin J Stassart (Jun 27)
- Users can view script source from Win WebServers Aleph One (Jun 27)
- Re: patch for qpopper remote exploit bug Andres Kroonmaa (Jun 27)
- Re: QPOPPER problem.... ONE crude patch... Tom Brown (Jun 27)
- Re: QPOPPER problem.... ONE crude patch... Daniel Ryde (Jun 27)
- Re: QPOPPER problem.... ONE crude patch... Marco S Hyman (Jun 27)
- Re: QPOPPER problem.... Jason Ackley (Jun 27)
- Re: QPOPPER problem.... Bruno Lopes F. Cabral (Jun 27)
- patch: qpopper (plugs another hole too) Miquel van Smoorenburg (Jun 27)
- Re: QPOPPER problem.... Marco S Hyman (Jun 27)
- Re: QPOPPER problem.... Bruno Lopes F. Cabral (Jun 27)
- Re: QPOPPER problem.... ONE crude patch... Daniel Ryde (Jun 27)