Bugtraq mailing list archives

qpop3.0b20 and below - notes and exploit


From: lucid () TERRA NEBULA ORG (Lucid Solutions)
Date: Tue, 30 Nov 1999 15:25:25 -0500


        I found this overflow myself earlier this month.  Seems someone
else recently found it before Qualcomm was able to issue a patch. The 2.x
series is not vulnerable because AUTH is not yet supported and the error
returned by attempting to use AUTH does not call pop_msg() with any user
input.

        There is also another overflow, besides the AUTH overflow, which can
occur if a valid username and password are first entered; it also occurs in
pop_msg().
pop_get_subcommand.c contains this line near the bottom in qpopper3.0b20:
    pop_msg(p,POP_FAILURE,
            "Unknown command: \"%s %s\".",p->pop_command,p->pop_subcommand);

No bounds checking is done on the attempted subcommand.  It is
interesting to note that in qpop 2.53, a similar line is used, but with
limits on the string length!
    pop_msg(p,POP_FAILURE,
            "Unknown command: \"%.128s %.128s\".",p->pop_command,
                p->pop_subcommand);

I guess Qualcomm did not continue development of Qpopper directly from the
2.53 series, but rewrote code from scratch and/or based it on earlier
code.

As a solution, pop_msg() should also do bounds checking, and not make the
calling line responsible for it (although that's good practice too).

Attached is my original exploit that works on *BSD and Linux.  (Solaris is
NOT vulnerable to the AUTH overflow).  Slight modification is needed on
one line as the comments say.  This exploit will actually work on the
majority of machines then.  Qualcomm: you have already received my working
exploit with no modification needed.

Let's hope for an official patch soon.

                                                - sk8 () lucid-solutions com
                                                http://www.lucid-solutions.com
                                                

Attachment (text/plain): q3combo-public.c
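The fix the post argues for is that the message routine itself bounds the output, so a caller's unbounded "%s" can never write past the reply buffer. The following C is an added illustration of that defensive pattern, written for this page; it is not qpopper's pop_msg() and not the poster's attachment. The buffer size, function names and the sample command strings are assumptions constructed for the example: formatting goes through vsnprintf into a fixed-size buffer, the result is always NUL-terminated, and the caller learns whether truncation happened.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Reply buffer size used by this added example (a constructed value, not qpopper's). */
#define REPLY_BUF_SIZE 256

/* Bounded message formatter: formats into a fixed-size buffer with vsnprintf,
 * always NUL-terminates, and reports whether the message had to be truncated.
 * Returns the number of bytes actually stored (excluding the NUL). */
size_t safe_reply_format(char *out, size_t out_size, int *truncated, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(out, out_size, fmt, ap);   /* never writes more than out_size bytes */
    va_end(ap);

    if (needed < 0) {             /* encoding error: leave an empty, terminated reply */
        out[0] = '\0';
        *truncated = 0;
        return 0;
    }
    /* vsnprintf returns the length the full message would have had; if that does
     * not fit, the stored copy was cut short and the caller is told so. */
    *truncated = ((size_t)needed >= out_size);
    return strlen(out);
}

/* Builds the "Unknown command" reply the way a bounds-checked pop_msg() would:
 * the caller still passes a plain "%s", but the length of the client-supplied
 * subcommand cannot affect how much is written. */
size_t unknown_command_reply(char *out, size_t out_size, int *truncated,
                             const char *command, const char *subcommand)
{
    return safe_reply_format(out, out_size, truncated,
                             "Unknown command: \"%s %s\".", command, subcommand);
}

int main(void)
{
    char reply[REPLY_BUF_SIZE];
    char longsub[600];            /* constructed over-long subcommand for the demo */
    int truncated;

    memset(longsub, 'x', sizeof longsub - 1);
    longsub[sizeof longsub - 1] = '\0';

    unknown_command_reply(reply, sizeof reply, &truncated, "AUTH", "foo");
    printf("stored %zu bytes, truncated=%d\n", strlen(reply), truncated);

    unknown_command_reply(reply, sizeof reply, &truncated, "AUTH", longsub);
    printf("stored %zu bytes, truncated=%d\n", strlen(reply), truncated);
    return 0;
}
```

The truncation flag is the part worth keeping: silently cutting a reply is better than an overflow, but logging when it happens gives operators a signal that a client is sending abnormally long commands.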

