Bugtraq mailing list archives
qpop3.0b20 and below - notes and exploit
From: lucid () TERRA NEBULA ORG (Lucid Solutions)
Date: Tue, 30 Nov 1999 15:25:25 -0500
I found this overflow myself earlier this month. It seems someone else recently found it before Qualcomm was able to issue a patch. The 2.x series is not vulnerable because AUTH is not yet supported and the error returned by attempting to use AUTH does not call pop_msg() with any user input. There is also another overflow besides the AUTH overflow, also occurring in pop_msg(), which can occur if a valid username and password are first entered.

pop_get_subcommand.c contains this line near the bottom in qpopper3.0b20:

    pop_msg(p, POP_FAILURE, "Unknown command: \"%s %s\".", p->pop_command, p->pop_subcommand);

No bounds checking is done on the attempted subcommand. It is interesting to note that in qpop 2.53 a similar line is used, but with limits on the string length!

    pop_msg(p, POP_FAILURE, "Unknown command: \"%.128s %.128s\".", p->pop_command, p->pop_subcommand);

I guess Qualcomm did not continue development of Qpopper directly from the 2.53 series, but rewrote code from scratch and/or based it on earlier code. As a solution, pop_msg() should also do bounds checking, and not make the calling line responsible for it (although that's good practice too).

Attached is my original exploit that works on *BSD and Linux. (Solaris is NOT vulnerable to the AUTH overflow.) Slight modification is needed on one line, as the comments say. This exploit will then actually work on the majority of machines. Qualcomm: you have already received my working exploit with no modification needed. Let's hope for an official patch soon.

- sk8 () lucid-solutions com
http://www.lucid-solutions.com

Attachment (text/plain): q3combo-public.c
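As an added illustration of the fix the post proposes (this is example code, not qpopper's pop_msg()), the formatter below enforces its own bound with vsnprintf, so an unbounded "%s" from a caller can no longer run past the reply buffer, and the 2.53-style "%.128s" precision is shown beside it as a second, per-field limit. The session struct, the 256-byte reply buffer and the function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_LEN 256   /* assumed size of the reply buffer */

/* Hypothetical stand-in for the POP3 session structure (field name assumed). */
typedef struct {
    char reply[MSG_BUF_LEN];
} pop_session;

/* pop_msg()-style formatter that bounds its own output: whatever format the
 * caller passes, at most MSG_BUF_LEN-1 bytes are written plus a NUL terminator.
 * Returns the length the full message would have needed (snprintf semantics),
 * so a caller can detect truncation by comparing against sizeof reply. */
static int pop_msg_safe(pop_session *p, const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(p->reply, sizeof p->reply, fmt, ap);
    va_end(ap);
    if (needed < 0)
        p->reply[0] = '\0';       /* encoding error: leave an empty, terminated reply */
    return needed;
}

/* Builds a constructed subcommand of 'sublen' bytes of 'A' and formats the
 * "Unknown command" reply with the given format; stores the resulting strlen
 * of the reply in *reply_len and returns the length the message needed. */
static int format_unknown_command(const char *fmt, size_t sublen, int *reply_len)
{
    pop_session s;
    char sub[1024];
    int needed;
    if (sublen >= sizeof sub)
        sublen = sizeof sub - 1;
    memset(sub, 'A', sublen);
    sub[sublen] = '\0';
    needed = pop_msg_safe(&s, fmt, "AUTH", sub);
    *reply_len = (int)strlen(s.reply);
    return needed;
}

/* Thin wrappers so each result is available by itself. */
int reply_len(const char *fmt, size_t sublen)    { int n; (void)format_unknown_command(fmt, sublen, &n); return n; }
int reply_needed(const char *fmt, size_t sublen) { int n; return format_unknown_command(fmt, sublen, &n); }
```

With a 599-byte subcommand the unbounded "%s %s" format is cut at 255 bytes by vsnprintf (624 were requested), while the "%.128s %.128s" format never exceeds 153 bytes, so either layer alone keeps the write inside the buffer.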