Date: Sat, 27 Jun 1998 03:24:04 -0400
From: Roy Hooper <rhooper@CORP.CYBERUS.CA>
To: BUGTRAQ@NETSPACE.ORG
Subject: patch for qpopper remote exploit bug
This is a simple case of the author(s) of qpopper not using vsnprintf where
they aught to have been. I have confirmed that qpopper-2.41beta1 is indeed
vulnerable to a remote exploit due to buffer overrun. I have not actually
tested the exploit, but have tested (and fixed) the buffer overrun in the
copy of qpopper running here.
The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy,
as both have the vsnprintf function. This patch is not guaranteed to solve
the problem, but appears to do so.
*** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998
--- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998
***************
*** 47,53 ****
#endif
#ifdef HAVE_VPRINTF
! vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
#else
# ifdef PYRAMID
(void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 47,53 ----
#endif
#ifdef HAVE_VPRINTF
! vsprintf(msgbuf,format,ap);
#else
# ifdef PYRAMID
(void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
*** qpopper2.41beta1/pop_msg.c Sat Jun 27 03:01:22 1998
--- qpopper2.41beta1-broken/pop_msg.c Sat Jun 27 02:59:05 1998
***************
*** 63,69 ****
/* Append the message (formatted, if necessary) */
if (format)
#ifdef HAVE_VPRINTF
! vsnprintf(mp,sizeof(message),format,ap);
#else
# ifdef PYRAMID
(void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 63,69 ----
/* Append the message (formatted, if necessary) */
if (format)
#ifdef HAVE_VPRINTF
! vsprintf(mp,format,ap);
#else
# ifdef PYRAMID
(void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
--
Roy Hooper
Sr. Systems Administrator
Cyberus Online Inc.
-----Original Message-----
From: Seth McGann <smm@WPI.EDU>
To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
Date: Saturday, June 27, 1998 2:36 AM
Subject: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT
>Its come to my attention that systems around the internet are being
>exploited using a new remote overflow in Qualcomm's Popper server. Well,
>lets clear a few things up:
>
>1. The working exploit was stolen from my development account,
>subsequently MANY sites were cracked in short order. Much of Efnet was
>compromised as power crazed script kiddies gained root access on IRCOP
>boxes, giving themselves O-lines.
>
>2. This vulnerability effects FreeBSD, OpenBSD, and Solaris x86 so far.
>Other systems are most certainly vulnerable. Linux does not appear
>vulnerable. To test, simply send the sever several thousand characters and
>see if it crashed. Check the return address to see if it matches.
>
>3. Due to massive exploitation the proper authorities have most likely
>been notified already. This is a bit of an emergency.
>
>4. You will NOT get the "exploit" from me, don't ask. If you think your
>"eleet" enough, do it yourself. I admit I had some help, but it took a
>while to figure out.
>
>5. The most obvious offender is the vsprintf() on line 66 of pop_msg.c.
>
>6. If you have a problem with my style, I'm sorry. I'm angry at both
>myself and the members of #conflict who I hold directly responsible for
>this breach. I will not name names, the offenders know who they are.
>
>7. When I have my head together I will post a patch tomorrow if one is not
>available by then.
>
>8. For now, disable qpopper or choose another solution till qpopper is
>secured.
>
>Thank you.
>
>
>
>Seth M. McGann / smm@wpi.edu "Security is making it
>http://www.wpi.edu/~smm to the bathroom in time."
>KeyID: 2048/1024/E2501C80
>Fingerprint 3344 DFA2 8E4A 977B 63A7 19E3 6AF7 4AE7 E250 1C80
>
