

patch for qpopper remote exploit bug


Date: Sat, 27 Jun 1998 19:41:46 -0400
From: Jon Lusky <lusky@EARTH.VOYAGERONLINE.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: patch for qpopper remote exploit bug

Andres Kroonmaa writes:
>  Yeah, but what about systems that do _not_ have vsnprintf()?
>  Using calls without bounds checks can be justified as long
>  as it is made dead sure that no bounds would be ever exceeded.
>
>  In current case, buffers overflow because qpopper accepts
>  way too long commands. Easiest fix is to limit max command
>  length at safer lower length during call to tgets()

Here is what I am using...  I changed the length passed to tgets,
and put some logging code in myfgets().


*** ../qpopper2.41beta1/popper.c        Wed Nov 19 16:20:38 1997
--- popper.c    Fri Jun 26 00:05:57 1998
***************
*** 46,51 ****
--- 46,61 ----
  char * strerror();
  #endif

+ #if HAVE_SYS_NETINET_IN_H
+ # include <sys/netinet/in.h>
+ #endif
+ #if HAVE_NETINET_IN_H
+ # include <netinet/in.h>
+ #endif
+
+ #include <netdb.h>
+ #include <arpa/inet.h>
+
  extern  state_table *   pop_get_command();
  int hangup = FALSE ;
  int catchSIGHUP();
***************
*** 55,60 ****
--- 65,72 ----

  FILE *debuglog;

+ #define MAXINPUTLEN 80
+
  /*
   *  popper: Handle a Post Office Protocol version 3 session
   */
***************
*** 123,129 ****
              pop_msg(&p, POP_FAILURE,"POP mailbox restoration failed.",p.myhost);
  #endif
              p.CurrentState = error;
!         } else if (tgets(message,MAXLINELEN,p.input,pop_timeout) == NULL) {
            if (poptimeout) {
                  if (p.xmitting) pop_xmit_clean(&p);
                pop_msg(&p,POP_FAILURE,"POP timeout",p.myhost);
--- 135,141 ----
              pop_msg(&p, POP_FAILURE,"POP mailbox restoration failed.",p.myhost);
  #endif
              p.CurrentState = error;
!         } else if (tgets(message,MAXINPUTLEN,p.input,pop_timeout) == NULL) {
            if (poptimeout) {
                  if (p.xmitting) pop_xmit_clean(&p);
                pop_msg(&p,POP_FAILURE,"POP timeout",p.myhost);
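Review bot: Passing `MAXINPUTLEN` to `tgets` is a mitigation rather than a fix, because it holds only while every buffer a command is later formatted into is larger than 80 bytes plus the text around it, and the unbounded formatting calls themselves are untouched by this patch. The `#define MAXINPUTLEN 80` in the previous hunk should carry a comment recording that dependency, for example `/* max bytes of one client command; must stay well below every buffer a command is later formatted into */`. The hunk does not show what happens to the remainder of an over-long line, so it is worth confirming that the leftover bytes are not parsed as a further command. The enclosing function starts and ends outside the hunk.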
***************
*** 196,202 ****
--- 208,219 ----
        char ch;
        int nbytes;
        int found_nl = 0;
+       char msgbuf[500];
+       struct sockaddr_in      cs;
+       int                     sp = 0;
+       int                     len;

+
        cp = str;

        while (--size > 0) {
***************
*** 210,216 ****
            }
            ++cp;
        }
!
        if ((nbytes <= 0) || (cp == str)) {
            return(NULL);
        } else {
--- 227,240 ----
            }
            ++cp;
        }
!       if (size == 0) {
!               len = sizeof(cs);
!               if (getpeername(sp,(struct sockaddr *)&cs,&len) < 0){
!                       exit(1);
!               }
!               sprintf(msgbuf,"LONG POPPER COMMAND from %s - %s (truncated)",strdup(inet_ntoa(cs.sin_addr)),str);
!               syslog(LOG_ALERT,"%s",msgbuf);
!       }
        if ((nbytes <= 0) || (cp == str)) {
            return(NULL);
        } else {
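Review bot: The new logging block formats client-controlled `str` with an unbounded `sprintf` into the 500-byte `msgbuf` declared in the previous hunk, so it is safe only while every caller passes a `size` well under 500; it also leaks the `strdup` result on every long command and never checks it for NULL. Logging directly removes all three problems: `syslog(LOG_ALERT, "LONG POPPER COMMAND from %s - %.*s (truncated)", inet_ntoa(cs.sin_addr), (int)(cp - str), str);`. This assumes `cp` points just past the last byte stored, as the visible `++cp` suggests, and the explicit length also covers the case where `str` is not yet NUL-terminated at this point, which the hunk does not show. `getpeername` is called on `sp`, fixed at 0 in the previous hunk, which presumably relies on the client socket being descriptor 0; a short comment saying so would help. The function starts and ends outside the hunk.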

--
   Jonathan R. Lusky    |         Voyager Online LLC
Senior Network Engineer |   (423) 209-2929 / (800) 864-0442
     lusky@vol.com      | Nationwide 64K Dialup ISDN $26.95/mo
 http://www.hotrod.com  |         http://www.vol.com
