patch for qpopper remote exploit bug


Date: Sat, 27 Jun 1998 18:34:12 -0700
From: Benjamin J Stassart <dszd0g@dasb.fhda.edu>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: patch for qpopper remote exploit bug

-----BEGIN PGP SIGNED MESSAGE-----

> Date: Sat, 27 Jun 1998 21:21:13 +0300
> From: Andres Kroonmaa <andre@ML.EE>
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Re: patch for qpopper remote exploit bug
>
> On 27 Jun 98, at 3:24, Roy Hooper <rhooper@CORP.CYBERUS.CA> wrote:
>
> > This is a simple case of the author(s) of qpopper not using vsnprintf where
> > they ought to have been.  I have confirmed that qpopper-2.41beta1 is indeed
> > vulnerable to a remote exploit due to buffer overrun.  I have not actually
> > tested the exploit, but have tested (and fixed) the buffer overrun in the
> > copy of qpopper running here.
>
>  Yeah, but what about systems that do _not_ have vsnprintf()?
>  Using calls without bounds checks can be justified as long
>  as it is made dead sure that no bounds would be ever exceeded.

Digital Unix 3.2G does not seem to have either vsnprintf or snprintf.
However, qpopper under Digital Unix 3.2G does not seem to show the
vulnerability as discussed on this list even though it contains the
vulnerable code.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <32482.898994635@machine>
- -ERR Unknown command:
"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeee".
+OK Pop server at machine signing off.

And I get a log with that message.

Since I do not trust that there is not another way to exploit it, I
decided to rewrite it anyways until a patch from Qualcomm becomes
available.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <29494.898995337@machine>
- -ERR String too long
+OK Pop server at machine signing off.

It is a really ugly patch that replaces vsprintf with vfprintf and outputs
to a file and then reads in from that file.

*** pop_msg.c   Sat Jun 27 17:53:55 1998
- --- pop_msg.c.orig    Sat Jun 27 14:01:49 1998
***************
*** 35,43 ****
  #endif
      char                message[MAXLINELEN];

- -     FILE* vprint_file;
- -     char vprint_temp[101];
- -
      va_start(ap);
      p = va_arg(ap, POP *);
      stat = va_arg(ap, int);
- --- 35,40 ----
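Review bot: The file headers and this hunk run in the reverse direction: the `***` side is the patched pop_msg.c (it carries the new `FILE* vprint_file;` and `char vprint_temp[101];` lines, marked `-`) and the `---` side is pop_msg.c.orig, so applied as posted the patch removes the fix instead of adding it. Regenerate it as `diff -c pop_msg.c.orig pop_msg.c`, or state in the message that it has to be applied in reverse.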
***************
*** 66,86 ****
      /*  Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!         vprint_file = tmpfile();
!         vfprintf(vprint_file,format,ap);
!         rewind(vprint_file);
!         fscanf(vprint_file, "%100s", mp);
!         while(fscanf(vprint_file, "%100s", vprint_temp) != EOF)
!         {
!            if (strlen(mp) + strlen(vprint_temp) + 4 > MAXLINELEN)
!            {
!               strcpy(mp, "String too long");
!               break;
!            }
!
!          strcat(mp, " ");
!            strcat(mp, vprint_temp);
!         }
  #else
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
- --- 63,69 ----
      /*  Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!         vsprintf(mp,format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
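Review bot: On the `*** 66,86 ****` side, `if (format)` has no braces, so it guards only `vprint_file = tmpfile();`; the `vfprintf`, `rewind` and `fscanf` calls and the `while` loop run even when `format` is NULL. Wrap the whole replacement in `{ ... }`. While there, check `tmpfile()` for NULL before writing to it, add `fclose(vprint_file);` after the loop since a stream is opened on every call and never closed, and note that reading with `%100s` and rejoining with a single space collapses every run of whitespace in the formatted message.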
***************
*** 90,96 ****
  # endif
  #endif
      va_end(ap);
!
      /*  Log the message if debugging is turned on */
  #ifdef DEBUG
      if (p->debug && stat == POP_SUCCESS)
- --- 73,79 ----
  # endif
  #endif
      va_end(ap);
!
      /*  Log the message if debugging is turned on */
  #ifdef DEBUG
      if (p->debug && stat == POP_SUCCESS)
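Review bot: The only changed line on either side of this hunk is the empty `!` line after `va_end(ap);`, so it records a whitespace-only difference. Drop it so the patch stays limited to the formatting change.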

*** pop_log.c   Sat Jun 27 17:54:09 1998
- --- pop_log.c.orig    Sat Jun 27 17:10:10 1998
***************
*** 33,41 ****
      char    *   date_time;
      time_t    clock;

- -     FILE* vprint_file;
- -     char vprint_temp[101];
- -
      va_start(ap);
      p = va_arg(ap,POP *);
      stat = va_arg(ap,int);
- --- 33,38 ----
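Review bot: `char vprint_temp[101];` is sized by hand to match the `%100s` conversions in the next hunk; if one number changes without the other, the `fscanf` into `vprint_temp` can overrun it. Define the width once and derive both the array size and the conversion width from it. The identical declaration in pop_msg.c has the same coupling.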
***************
*** 50,70 ****
  #endif

  #ifdef HAVE_VPRINTF
!         vprint_file = tmpfile();
!         vfprintf(vprint_file,format,ap);
!         rewind(vprint_file);
!         fscanf(vprint_file, "%100s", msgbuf);
!         while(fscanf(vprint_file, "%100s", vprint_temp) != EOF)
!         {
!            if (strlen(msgbuf) + strlen(vprint_temp) + 4 > MAXLINELEN)
!            {
!               strcpy(msgbuf, "String too long");
!               break;
!            }
!
!            strcat(msgbuf, " ");
!            strcat(msgbuf, vprint_temp);
!         }
  #else
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
- --- 47,53 ----
  #endif

  #ifdef HAVE_VPRINTF
!         vsprintf(msgbuf,format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
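Review bot: `tmpfile()` can return NULL, and the `*** 50,70 ****` side passes `vprint_file` straight to `vfprintf` without checking it; the stream is also never closed, so each call leaves one more open file behind. Check for NULL and fall back to a fixed message, and add `fclose(vprint_file);` after the loop. The return value of the first `fscanf(vprint_file, "%100s", msgbuf)` is ignored as well, so when the formatted text is empty `msgbuf` keeps whatever it held before. This block is a copy of the one in pop_msg.c; a shared helper would keep the two from drifting apart.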

And I also applied the UIDL patch given on this mailing list earlier today.

Benjamin J. Stassart
- ------------------------------------------------+
A great many people think they are thinking    |
when they are merely rearranging their         |
prejudices                                     |

-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

iQCVAwUBNZWdlpePz5nhUoJ9AQFsHAP7BaKCmfXZuq+0mYOwB7YKBMHNdcT8jnyK
V5NVfFKeP2QGgz8BPvZbWDFViBbuG2e4EFvORsahD0E+L5v8nY4h45XB38pHkO+C
7UsAcT+ouwhXWLIs3W0yKpHIAbdziLx1Zgxscjfqqauedt5+7wT1E6IZSJ+vmgRv
mSm8LiWpiiE=
=2ViR
-----END PGP SIGNATURE-----
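
The temp-file approach described in the message, written as a single bounded helper for systems that lack vsnprintf(); this is an added example, not code from the post or from qpopper. The names bounded_vformat and bounded_format are hypothetical, and the helper reads the formatted bytes back with a length limit instead of word by word.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: bounded formatting without vsnprintf(). The text is
 * written to a tmpfile() stream and at most dstlen-1 bytes are read back.
 * Returns the stored length, or -1 (dst = fixed fallback text) when the
 * output did not fit or the temporary stream failed. */
int bounded_vformat(char *dst, size_t dstlen, const char *format, va_list ap)
{
    FILE *fp;
    size_t n = 0;
    int written = -1;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (format == NULL)
        return 0;                       /* nothing to append */
    fp = tmpfile();
    if (fp != NULL) {
        written = vfprintf(fp, format, ap);
        rewind(fp);                     /* flushes and repositions for reading */
        if (written >= 0)
            n = fread(dst, 1, dstlen - 1, fp);
        if (ferror(fp))
            written = -1;
        fclose(fp);                     /* released on every path */
    }
    if (written < 0 || (size_t)written > n) {
        strncpy(dst, "String too long", dstlen - 1);
        dst[dstlen - 1] = '\0';
        return -1;
    }
    dst[n] = '\0';                      /* whitespace preserved byte for byte */
    return (int)n;
}

/* Variadic wrapper so callers can use it like sprintf(). */
int bounded_format(char *dst, size_t dstlen, const char *format, ...)
{
    va_list ap;
    int r;

    va_start(ap, format);
    r = bounded_vformat(dst, dstlen, format, ap);
    va_end(ap);
    return r;
}
```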
