The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


patch for qpopper remote exploit bug


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Sat, 27 Jun 1998 18:34:12 -0700
From: Benjamin J Stassart <[email protected]>
To: [email protected]
Subject: Re: patch for qpopper remote exploit bug

-----BEGIN PGP SIGNED MESSAGE-----

> Date: Sat, 27 Jun 1998 21:21:13 +0300
> From: Andres Kroonmaa <[email protected]>
> To: [email protected]
> Subject: Re: patch for qpopper remote exploit bug
>
> On 27 Jun 98, at 3:24, Roy Hooper <[email protected]> wrote:
>
> > This is a simple case of the author(s) of qpopper not using vsnprintf where
> > they aught to have been.  I have confirmed that qpopper-2.41beta1 is indeed
> > vulnerable to a remote exploit due to buffer overrun.  I have not actually
> > tested the exploit, but have tested (and fixed) the buffer overrun in the
> > copy of qpopper running here.
>
>  Yeah, but what about systems that do _not_ have vsnprintf()?
>  Using calls without bounds checks can be justified as long
>  as it is made dead sure that no bounds would be ever exceeded.

Digital Unix 3.2G does not seem to have either vsnprintf or snprintf.
However, qpopper under Digital Unix 3.2G does not seem to show the
vulnerability as discussed on this list even though it contains the
vulnerable code.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <32482.898994635@machine>
- -ERR Unknown command:
"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeee".
+OK Pop server at machine signing off.

And I get a log with that message.

Since I do not trust that there is not another way to exploit it, I
decided to rewrite it anyways until a patch from Qualcomm becomes
available.

% perl -e 'print "e"x2000,"\r\nQUIT\r\n";' | /usr/local/sbin/nc -i 2 localhost 110
+OK QPOP (version 2.4) at machine starting. <29494.898995337@machine>
- -ERR String too long
+OK Pop server at machine signing off.

It is a really ugly patch that replaces vsprintf with vfprintf and outputs
to a file and then reads in from that file.

*** pop_msg.c   Sat Jun 27 17:53:55 1998
- --- pop_msg.c.orig    Sat Jun 27 14:01:49 1998
***************
*** 35,43 ****
  #endif
      char                message[MAXLINELEN];

- -     FILE* vprint_file;
- -     char vprint_temp[101];
- -
      va_start(ap);
      p = va_arg(ap, POP *);
      stat = va_arg(ap, int);
- --- 35,40 ----
***************
*** 66,86 ****
      /*  Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!         vprint_file = tmpfile();
!         vfprintf(vprint_file,format,ap);
!         rewind(vprint_file);
!         fscanf(vprint_file, "%100s", mp);
!         while(fscanf(vprint_file, "%100s", vprint_temp) != EOF)
!         {
!            if (strlen(mp) + strlen(vprint_temp) + 4 > MAXLINELEN)
!            {
!               strcpy(mp, "String too long");
!               break;
!            }
!
!          strcat(mp, " ");
!            strcat(mp, vprint_temp);
!         }
  #else
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
- --- 63,69 ----
      /*  Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!         vsprintf(mp,format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
***************
*** 90,96 ****
  # endif
  #endif
      va_end(ap);
!
      /*  Log the message if debugging is turned on */
  #ifdef DEBUG
      if (p->debug && stat == POP_SUCCESS)
- --- 73,79 ----
  # endif
  #endif
      va_end(ap);
!
      /*  Log the message if debugging is turned on */
  #ifdef DEBUG
      if (p->debug && stat == POP_SUCCESS)

*** pop_log.c   Sat Jun 27 17:54:09 1998
- --- pop_log.c.orig    Sat Jun 27 17:10:10 1998
***************
*** 33,41 ****
      char    *   date_time;
      time_t    clock;

- -     FILE* vprint_file;
- -     char vprint_temp[101];
- -
      va_start(ap);
      p = va_arg(ap,POP *);
      stat = va_arg(ap,int);
- --- 33,38 ----
***************
*** 50,70 ****
  #endif

  #ifdef HAVE_VPRINTF
!         vprint_file = tmpfile();
!         vfprintf(vprint_file,format,ap);
!         rewind(vprint_file);
!         fscanf(vprint_file, "%100s", msgbuf);
!         while(fscanf(vprint_file, "%100s", vprint_temp) != EOF)
!         {
!            if (strlen(msgbuf) + strlen(vprint_temp) + 4 > MAXLINELEN)
!            {
!               strcpy(msgbuf, "String too long");
!               break;
!            }
!
!            strcat(msgbuf, " ");
!            strcat(msgbuf, vprint_temp);
!         }
  #else
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
- --- 47,53 ----
  #endif

  #ifdef HAVE_VPRINTF
!         vsprintf(msgbuf,format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);

And I also applied to UIDL patch given on this mailing list earlier today.

Benjamin J. Stassart
- ------------------------------------------------+
A great many people think they are thinking    |
when they are merely rearranging their         |
prejudices                                     |

-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

iQCVAwUBNZWdlpePz5nhUoJ9AQFsHAP7BaKCmfXZuq+0mYOwB7YKBMHNdcT8jnyK
V5NVfFKeP2QGgz8BPvZbWDFViBbuG2e4EFvORsahD0E+L5v8nY4h45XB38pHkO+C
7UsAcT+ouwhXWLIs3W0yKpHIAbdziLx1Zgxscjfqqauedt5+7wT1E6IZSJ+vmgRv
mSm8LiWpiiE=
=2ViR
-----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру