Re: CPSN 4-970424: Possible buffer overflow in pop3d
Derric Scott (dtscott at SCOTT.NET), Sun, 27 Apr 1997 22:33:11 -0500
- Next message: Tim Newsham: "Re: Smashing the Stack: prevention?"
- Previous message: Andrew G. Morgan: "Re: Overflow in xlock"
- In reply to: George Staikos: "Re: CPSN 4-970424: Possible buffer overflow in pop3d"
- Next in thread: Johannes Erdfelt: "Re: CPSN 4-970424: Possible buffer overflow in pop3d"
Hello:

While I don't profess to be the keeper of BSD POP3d, I have made recent changes and made them available. So.... I took a very quick look and changed that "offending" strcpy to a strncpy. I'll soon put 1.005f up on: ftp://ftp.scott.net/pub/linux/mail

HOWEVER: Is this security notice based on an exploit, or is it just from examination of the code? My cursory glance indicates that there is no real threat from that strcpy because the length of the input has already been checked before execution reaches this point.

I.e.:

FUNCTION: svr_auth(state,inbuf) has the "offending" line:

    strcpy(cli_user,inbuf);

BUT: svr_auth is called from MAIN with:

    svr_state = svr_auth(svr_state,cli_buf);

where cli_buf is read previously from stdin with:

    if (fgetl(cli_buf,CLI_BUFSIZ,stdin) == NULL)

Now this machine doesn't have a manpage for "fgetl" but, from the arguments, it looks like it will check the length... so is there some OTHER way for the bad guy to get the machine code into the buffer?

ALSO, cli_buf is further worked on before that svr_auth call is made - the command is shifted to lower case, it is scanned for a CR and trailing whitespace is removed, etc., which may make it more difficult to put "code" in there.

Admittedly I scanned it very quickly, but it does look like the length of the input is checked in "main."

Later!

Derric

> On Sat, 26 Apr 1997, Corinne Posse wrote:
>
> > ************** Corinne Posse Security Notice **************
> > Issue Number 4-970424
> > Topic: Possible buffer overflow in pop3d
> > ************** http://corinne.mac.edu/posse **************
> >
> > *pop3d-1.00.4 (BSD 4.3-based pop3d servers) USER buffer overflow*
> >
> > Affected Sites:
> > Systems running OLD versions of pop3d, namely 1.00.4,
> > based on the "original" BSD 4.3 Virtual VAX pop3d by Katie Stevens. This
>
> This code has not been changed as of pop3d-1.005e, which was released
> January 19, 1997, and thus it still appears to be vulnerable. As far as
> I know, this is the latest release of the BSD 4.3 based pop3d.
>
> George

--
Derric Scott
Scott Network Services, Inc.
P. O. Box 361353
derric at scott.net
(205)987-5889
Birmingham, AL 35236
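Added example, not code from pop3d or from this poster: it models the argument above in C with constructed buffer sizes (CLI_BUFSIZ and a hypothetical USER_MAX, since the post gives neither), showing that the bound on the fgetl() read into cli_buf only protects the later strcpy(cli_user, inbuf) when cli_user is at least as large, and how the strncpy replacement needs an explicit terminator and a truncation check.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this illustration; the post does not state pop3d's
 * real CLI_BUFSIZ or the size of cli_user. */
#define CLI_BUFSIZ 1024   /* bound main() passes to fgetl() */
#define USER_MAX   64     /* hypothetical size of cli_user in svr_auth() */

/* Stand-in for fgetl(): read at most size-1 bytes of one line and drop the
 * trailing CR/LF, as the post describes main() filling cli_buf. */
char *read_bounded_line(char *buf, size_t size, FILE *fp) {
    if (fgets(buf, (int)size, fp) == NULL)
        return NULL;
    buf[strcspn(buf, "\r\n")] = '\0';
    return buf;
}

/* The open question in the post: the read bound only makes the later
 * strcpy(cli_user, inbuf) safe if cli_user is at least CLI_BUFSIZ bytes.
 * Returns 1 when an unchecked copy of inbuf would overrun a dst_size buffer. */
int strcpy_would_overflow(const char *inbuf, size_t dst_size) {
    return strlen(inbuf) + 1 > dst_size;
}

/* The strncpy() replacement, done carefully: strncpy() leaves dst without a
 * terminator when the source fills it, so terminate explicitly and report
 * truncation (-1) instead of silently accepting a clipped user name. */
int copy_user_checked(char *dst, size_t dst_size, const char *inbuf) {
    strncpy(dst, inbuf, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(inbuf) >= dst_size ? -1 : 0;
}

/* Constructed 100-byte user name: under CLI_BUFSIZ, so the bounded read
 * accepts it, but over USER_MAX. Returns 1 if the strcpy would overflow. */
int demo_overlong_user(void) {
    char cli_buf[CLI_BUFSIZ], cli_user[USER_MAX];
    memset(cli_buf, 'A', 100);
    cli_buf[100] = '\0';
    int overflow = strcpy_would_overflow(cli_buf, sizeof cli_user);
    copy_user_checked(cli_user, sizeof cli_user, cli_buf);  /* safe path */
    return overflow;
}

int main(void) {
    printf("bounded read protects strcpy: %s\n",
           demo_overlong_user() ? "no" : "yes");
    return 0;
}
```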