patch for qpopper remote exploit bug
Roy Hooper (rhooperCORP.CYBERUS.CA)
Sat, 27 Jun 1998 03:24:04 -0400
- Next message: Miquel van Smoorenburg: "Re: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT"
- Previous message: security-alertNETBSD.ORG: "NetBSD Security Advisory 1998-004: at(1) vulnerabilities."
- Next in thread: Andres Kroonmaa: "Re: patch for qpopper remote exploit bug"
This is a simple case of the author(s) of qpopper not using vsnprintf where they ought to have been. I have confirmed that qpopper-2.41beta1 is indeed vulnerable to a remote exploit due to buffer overrun. I have not actually tested the exploit, but have tested (and fixed) the buffer overrun in the copy of qpopper running here. The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy, as all of them have the vsnprintf function. This patch is not guaranteed to solve the problem, but appears to do so.

*** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998
--- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998
***************
*** 47,53 ****
  #endif
  #ifdef HAVE_VPRINTF
! vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
  #else
  # ifdef PYRAMID
  (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 47,53 ----
  #endif
  #ifdef HAVE_VPRINTF
! vsprintf(msgbuf,format,ap);
  #else
  # ifdef PYRAMID
  (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
*** qpopper2.41beta1/pop_msg.c Sat Jun 27 03:01:22 1998
--- qpopper2.41beta1-broken/pop_msg.c Sat Jun 27 02:59:05 1998
***************
*** 63,69 ****
  /* Append the message (formatted, if necessary) */
  if (format)
  #ifdef HAVE_VPRINTF
! vsnprintf(mp,sizeof(message),format,ap);
  #else
  # ifdef PYRAMID
  (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 63,69 ----
  /* Append the message (formatted, if necessary) */
  if (format)
  #ifdef HAVE_VPRINTF
! vsprintf(mp,format,ap);
  #else
  # ifdef PYRAMID
  (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);

--
Roy Hooper
Sr. Systems Administrator
Cyberus Online Inc.

-----Original Message-----
From: Seth McGann <smmWPI.EDU>
To: BUGTRAQnetspace.org <BUGTRAQnetspace.org>
Date: Saturday, June 27, 1998 2:36 AM
Subject: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT

>It's come to my attention that systems around the internet are being
>exploited using a new remote overflow in Qualcomm's Popper server. Well,
>let's clear a few things up:
>
>1. The working exploit was stolen from my development account,
>subsequently MANY sites were cracked in short order. Much of Efnet was
>compromised as power crazed script kiddies gained root access on IRCOP
>boxes, giving themselves O-lines.
>
>2. This vulnerability affects FreeBSD, OpenBSD, and Solaris x86 so far.
>Other systems are most certainly vulnerable. Linux does not appear
>vulnerable. To test, simply send the server several thousand characters and
>see if it crashes. Check the return address to see if it matches.
>
>3. Due to massive exploitation the proper authorities have most likely
>been notified already. This is a bit of an emergency.
>
>4. You will NOT get the "exploit" from me, don't ask. If you think you're
>"eleet" enough, do it yourself. I admit I had some help, but it took a
>while to figure out.
>
>5. The most obvious offender is the vsprintf() on line 66 of pop_msg.c.
>
>6. If you have a problem with my style, I'm sorry. I'm angry at both
>myself and the members of #conflict who I hold directly responsible for
>this breach. I will not name names, the offenders know who they are.
>
>7. When I have my head together I will post a patch tomorrow if one is not
>available by then.
>
>8. For now, disable qpopper or choose another solution till qpopper is
>secured.
>
>Thank you.
>
>
>
>Seth M. McGann / smmwpi.edu          "Security is making it
>http://www.wpi.edu/~smm               to the bathroom in time."
>KeyID: 2048/1024/E2501C80
>Fingerprint 3344 DFA2 8E4A 977B 63A7 19E3 6AF7 4AE7 E250 1C80
>
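Review bot: the pop_log.c hunk of the patch above is reversed, so `patch` will apply it backwards: the `***` (old) side is the tree that already carries the fixed `vsnprintf(msgbuf,sizeof(msgbuf),format,ap);` and the `---` (new) side is `qpopper2.41beta1-broken` with the unbounded `vsprintf(msgbuf,format,ap);`. Either regenerate the diff with the broken tree first or tell readers to apply it with `patch -R`. The range `*** 47,53 ****` also announces seven lines while only six context and changed lines are shown, so a line was lost in transit and the hunk may not apply cleanly. The bound itself is correct here: msgbuf is written from its first byte, so sizeof(msgbuf) is the real capacity.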
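Review bot: in the pop_msg.c hunk, `vsnprintf(mp,sizeof(message),format,ap);` passes the size of the whole message array as the bound, but mp is a pointer into that array past whatever was already written (the comment says "Append the message"), so the bound overstates the space left and the formatted text can still run off the end of message by up to the number of bytes written before mp. Pass the remaining space instead, `vsnprintf(mp, sizeof(message) - (mp - message), format, ap);`, and check that mp still lies inside message before the call. This hunk has the same reversed direction as the pop_log.c one: the fixed line sits on the `***` side.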
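The bug the two messages above describe, written out as an added example (my code, not qpopper's): a pop_msg()-style routine that copies a status prefix into a fixed reply buffer and then formats the caller's message at a pointer into that same buffer. The buffer size REPLY_BUF, the prefix strings and every function name here are assumptions for the example; qpopper's real sizes and names are not shown in the thread. reply_formatted_length() reports how many bytes the unbounded vsprintf() would have written for the "several thousand characters" probe Seth describes, and reply_format() is the hardened form: it hands vsnprintf() the space remaining after the prefix, not the size of the whole array, and tells the caller when the output was cut short.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed reply buffer size for this example; qpopper's real constant is
 * not shown in the thread and may differ. */
#define REPLY_BUF 256

/* Result codes of reply_format(). */
enum { REPLY_OK = 0, REPLY_TRUNCATED = 1, REPLY_PREFIX_TOO_LONG = 2 };

/* Length the unbounded vsprintf() call would have produced for this format
 * and these arguments, excluding the terminating NUL. vsnprintf() with a
 * NULL buffer and size 0 writes nothing and only reports that length. */
static int reply_formatted_length(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Build "<prefix><formatted message>" into message[REPLY_BUF].
 * Same shape as the pop_msg() hunk in the thread: the prefix is written
 * first and the formatted text is appended at mp, a pointer into the same
 * array. The bound handed to vsnprintf() is the space left after mp, which
 * sizeof(message) overstates once mp has moved past the start. */
static int reply_format(char message[REPLY_BUF], const char *prefix,
                        const char *fmt, ...)
{
    char *mp = message;
    size_t left = REPLY_BUF;
    size_t plen = strlen(prefix);
    va_list ap;
    int n;

    if (plen >= left) {            /* no room even for a NUL after the prefix */
        message[0] = '\0';
        return REPLY_PREFIX_TOO_LONG;
    }
    memcpy(mp, prefix, plen);
    mp += plen;
    left -= plen;

    va_start(ap, fmt);
    n = vsnprintf(mp, left, fmt, ap);   /* always NUL-terminates within left */
    va_end(ap);

    if (n < 0 || (size_t)n >= left)
        return REPLY_TRUNCATED;         /* buffer intact, output cut short */
    return REPLY_OK;
}

/* Constructed probe input of the kind the thread describes: a user name of
 * several thousand bytes with no terminator inside it. */
static const char *overlong_user(void)
{
    static char user[3000];

    if (user[0] == '\0') {
        memset(user, 'A', sizeof(user) - 1);
        user[sizeof(user) - 1] = '\0';
    }
    return user;
}

/* Push the constructed probe through the hardened routine. */
static int demo_overlong_user(char message[REPLY_BUF])
{
    return reply_format(message, "-ERR ", "Unknown user: %s", overlong_user());
}

int main(void)
{
    char message[REPLY_BUF];
    int rc = demo_overlong_user(message);
    int need = (int)strlen("-ERR ")
             + reply_formatted_length("Unknown user: %s", overlong_user());

    printf("unbounded vsprintf() would write %d bytes into a %d-byte buffer\n",
           need, REPLY_BUF);
    printf("hardened: status %d, %zu bytes written\n", rc, strlen(message));
    return 0;
}
```

The truncation status matters as much as the bound: a server that silently cuts "-ERR Unknown user: ..." short still answers with a well-formed line, but the caller can now decide to log the oversized argument or drop the connection rather than pretend nothing happened.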