Bugtraq archives for 2nd quarter (Apr-Jun) 1998: patch for qpopper remote exploit bug

patch for qpopper remote exploit bug

Roy Hooper (rhooper@CORP.CYBERUS.CA)
Sat, 27 Jun 1998 03:24:04 -0400

This is a simple case of the author(s) of qpopper not using vsnprintf where
they ought to have been.  I have confirmed that qpopper-2.41beta1 is indeed
vulnerable to a remote exploit due to buffer overrun.  I have not actually
tested the exploit, but have tested (and fixed) the buffer overrun in the
copy of qpopper running here.

The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy,
as both have the vsnprintf function.  This patch is not guaranteed to solve
the problem, but appears to do so.

*** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998
--- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998
***************
*** 47,53 ****
  #endif

  #ifdef HAVE_VPRINTF
!         vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 47,53 ----
  #endif

  #ifdef HAVE_VPRINTF
!         vsprintf(msgbuf,format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
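Review bot: the diff direction is inverted: the `***` (from) side is the fixed tree `qpopper2.41beta1/pop_log.c` carrying `vsnprintf`, and the `---` (to) side is `qpopper2.41beta1-broken` carrying `vsprintf`, so running this through `patch` against a stock 2.41beta1 tree will either reject the hunk or, with fuzz, put `vsprintf` back; apply it with `patch -R` or regenerate it with the broken tree as the first argument. Separately, the replacement line `vsnprintf(msgbuf,sizeof(msgbuf),format,ap);` sits under `#ifdef HAVE_VPRINTF`, which only attests that `vprintf` exists; a platform with `vprintf` but no `vsnprintf` will now fail to link, so guard it with a separate HAVE_VSNPRINTF test and keep a bounded fallback. The `sizeof(msgbuf)` bound is only correct if `msgbuf` is declared as an array in this function rather than a pointer, which the hunk does not show.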
*** qpopper2.41beta1/pop_msg.c Sat Jun 27 03:01:22 1998
--- qpopper2.41beta1-broken/pop_msg.c Sat Jun 27 02:59:05 1998
***************
*** 63,69 ****
      /*  Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!         vsnprintf(mp,sizeof(message),format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
--- 63,69 ----
      /*  Append the message (formatted, if necessary) */
      if (format)
  #ifdef HAVE_VPRINTF
!         vsprintf(mp,format,ap);
  #else
  # ifdef PYRAMID
          (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
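Review bot: the bound in `vsnprintf(mp,sizeof(message),format,ap);` is the size of the whole buffer, yet the comment two lines above says this is an append and the write goes through the cursor `mp`, not `message`: if `mp` has been advanced past a prefix of `message`, vsnprintf is still allowed to write up to `mp - message` bytes past the end of the array. Use the remaining space, `vsnprintf(mp, sizeof(message) - (mp - message), format, ap);`, and check the return value so a truncated line is not sent to the client as if it were a complete reply. As in pop_log.c, `#ifdef HAVE_VPRINTF` does not establish that `vsnprintf` is available, so this needs its own configure test.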

--
Roy Hooper
Sr. Systems Administrator
Cyberus Online Inc.
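The fix in the patch above replaces an unbounded vsprintf with a bounded vsnprintf, but a bound is only as good as the number passed in: when the format result is appended behind a prefix, the limit has to be the space left after the cursor, not the size of the whole buffer. The following added example is not qpopper's code and is not part of this post; it is a small stand-alone POP3-style reply builder of my own, with assumed names (pop_remaining, pop_reply_format, POP_MSG_MAX) and a constructed oversized argument, that shows the correct remaining-space computation, truncation detection, and why a sizeof(whole-buffer) bound on an advanced pointer still overshoots.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define POP_MSG_MAX 512   /* assumed reply-buffer size for this example; not qpopper's value */

/* Bytes left between cursor mp and the end of a buffer that starts at base
 * and is size bytes long. This is the bound vsnprintf needs when appending;
 * passing sizeof(buffer) while mp is past base[0] overshoots by (mp - base). */
static size_t pop_remaining(const char *base, size_t size, const char *mp)
{
    size_t used = (size_t)(mp - base);
    return used < size ? size - used : 0;
}

/* How far past the end a sizeof(buffer) bound would let vsnprintf write
 * when the output cursor is mp instead of base. */
static size_t pop_sizeof_bound_overshoot(const char *base, const char *mp)
{
    return (size_t)(mp - base);
}

/* Format "+OK <msg>" or "-ERR <msg>" into out[outsz].
 * Returns bytes written (excluding NUL), or -1 if the message did not fit;
 * out is NUL-terminated in every case, so a caller can still log it safely. */
static int pop_reply_format(char *out, size_t outsz, int ok, const char *fmt, ...)
{
    if (outsz == 0)
        return -1;
    const char *prefix = ok ? "+OK " : "-ERR ";
    size_t plen = strlen(prefix);
    if (plen >= outsz) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, prefix, plen + 1);      /* copies the NUL as well */
    char *mp = out + plen;              /* append cursor, like mp in pop_msg.c */

    va_list ap;
    va_start(ap, fmt);
    size_t room = pop_remaining(out, outsz, mp);   /* not sizeof(out): out is advanced */
    int n = vsnprintf(mp, room, fmt, ap);
    va_end(ap);

    if (n < 0) {                        /* encoding error: leave a valid empty tail */
        *mp = '\0';
        return -1;
    }
    if ((size_t)n >= room)              /* truncated; vsnprintf already placed the NUL */
        return -1;
    return (int)(plen + (size_t)n);
}

/* Exercises a reply that fits and one fed a constructed oversized argument. */
static int pop_selfcheck(void)
{
    char reply[32];
    char big[600];
    memset(big, 'A', sizeof big - 1);   /* constructed 599-byte argument */
    big[sizeof big - 1] = '\0';

    int n = pop_reply_format(reply, sizeof reply, 1, "%d messages (%d octets)", 3, 1024);
    if (n != 28 || strcmp(reply, "+OK 3 messages (1024 octets)") != 0)
        return 0;

    n = pop_reply_format(reply, sizeof reply, 0, "no such user %s", big);
    if (n != -1 || strlen(reply) != sizeof reply - 1 ||
        strncmp(reply, "-ERR no such user AAAA", 22) != 0)
        return 0;
    return 1;
}

int main(void)
{
    char reply[POP_MSG_MAX];
    int n = pop_reply_format(reply, sizeof reply, 1, "%s has %d messages", "alice", 2);
    printf("%d bytes: %s\n", n, reply);
    printf("overshoot with sizeof bound after \"+OK \": %zu bytes\n",
           pop_sizeof_bound_overshoot(reply, reply + 4));
    return pop_selfcheck() ? 0 : 1;
}
```

The -1 on truncation matters operationally: a POP3 reply cut off mid-line is still a valid C string, but it is not a valid protocol line, so the caller should log and fail the command rather than send it.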

-----Original Message-----
From: Seth McGann <smm@WPI.EDU>
To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
Date: Saturday, June 27, 1998 2:36 AM
Subject: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT


>It's come to my attention that systems around the internet are being
>exploited using a new remote overflow in Qualcomm's Popper server.  Well,
>let's clear a few things up:
>
>1.  The working exploit was stolen from my development account,
>subsequently MANY sites were cracked in short order.  Much of Efnet was
>compromised as power crazed script kiddies gained root access on IRCOP
>boxes, giving themselves O-lines.
>
>2.  This vulnerability affects FreeBSD, OpenBSD, and Solaris x86 so far.
>Other systems are most certainly vulnerable.  Linux does not appear
>vulnerable.  To test, simply send the server several thousand characters and
>see if it crashes.  Check the return address to see if it matches.
>
>3.  Due to massive exploitation the proper authorities have most likely
>been notified already.  This is a bit of an emergency.
>
>4.  You will NOT get the "exploit" from me, don't ask.  If you think you're
>"eleet" enough, do it yourself.  I admit I had some help, but it took a
>while to figure out.
>
>5.  The most obvious offender is the vsprintf() on line 66 of pop_msg.c.
>
>6.  If you have a problem with my style, I'm sorry.  I'm angry at both
>myself and the members of #conflict who I hold directly responsible for
>this breach.  I will not name names, the offenders know who they are.
>
>7.  When I have my head together I will post a patch tomorrow if one is not
>available by then.
>
>8.  For now, disable qpopper or choose another solution till qpopper is
>secured.
>
>Thank you.
>
>
>
>Seth M. McGann / smm@wpi.edu        "Security is making it
>http://www.wpi.edu/~smm              to the bathroom in time."
>KeyID: 2048/1024/E2501C80
>Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80
>