Subject: Re: [lucid@TERRA.NEBULA.ORG: qpop3.0b20 and below - notes and exploit]
From: Maurycy Prodeus (z33d@TENET.PL)
Date: Fri Dec 17 1999 - 07:08:38 CST
- Next message: Beto: "Re: ssh 1.2.27 exploit"
- Previous message: Jarle Aase: "Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70"
- Next in thread: Olaf Seibert: "Re: [lucid@TERRA.NEBULA.ORG: qpop3.0b20 and below - notes and exploit]"
- Maybe reply: Maurycy Prodeus: "Re: [lucid@TERRA.NEBULA.ORG: qpop3.0b20 and below - notes and exploit]"
- Reply: Olaf Seibert: "Re: [lucid@TERRA.NEBULA.ORG: qpop3.0b20 and below - notes and exploit]"
> These bugs only affected 3.0 betas.
Bullshit ...;P
In pop_euidl() in file pop_uidl.c (qpop-2.53):
    } else {
        sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
        if (nl = index(buffer, NEWLINE)) *nl = 0;
        sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp));
        return (pop_msg (p,POP_SUCCESS, buffer));      <-- *here*
    }
It looks good, but .... ;P
    pop_msg(POP *p, int stat, const char *format, ...)
So this function needs a format and some other data.
Luckily for the greatest Qualcomm, qpop changes privs so we have only gid mail,
but if we have a non-shell account, we can "get" a shell ...
Of course it's hard to exploit. (Probably we must change some ret ... and put
there the address of shellcode, but there are a few problems ... but in general I think
it is POSSIBLE :] )
-= SOLUTION =-
I wrote a patch for qpop-2.53 ...
-> cut here <-
--- pop_uidl.c Thu Oct 7 02:02:44 1999
+++ pop_uidl.c Sat Oct 9 20:34:00 1999

-59,7 +59,7 
sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
if (nl = index(buffer, NEWLINE)) *nl = 0;
- return (pop_msg (p,POP_SUCCESS, buffer));
+ return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
}
} else {
/* yes, we can do this */
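Review bot: the `// patched by z33d` comment on the `+` line is a C99/C++ style comment, and qpopper is a C code base built with C89 compilers at the time, so use `/* patched by z33d */` instead (or drop the comment, since the diff itself records authorship). The substantive change is right: passing `"%s"` as the format and `buffer` as an argument stops the UIDL-derived text from being parsed as printf directives. The preceding context line `sprintf(buffer, "%d %s", msg_id, mp->uidl_str);` still copies `mp->uidl_str` into `buffer` with no length limit; if `buffer` is a fixed-size array, `snprintf(buffer, sizeof buffer, ...)` would close that separately.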

-149,7 +149,7 
sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
if (nl = index(buffer, NEWLINE)) *nl = 0;
sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
- return (pop_msg (p,POP_SUCCESS, buffer));
+ return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
}
} else {
/* yes, we can do this */
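Review bot: the context line `sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));` passes `buffer` as both the destination and a `%s` source, which the C standard leaves undefined for overlapping objects; building the reply in a single `sprintf` (or into a second buffer) avoids that, and since `%.128s` bounds only the from-header part, the total length still depends on the unbounded `mp->uidl_str` copied two lines earlier. The `"%s"` fix on the `+` line is correct here for the same reason as in the first hunk, and the same `//` comment portability point applies.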
-> cut here <-
- Maurycy Prodeus, z33d@tenet.pl -
*******************************************************************************
*
* z33d@tenet.pl
*
* o Whose motorcycle is this?
* x It's not a motorcycle, it's a Harley ...
* o So whose Harley is this?
* x Zed's ...
* <-- pulp fiction
*
*******************************************************************************
<--> I wish I was your SYSADM, just call :)
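The pop_msg() format-argument bug discussed in the post above, as an added example that is not part of the original message or of qpopper's code: pop_msg_demo() is a hypothetical stand-in for pop_msg(), uidl_reply_vulnerable() mirrors the call shape in pop_euidl(), and uidl_reply_fixed() mirrors the patched call. The UIDL value is constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for qpopper's pop_msg(p, stat, format, ...):
 * renders the reply into a static buffer with vsnprintf and returns it. */
static const char *pop_msg_demo(const char *format, ...)
{
    static char out[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, sizeof out, format, ap);
    va_end(ap);
    return out;
}

/* The bug as in pop_euidl(): the reply is built from the message's UIDL
 * string and then handed to pop_msg() as the *format* argument, so any '%'
 * in the UIDL is parsed as a printf directive. The demo feeds "%%" because
 * it is the one directive that consumes no argument, which keeps the run
 * well-defined while still showing the data being interpreted. */
const char *uidl_reply_vulnerable(int msg_id, const char *uidl)
{
    char buffer[256];
    snprintf(buffer, sizeof buffer, "%d %s", msg_id, uidl);
    return pop_msg_demo(buffer);
}

/* The fix from the patch: a constant format, and buffer travels as data. */
const char *uidl_reply_fixed(int msg_id, const char *uidl)
{
    char buffer[256];
    snprintf(buffer, sizeof buffer, "%d %s", msg_id, uidl);
    return pop_msg_demo("%s", buffer);
}

int main(void)
{
    const char *uidl = "ab%%cd";  /* constructed UIDL containing '%' */
    printf("vulnerable: %s\n", uidl_reply_vulnerable(1, uidl)); /* 1 ab%cd  */
    printf("fixed:      %s\n", uidl_reply_fixed(1, uidl));      /* 1 ab%%cd */
    return 0;
}
```

Declaring pop_msg_demo() with GCC's __attribute__((format(printf, 1, 2))) and compiling with -Wformat -Wformat-security makes the compiler report the call in uidl_reply_vulnerable(), which is the cheapest way to find remaining instances of this pattern in a code base.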
This archive was generated by hypermail 2b27 : Fri Dec 17 1999 - 11:38:47 CST