OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: remote root qmail-pop with vpopmail advis

Re: remote root qmail-pop with vpopmail advisory and exploit with patch (fwd)

Subject: Re: remote root qmail-pop with vpopmail advisory and exploit with patch (fwd)
From: iv0 (kboINTER7.COM)
Date: Sun Jan 23 2000 - 22:35:09 CST

I recommend upgrading to the latest version of vpopmail which fixes
the exploit. Pick up the current stable version:

http://www.inter7.com/vpopmail/

vchkpw - which authenticates a user with information from qmail-pop
up was storing the information in a staticly defined buffer. There
was no buffer over run checking done. Current stable version now
checks for buffer overruns in several places. A security
audit of the code is being done. Which it sorely needs.

Ken Jones
http://www.inter7.com/

Adam McKenna wrote:
>
> In that case, what would you recommend?
>
> --Adam
>
> On Sun, Jan 23, 2000 at 10:53:31PM -0500, Russell Nelson wrote:
> > > 5. Recommendation
> > >
> > > Impose the 40 character limitation specified by RFC1939 into qmail.
> > > Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
> >
> > I don't recommend applying that patch. Every line of it is wrong. It
> > makes qmail-popup less secure, by inserting a call to syslog(), which
> > is a security disaster. It also sucks in the string library, which
> > includes the well-known security hole sprintf().
> >
> > --
> > -russ nelson <sigrussnelson.com> http://russnelson.com
> > Crynwr sells support for free software | PGPok | "Ask not what your country
> > 521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
> > Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | do for you..." -Perry M.
> >

This archive was generated by hypermail 2b27 : Mon Jan 24 2000 - 22:32:08 CST