Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: SNS Research (vuln-devGREYHACK.COM)
Date: Fri Apr 13 2001 - 14:12:23 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Strumpf Noir Society Advisories
    ! Public release !

    -= QPC POPd Buffer Overflow Vulnerability =-

    Release date: Saturday, April 14, 2001


    QPC's popd is the pop3 mailserver component of the company's
    QVT/NET product line for MS Windows.

    The popd and the rest of the QVT/Net product line is available
    from vendor QPC's website: http://www.qpc.com


    The pop daemon that ships with the QVT/NET software suite contains
    an unchecked buffer in the logon function. When a username or
    password of 584 bytes or more gets fed to the server the buffer
    will overflow and will trigger an access violation, after which
    the server dies.



    Vendor QPC was notified but has yet to respond.

    This was tested against QVT/Net Popd 4.20 coming with the QVT/Net
    5.0 suite, running on MS Win2k.


    Free sk8! (http://www.freesk8.org)

    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant, all information is provided on AS IS basis.

    EOF, but Strumpf Noir Society will return!