From: KF (dotslash@snosoft.com)
Date: Tue Jun 05 2001 - 20:42:37 CDT


    Here's the first post on this issue that I saw ... I worked to exploit it
    but it actually did truncate the string somehow... This was on a version
    prior to 4.0.2 I believe... I had the same result as Optium, I was
    unable to write past the edx register... the logs for syslog as I recall
    stated the string was too long and that it was truncated down to a
    certain length. Perhaps Optium has more input?

    -KF

    To: Vuln-Dev
    Subject: Qpopper 4.0 Buffer Overflow
    Date: Fri Apr 20 2001 03:15:29
    Author: Optium <shatan@ihug.co.nz>
    Message-ID: <20010420031529.5352.qmail@securityfocus.com>

    Recently I came across a buffer overflow in qpop4.0.
    The overflow occurs when the input for the
    command "user" is above 63 chars long. I was not
    able to overflow beyond the edx due to what seems
    like char filtering beyond a certain point (being 64).

    example:
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    +OK
    user
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAA
    Connection closed by foreign host.

    Optium

    Florian Weimer wrote:
    >
    > Roman Drahtmueller <draht@suse.de> writes:
    >
    > > We hope that this information is accurate. Version 4.0.2 is not on the ftp
    > > server any more, and there is no patch from 4.0.2 to 4.0.3.
    > > We currently feel handicapped in our efforts to check the code for the
    > > changes wrt the buffer overflow.
    >
    > Fortunately, there are mirrors. The problem is that 4.0.2 discovered
    > the buffer overflow attempt, even logged it via syslog(), but failed
    > to actually truncate the string and copied the original one to a
    > buffer of bounded length.
    >
    > However, I agree that removing the previous version and not providing
    > a diff is extremely counterproductive.
    >
    > --
    > Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
    > University of Stuttgart http://cert.uni-stuttgart.de/
    > RUS-CERT +49-711-685-5973/fax +49-711-685-5898
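The defect Florian describes above (the overlong USER argument is detected and logged via syslog(), but the copy that follows still uses the original string) is shown below as an added C illustration; this is not qpopper's code. The 64-byte bound, the function names, the logging stub and the 128-'A' input (the length Optium typed in the session quoted above) are assumptions modelled on the posts.

```c
#include <stdio.h>
#include <string.h>

/* Assumed bound for the USER argument buffer (Optium: "above 63 chars" overflows). */
#define ARG_BUF 64

/* Stand-in for syslog() so the example runs offline; counts "too long" events. */
static int log_count = 0;
static void log_too_long(size_t len) {
    log_count++;
    fprintf(stderr, "USER argument too long (%zu bytes), truncating\n", len);
}

/* FLAWED pattern from the thread: the length check fires and logs, but the
 * copy below it ignores the check and uses the full, unbounded string.
 * The caller passes a dst that is actually larger than `bound` so this demo
 * does not corrupt memory; in the daemon, dst was the bounded buffer itself. */
static size_t handle_user_flawed(const char *arg, char *dst, size_t bound) {
    size_t len = strlen(arg);
    if (len >= bound)
        log_too_long(len);      /* detection works ...                    */
    strcpy(dst, arg);           /* ... but the copy does not honour it    */
    return strlen(dst);         /* bytes actually written (minus the NUL) */
}

/* Corrected pattern: same check, and the copy is clamped to the bound. */
static size_t handle_user_fixed(const char *arg, char *dst, size_t bound) {
    size_t len = strlen(arg);
    if (len >= bound) {
        log_too_long(len);
        len = bound - 1;        /* keep room for the terminating NUL */
    }
    memcpy(dst, arg, len);
    dst[len] = '\0';
    return len;
}

/* Constructed input: 128 'A's, matching the quoted telnet session. */
static void make_input(char *out, size_t n) { memset(out, 'A', n); out[n] = '\0'; }

/* Runs one handler on the constructed input and returns the copied length. */
static size_t demo_len(int fixed) {
    char input[129]; make_input(input, 128);
    char scratch[256];          /* oversized on purpose, see handle_user_flawed */
    return fixed ? handle_user_fixed(input, scratch, ARG_BUF)
                 : handle_user_flawed(input, scratch, ARG_BUF);
}

int main(void) {
    printf("flawed: %zu bytes copied into a %d-byte bound\n", demo_len(0), ARG_BUF);
    printf("fixed:  %zu bytes copied\n", demo_len(1));
    return 0;
}
```

Both handlers log the event, so the syslog trail KF mentions looks identical; only the returned copy length reveals which one actually enforced the bound.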