![[LWN Logo]](/images/lwn.banner.gif)
Date: Tue, 30 Nov 1999 15:34:21 -0800 From: Qpopper Support <qpopper@QUALCOMM.COM> Subject: Re: serious Qpopper 3.0 vulnerability To: BUGTRAQ@SECURITYFOCUS.COM This is fixed in qpopper3.0b22, which is now available. It would have been nice if Mixter had reported this to <qpopper@qualcomm.com> first. ---------- Forwarded message ---------- Date: Tue, 30 Nov 1999 01:53:11 +0100 From: Mixter <mixter@NEWYORKOFFICE.COM> To: BUGTRAQ@SECURITYFOCUS.COM Subject: serious Qpopper 3.0 vulnerability Greetings, There is a remote buffer overflow in the qpop 3.0 server code that can lead to remote root compromise. Exploit attached. Vulnerable versions are all versions of qpop 3.0b, affected operating systems are _all_ systems that run it. Versions 2.52 and 2.53 do not contain this bug. The latest version available is 3.0b20, which is vulnerable, along with all previous 3.0 versions. I advise everyone running qpop3.0b servers to shut down the server IMMEDIATELY by disabling the entry in inetd.conf and then downgrading to v2.53 or another program until an official patch has been released. Details: The buffer overflow(s) are present in pop_msg.c (sounds familiar..) starting at line 68. All configurations and different builds seem to be vulnerable, as either vsprintf or sprintf are used, which both do not check bounds on the input buffers for each argument. Exploiting: The overflow code should not contain characters 0x0c/x17/x20, because it would get interpreted as more than one argument and hence fail. Patching: I included a small patch. You should only use inofficial patches if you totally need to use version 3.0, otherwise downgrade and wait for a patch from Qualcomm. IF you patch this by yourself, please consider that the buffer pointer CHANGES and the buffer is about 30 bytes LESS than the defined MAXLINELEN!! PS: The installation file suggests to run qpopper without tcpd, e.g.: pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s I would NOT suggest doing it that way. Use: pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s instead. At least for me it works behind a tcp wrapper, and that way, you can use access control and every connection _attempt_ gets logged. Mixter --- end forwarded text