Date:      Mon, 29 Jun 1998 23:00:59 -0400 (EDT)
From:      spork <spork@super-g.com>
To:        "Aaron D. Gifford" <agifford@infowest.com>
Cc:        bugtraq@netspace.org, John Fraizer <tvo@APPCYB.COM>, security@FreeBSD.ORG
Subject:   Re: More problems with QPOPPER - <sigh>
Message-ID:  <Pine.BSF.3.96.980629225521.14127B-100000@super-g.inch.com>
In-Reply-To: <359749BB.8A412952@infowest.com>

Hey, and if you use bulletins with the "BULLDB" option, look at some of
the junk you find in the database...  It should really only contain
usernames and the last bulletin they read, right?  Something odd is
happening here.

It looks OK for a while:

pebraguz
bright
agagescu
mgarwood
zandperl

Then you start seeing some odd things:

mmary.971113
16.nynext1.summary.971113

hmm.. not from GECOS, that's a bulletin title...

Then this:

chrisptt
-->>1Gdk/WhOsSj0o
christopher@foofoo.com
/home/chrisptt
/usr/local/bin/noshell
1chrispkpushkar

Nice, huh?

What's going on in pop_bull.c?

Charles Sprickman
spork@super-g.com
---- 

On Mon, 29 Jun 1998, Aaron D. Gifford wrote:

> John Fraizer wrote:
> > 
> > After applying all the patches with exception of the PAM patch in the
> > .RPM'd version of qpopper2.4.src, I have located yet another hole in
> > qpopper.
> > 
> > This popper was compiled with -DAUTH in the makefile.
> > 
> > Connecting to the popper and sending a line of garbage will now generate
> > the maximum permitted size error.  Providing an INVALID username and
> > sending a line of garbage (1000+ chars), does not segfault.  I was
> > beginning to relax.
> > 
> > [OverKill]:/$ telnet localhost pop3
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > +OK QPOP (version 2.4) at Victim.Com starting.
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > -ERR Command "xxxxxxxxxxxxxxxxx" (truncated) exceedes maximum permitted
> > size.
> > user blah
> > +OK Password required for blah.
> > pass
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > 
> > -ERR Password supplied for "blah" is incorrect.
> > +OK Pop server at Victim.Com signing off.
> > Connection closed by foreign host.
> > 
> > I decided to try a long username:
> > 
> > [OverKill]:/$ telnet localhost pop3
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > +OK QPOP (version 2.4) at Victim.Com starting.
> > user
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > -ERR Argument 1 "xxxxxxxxxxxxxxxxx" (truncated) exceeds maximum permitted
> > size.
> > 
> > Handled it just fine.
> > 
> > Then, I decided to try a VALID username:
> > 
> > [OverKill]:/$ telnet localhost pop3
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > +OK QPOP (version 2.4) at Victim.Com starting.
> > user valid
> > +OK Password required for valid.
> > pass
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > Connection closed by foreign host.
> > 
> > It segfaulted and dumped core.
> > 
> > Damnit, Jim, I'm a Doctor not a C programmer!  I have managed to locate
> > the portion of the code that is bypassing the " -ERR Command
> > "xxxxxxxxxxxxxxxxx" (truncated) exceedes maximum permitted size. " code
> > from the installed patches:
> > 
> > In pop_parse.c, we find:
> > 
> >           /*
> >            * This is kinda gross.  Passwords have to be parsed diffrently
> >            * as they may contain spaces.  If you think of a cleaner way,
> >            * do it.  The "p->pop_command[0] == 'p'" is so save a call to
> >            * strcmp() on ever call to pop_parse();  This parsing keeps
> >            * leading and trailing speces behind for the password command.
> >            */
> >           if(p->pop_command[0] == 'p' && strcmp(p->pop_command,"pass") == 0) {
> >             if (*mp != 0) {
> >               p->pop_parm[1] = mp;
> >               if (strlen(mp) > 0) {
> >                 mp = mp + strlen(mp) - 1;
> >                 while (*mp == 0xa || *mp == 0xd) *mp-- = 0;
> >               }
> > 
> > Looks like basically that if the parser sees that the command was actually
> > a password argument, it doesn't send it through the truncate code.
> 
> Looks like qpopper after the "if(p->pop_command..." bit assumes everything
> else in the buffer is the password except any trailing CR/LF characters, which
> it removes.  I cannot understand the "if (strlen(mp) > 0) {" test, because the
> previous "if (*mp != 0) {" test should guarantee that strlen() will always at
> least return 1.
> 
> For those who want to be consistent about limiting argument length using
> MAXPARMLEN, you can try this snippet instead of the above existing snippet in
> pop_parse.c:
> 
>  if(p->pop_command[0] == 'p' && strcmp(p->pop_command,"pass") == 0) {
>    if (*mp != 0) {
>        if (strlen(mp) > MAXPARMLEN) {
>          mp[MAXPARMLEN] = '\0';
>          pop_msg(p,POP_FAILURE,
>                  "Argument %d \"%s\" (truncated) exceeds maximum permitted size.",
>                  i+1, mp);
>          return(-1);
>        }
>      p->pop_parm[1] = mp;
>      mp = mp + strlen(mp) - 1;
>      while (*mp == 0xa || *mp == 0xd) *mp-- = 0;
>      return(1);
>    } else
>      return (-1);
>  }
> 
> 
> PLEASE be aware that you need a large enough MAXPARMLEN defined in popper.h to
> handle large passwords or APOP depending on your individual needs.  I've been
> using 32 on my system, which should permit APOP to work.
> 
> 
> Another fun qpopper trivia fact for the security conscious: While looking at
> the APOP stuff, I see that it is possible to glean valid user names from sites
> using certain configurations of qpopper with APOP support.  For example:
> 
>   localhost# telnet localhost 110
>   +OK QPOP (version 2.41beta1) at localhost starting. <18115.899106609@localhost>
>   APOP bogus-user 1638de71888f8c3ff023ac5c38621211
>   -ERR Password supplied for "bogus" is incorrect.
>   +OK Pop server at localhost signing off.
>   Connection closed by foreign host.
>   localhost# telnet localhost 110
>   +OK QPOP (version 2.41beta1) at localhost starting. <18119.899106628@localhost>
>   APOP real-user 8463af56e9a5d72cc84012ad7748f92c
>   -ERR not authorized
>   +OK Pop server at localhost signing off.
>   Connection closed by foreign host.
>   localhost#
> 
> Nice.  In some cases where APOP support is compiled in but the APOP database
> does not exist, the error message on a valid user might be "-ERR POP
> authorization DB not available (real-user)" instead of the "-ERR not
> authorized" message.  I don't know if this would work for sites with properly
> configured APOP or not.  It worked on my own machine which does NOT use APOP
> but had APOP compiled in by default.
> 
> Aaron out.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
> 
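The PASS-argument fix Aaron sketches above, written out as an added example that is not qpopper's own code: it applies the MAXPARMLEN limit to the password the same way pop_parse.c applies it to other arguments, and it also bounds the trailing CR/LF strip so it cannot step backwards past the start of the buffer (the `while (*mp == 0xa || *mp == 0xd) *mp-- = 0;` loop in both snippets does that when the argument is only a CR/LF). MAXPARMLEN is the name from popper.h; its value here and the inputs in main() are constructed for the demonstration.

```c
/* Added example, not qpopper's code: a length-checked parser for the
 * POP3 PASS argument, following the pop_parse.c fix in the thread.
 * MAXPARMLEN is the qpopper name; its value here and the inputs in
 * main() are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>

#define MAXPARMLEN 32   /* large enough for a 32-hex-char APOP digest */

/* Parse the rest of a "PASS ..." line; mp points just past the command
 * word, so leading and embedded spaces stay part of the password.
 * Returns 1 and sets *parm on success, or -1 with a POP3 error in err.
 * Unlike the original snippet, the CR/LF strip is bounded by the
 * argument length, so it cannot walk backwards out of the buffer. */
static int parse_pass_arg(char *mp, char **parm, char *err, size_t errlen)
{
    size_t len = strlen(mp);

    *parm = NULL;
    /* Drop trailing CR/LF without stepping before mp[0]. */
    while (len > 0 && (mp[len - 1] == '\n' || mp[len - 1] == '\r'))
        mp[--len] = '\0';
    if (len == 0) {
        snprintf(err, errlen, "-ERR Missing password argument.");
        return -1;
    }
    /* Same limit pop_parse.c applies to every other argument. */
    if (len > MAXPARMLEN) {
        mp[MAXPARMLEN] = '\0';   /* truncate before echoing it back */
        snprintf(err, errlen, "-ERR Argument 1 \"%s\" (truncated) "
                 "exceeds maximum permitted size.", mp);
        return -1;
    }
    *parm = mp;
    return 1;
}

int main(void)
{
    char good[] = "my pass word\r\n", empty[] = "\r\n", big[1200], err[160], *parm;

    memset(big, 'x', sizeof big - 1);      /* 1199 x's: the thread's "1000+ chars" case */
    big[sizeof big - 1] = '\0';
    printf("%d [%s]\n", parse_pass_arg(good, &parm, err, sizeof err), parm);
    printf("%d %s\n", parse_pass_arg(empty, &parm, err, sizeof err), err);
    printf("%d %s\n", parse_pass_arg(big, &parm, err, sizeof err), err);
    return 0;
}
```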
