Date: Sat, 27 Jun 1998 14:28:52 -0500 (CDT) From: Igor Roshchin <igor@physics.uiuc.edu> To: "Jordan K. Hubbard" <jkh@time.cdrom.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT Message-ID: <199806271928.OAA00340@alecto.physics.uiuc.edu>
next in thread | raw e-mail | index | archive | help
From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
> > Jordan K. Hubbard wrote:
> > >
> > >
> > > I've already committed a slightly more intelligent fix to this
> > > problem. Thanks!
> > >
> >
> > But it doesn't work
> Then there is more than one overflow, unless you can show me precisely
> why the change I've already made "doesn't work?" - what you've shown
> me so far could come from any number of other places in the code and
> I never claimed to fix *all* potential overflows, just that one.
> - Jordan
THere seems to be yet another similar buffer overflow
in pop_log.c
(Credit to Tom Brown <tbrown@BAREMETAL.COM>,
Roy Hooper <rhooper@CORP.CYBERUS.CA>,
and Miquel van Smoorenburg <miquels@CISTRON.NL> who posted it to BUGTRAQ)
#ifdef HAVE_VPRINTF
vsprintf(msgbuf,format,ap);
#else
M.v.S also noticed yet another overflow.
His message is below.
IgoR
PS.
Sorry for duplicating BUGTRAQ messages, especially,
if Jordan and others are already working on this fix, having read
those BUGTRAQ postings.
================ 8< =======================
>From owner-bugtraq@NETSPACE.ORG Sat Jun 27 11:11:32 1998
References: <19980627050419750.AAA323.373@dell166>
Message-ID: <6n2t2q$398$1@Q.cistron.nl>
Date: Sat, 27 Jun 1998 15:46:02 +0200
Reply-To: Miquel van Smoorenburg <miquels@CISTRON.NL>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Miquel van Smoorenburg <miquels@CISTRON.NL>
Organization: Cistron Internet ervices B.V.
Subject: Re: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT
To: BUGTRAQ@NETSPACE.ORG
In article <19980627050419750.AAA323.373@dell166>,
Seth McGann <smm@WPI.EDU> wrote:
>Its come to my attention that systems around the internet are being
>exploited using a new remote overflow in Qualcomm's Popper server. Well,
Oops! Here's a fix, that also fixes another thing I noted: buffer overflow
in X-UIDL processing (compromise an account by sending mail to it ..)
You need to put "HAVE_VSNPRINTF" in popper.h yourself if your O/S is
not Linux and it supports vsnprintf()
Patch relative to qpopper-2.3, the latest free version:
diff -ruN qpopper-2.3.orig/pop_dropcopy.c qpopper-2.3/pop_dropcopy.c
--- qpopper-2.3.orig/pop_dropcopy.c Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_dropcopy.c Sat Jun 27 15:33:07 1998
@@ -462,6 +462,9 @@
} else
cp = "";
+ /* Make UIDL not longer then 128 chars, we use it
+ in sprintf() later on */
+ if (strlen(cp) >= 128) cp[127] = 0;
mp->uidl_str = (char *)strdup(cp);
mp->length += nchar + 1;
p->drop_size += nchar + 1;
diff -ruN qpopper-2.3.orig/pop_log.c qpopper-2.3/pop_log.c
--- qpopper-2.3.orig/pop_log.c Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_log.c Sat Jun 27 15:33:07 1998
@@ -18,7 +18,11 @@
* log: Make a log entry
*/
+#ifdef HAVE_VSNPRINTF
static char msgbuf[MAXLINELEN];
+#else
+static char msgbuf[MAXLINELEN*4];
+#endif
pop_log(va_alist)
va_dcl
@@ -46,6 +50,9 @@
arg6 = va_arg(ap, char *);
#endif
+#ifdef HAVE_VSNPRINTF
+ vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
+#else
#ifdef HAVE_VSPRINTF
vsprintf(msgbuf,format,ap);
#else
@@ -57,6 +64,7 @@
# endif
va_end(ap);
#endif
+#endif
if (p->debug && p->trace) {
clock = time(0);
@@ -67,6 +75,8 @@
(void)fflush(p->trace);
}
else {
+ /* Protect syslog from too long messages */
+ if (strlen(msgbuf) >= 512) msgbuf[511] = 0;
syslog (stat,"%s",msgbuf);
}
diff -ruN qpopper-2.3.orig/pop_msg.c qpopper-2.3/pop_msg.c
--- qpopper-2.3.orig/pop_msg.c Sat Mar 29 05:30:36 1997
+++ qpopper-2.3/pop_msg.c Sat Jun 27 15:33:07 1998
@@ -34,7 +34,11 @@
#ifdef PYRAMID
char * arg1, *arg2, *arg3, *arg4, *arg5, *arg6;
#endif
+#ifdef HAVE_VSNPRINTF
char message[MAXLINELEN];
+#else
+ char message[MAXLINELEN * 4];
+#endif
va_start(ap);
p = va_arg(ap, POP *);
@@ -63,6 +67,9 @@
/* Append the message (formatted, if necessary) */
if (format)
+#ifdef HAVE_VSNPRINTF
+ vsnprintf(mp,sizeof(message) - strlen(mp) - 1, format,ap);
+#else
#ifdef HAVE_VSPRINTF
vsprintf(mp,format,ap);
#else
@@ -72,6 +79,7 @@
(void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
((int *)ap)[3],((int *)ap)[4]);
# endif
+#endif
#endif
va_end(ap);
diff -ruN qpopper-2.3.orig/popper.h qpopper-2.3/popper.h
--- qpopper-2.3.orig/popper.h Mon Mar 31 22:10:18 1997
+++ qpopper-2.3/popper.h Sat Jun 27 15:33:56 1998
@@ -128,6 +128,7 @@
#endif
#ifdef LINUX
+# define HAVE_VSNPRINTF
# define POP_MAILDIR "/var/spool/mail"
# define POP_DROP "/var/spool/mail/.%s.pop"
# define POP_TMPDROP "/var/spool/mail/tmpXXXXXX"
--
Miquel van Smoorenburg | Our vision is to speed up time,
miquels@cistron.nl | eventually eliminating it.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199806271928.OAA00340>