Date: Mon, 29 Jun 1998 02:00:59 -0600 From: "Aaron D. Gifford" <agifford@infowest.com> To: bugtraq@netspace.org Cc: John Fraizer <tvo@APPCYB.COM>, security@FreeBSD.ORG Subject: Re: More problems with QPOPPER - <sigh> Message-ID: <359749BB.8A412952@infowest.com> References: <Pine.LNX.3.95.980628202454.13116A-100000@Noldor>
next in thread | previous in thread | raw e-mail | index | archive | help
John Fraizer wrote:
>
> After applying all the patches with exception of the PAM patch in the
> .RPM'd version of qpopper2.4.src,
> I have located yet another hole in qpopper.
>
> This popper was compiled with -DAUTH in the makefile.
>
> Connecting to the popper and sending a line of garbage will now generate
> the maximum permitted size
> error. Providing an INVALID username and sending a line of garbage (1000+
> chars), does not segfault. I
> was beginning to relax.
>
> [OverKill]:/$ telnet localhost pop3
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK QPOP (version 2.4) at Victim.Com starting.
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> -ERR Command "xxxxxxxxxxxxxxxxx" (truncated) exceedes maximum permitted
> size.
> user blah
> +OK Password required for blah.
> pass
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> -ERR Password supplied for "blah" is incorrect.
> +OK Pop server at Victim.Com signing off.
> Connection closed by foreign host.
>
> I decided to try a long username:
>
> [OverKill]:/$ telnet localhost pop3
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK QPOP (version 2.4) at Victim.Com starting.
> user
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> -ERR Argument 1 "xxxxxxxxxxxxxxxxx" (truncated) exceeds maximum permitted
> size.
>
> Handled it just fine.
>
> Then, I decided to try a VALID username:
>
> [OverKill]:/$ telnet localhost pop3
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK QPOP (version 2.4) at Victim.Com starting.
> user valid
> +OK Password required for valid.
> pass
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Connection closed by foreign host.
>
> It segfaulted and dumped core.
>
> Damnit, Jim, I'm a Doctor not a C programmer! I have managed to locate
> the portion of the code that is bypassing the " -ERR Command
> "xxxxxxxxxxxxxxxxx" (truncated) exceedes maximum permitted size. " code
> from the installed patches:
>
> In pop_parse.c, we find:
>
> /*
> * This is kinda gross. Passwords have to be parsed diffrently
> * as they may contain spaces. If you think of a cleaner way,
> * do it. The "p->pop_command[0] == 'p'" is so save a call to
> * strcmp() on ever call to pop_parse(); This parsing keeps
> * leading and trailing speces behind for the password command.
> */
> if(p->pop_command[0] == 'p' && strcmp(p->pop_command,"pass") ==
> 0) {
> if (*mp != 0) {
> p->pop_parm[1] = mp;
> if (strlen(mp) > 0) {
> mp = mp + strlen(mp) - 1;
> while (*mp == 0xa || *mp == 0xd) *mp-- = 0;
> }
>
> Looks like basically that if the parser sees that the command was actually
> a password argument, it doesn't send it through the truncate code.
Looks like qpopper after the "if(p->pop_command..." bit assumes everything
else in the buffer is the password except any trailing CR/LF characters, which
it removes. I cannot understand the "if (strlen(mp) > 0) {" test, because the
previous "if (*mp != 0) {" test should guarantee that strlen() will always at
least return 1.
For those who want to be consistent about limiting argument length using
MAXPARMLEN, you can try this snippit instead of the above existing snippit in
pop_parse.c:
if(p->pop_command[0] == 'p' && strcmp(p->pop_command,"pass") == 0) {
if (*mp != 0) {
if (strlen(mp) > MAXPARMLEN) {
mp[MAXPARMLEN] = '\0';
pop_msg(p,POP_FAILURE,
"Argument %d \"%s\" (truncated) exceeds maximum permitted
size.",
i+1, mp);
return(-1);
}
p->pop_parm[1] = mp;
mp = mp + strlen(mp) - 1;
while (*mp == 0xa || *mp == 0xd) *mp-- = 0;
return(1);
} else
return (-1);
}
PLEASE be aware that you need a large enough MAXPARMLEN defined in popper.h to
handle large passwords or APOP depending on your individual needs. I've been
using 32 on my system, which should permit APOP to work.
Another fun qpopper trivia fact for the security conscious: While looking at
the APOP stuff, I see that it is possible to glean valid user names from sites
using certain configurations of qpopper with APOP support. For example:
localhost# telnet localhost 110
+OK QPOP (version 2.41beta1) at localhost starting.
<18115.899106609@localhost>
APOP bogus-user 1638de71888f8c3ff023ac5c38621211
-ERR Password supplied for "bogus" is incorrect.
+OK Pop server at localhost signing off.
Connection closed by foreign host.
localhost# telnet localhost 110
+OK QPOP (version 2.41beta1) at localhost starting.
<18119.899106628@localhost>
APOP real-user 8463af56e9a5d72cc84012ad7748f92c
-ERR not authorized
+OK Pop server at localhost signing off.
Connection closed by foreign host.
localhost#
Nice. In some cases where APOP support is compiled in but the APOP database
does not exist, the error message on a valid user might be "-ERR POP
authorization DB not available (real-user)" instead of the "-ERR not
authorized" message. I don't know if this would work for sites with properly
configured APOP or not. It worked on my own machine which does NOT use APOP
but had APOP compiled in by default.
Aaron out.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?359749BB.8A412952>