Date: Sat, 27 Jun 1998 02:21:02 -0700 (PDT)
From: bow <bow@bow.net>
To: Igor Roshchin <igor@physics.uiuc.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT
Message-ID: <v03110701b1ba0652ee75@[204.210.38.36]>
In-Reply-To: <199806270818.DAA19951@alecto.physics.uiuc.edu>
This is a realllly quick fix. There are probably 100 ways to do it better, but this is better than turning qpopper off.
-bow

*** qpopper2.41beta1-qfix/pop_msg.c Wed Nov 19 13:20:38 1997 --- qpopper2.41beta1/pop_msg.c Sat Jun 27 02:15:59 1998 *************** *** 63,74 **** /* Append the message (formatted, if necessary) */ if (format) #ifdef HAVE_VPRINTF ! vsprintf(mp,format,ap); #else # ifdef PYRAMID ! (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6); # else ! (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2], ((int *)ap)[3],((int *)ap)[4]); # endif #endif --- 63,74 ---- /* Append the message (formatted, if necessary) */ if (format) #ifdef HAVE_VPRINTF ! vsnprintf(mp,MAXLINELEN-8,format,ap); #else # ifdef PYRAMID ! (void)snprintf(mp,MAXLINELEN-8,format, arg1, arg2, arg3, arg4, arg5, arg6); # else ! (void)snprintf(mp,MAXLINELEN-8,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2], ((int *)ap)[3],((int *)ap)[4]); # endif #endif

>This dumps core on a 2.2.5-RELEASE box.
>After sending over 40 thousand symbols I just kill -HUP the
>connection to the popper, and it dumps the core.
>I don't know how exploitable it is though.
>
>Can anybody come up with a quick patch?
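Review bot: the new size argument MAXLINELEN-8 is a fixed constant, but the comment on this hunk says the call appends to mp, so if mp has already advanced into the buffer the space actually left is smaller than MAXLINELEN-8 and the bound no longer prevents the overrun; pass the remaining length (buffer end minus mp) instead, and say in a comment what the 8 accounts for. The #ifdef HAVE_VPRINTF test only promises vprintf, not vsnprintf, and the two #else branches now call snprintf on exactly the platforms least likely to provide it, so this needs its own configure check or a fallback. The return values of vsnprintf/snprintf are also discarded, so a truncated reply would be sent silently; check for truncation and at least log it.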
>
>Thanks,
>IgoR
>
>
>>From owner-bugtraq@NETSPACE.ORG Sat Jun 27 01:32:44 1998
>Approved-By: aleph1@DFW.NET
>Date: Sat, 27 Jun 1998 00:58:24 -0400
>Reply-To: Seth McGann <smm@WPI.EDU>
>Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
>From: Seth McGann <smm@WPI.EDU>
>Subject: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT
>To: BUGTRAQ@NETSPACE.ORG
>
>It's come to my attention that systems around the internet are being
>exploited using a new remote overflow in Qualcomm's Popper server. Well,
>let's clear a few things up:
>
>1. The working exploit was stolen from my development account;
>subsequently MANY sites were cracked in short order. Much of Efnet was
>compromised as power-crazed script kiddies gained root access on IRCOP
>boxes, giving themselves O-lines.
>
>2. This vulnerability affects FreeBSD, OpenBSD, and Solaris x86 so far.
>Other systems are most certainly vulnerable. Linux does not appear
>vulnerable. To test, simply send the server several thousand characters and
>see if it crashes. Check the return address to see if it matches.
>
>3. Due to massive exploitation the proper authorities have most likely
>been notified already. This is a bit of an emergency.
>
>4. You will NOT get the "exploit" from me, don't ask. If you think you're
>"eleet" enough, do it yourself. I admit I had some help, but it took a
>while to figure out.
>
>5. The most obvious offender is the vsprintf() on line 66 of pop_msg.c.
>
>6. If you have a problem with my style, I'm sorry. I'm angry at both
>myself and the members of #conflict who I hold directly responsible for
>this breach. I will not name names; the offenders know who they are.
>
>7. When I have my head together I will post a patch tomorrow if one is not
>available by then.
>
>8. For now, disable qpopper or choose another solution till qpopper is
>secured.
>
>Thank you.
>
>Seth M. McGann / smm@wpi.edu          "Security is making it
>http://www.wpi.edu/~smm                to the bathroom in time."
>KeyID: 2048/1024/E2501C80
>Fingerprint 3344 DFA2 8E4A 977B 63A7 19E3 6AF7 4AE7 E250 1C80

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
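One way to bound the reply formatting that point 5 above blames on vsprintf(), written here as an added example rather than qpopper's code or the patch in this thread: the function name, the status prefix handling and the 8-byte minimum buffer are assumptions of mine, not qpopper's, but the pattern of sizing each write by the space that remains after the cursor (mp) is the point.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Build a POP status line ("+OK ..." or "-ERR ...") into buf[buflen].
 * Every write is bounded by the space still free after the write cursor,
 * so an oversized format argument is cut short instead of overrunning the
 * array the way vsprintf() into a fixed-size message buffer does.
 * Returns 0 on success, 1 if the text was truncated, -1 on error.
 * (Hypothetical helper; not part of qpopper.)
 */
int pop_reply_format(char *buf, size_t buflen, int ok, const char *format, ...)
{
    char *mp = buf;          /* write cursor, like qpopper's mp */
    size_t left = buflen;    /* bytes remaining from mp to the end of buf */
    int truncated = 0;
    int n;
    va_list ap;

    if (buf == NULL || buflen < 8)     /* "-ERR " + CRLF + NUL at minimum */
        return -1;

    n = snprintf(mp, left, "%s", ok ? "+OK " : "-ERR ");
    mp += n;
    left -= (size_t)n;

    if (format) {
        /* vsnprintf may use all but two bytes: its NUL slot is later
         * overwritten by the CR, and the LF and final NUL follow it. */
        size_t room = left - 2;
        va_start(ap, format);
        n = vsnprintf(mp, room, format, ap);
        va_end(ap);
        if (n < 0)
            return -1;
        if ((size_t)n >= room) {       /* did not fit: count bytes actually stored */
            truncated = 1;
            n = (int)room - 1;
        }
        mp += n;
        left -= (size_t)n;
    }
    memcpy(mp, "\r\n", 3);             /* CRLF + NUL; space was reserved above */
    return truncated;
}
```

A caller that wants the original behaviour of never sending a truncated line can treat a return of 1 as an error and log it instead of writing the reply.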