Date:      Thu, 25 May 2000 02:00:34 +0400 (MSD)
From:      Dmitry Valdov <dv@dv.ru>
To:        Jeremy Shaffner <jer@jorsm.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: QPOPPER: Remote gid mail exploit
Message-ID:  <Pine.BSF.3.95q.1000525015811.4888A-100000@xkis.kis.ru>
In-Reply-To: <Pine.BSF.4.21.0005241649220.7700-100000@mercury.jorsm.com>

Hi!

Oops, sorry. My fault. I've inserted "%s" before POP_SUCCESS, not before
"buffer".
Sorry again.

Dmitry.


On Wed, 24 May 2000, Jeremy Shaffner wrote:

> Date: Wed, 24 May 2000 16:52:01 -0500 (CDT)
> From: Jeremy Shaffner <jer@jorsm.com>
> To: Dmitry Valdov <dv@dv.ru>
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: QPOPPER: Remote gid mail exploit
> 
> 
> I don't see that happening here:
> 
> uidl 2
> +OK 2 AAAAAAAAAAAAAA
> euidl 2
> +OK 2 AAAAAAAAAAAAAA 481 %p%p%p%p%p%p%p%p@foo.domain.com
> 
> Without the patch you get the behavior described in the advisory:
> 
> +OK 2 AAAAAAAAAAAAAA 470
> 0xbfbfd0340x804fd640xbfbfd0340x1d60x8052e4e0xbfbfd86c0x
> 80570280x5@foo.domain.com
> 
> 
> -Jeremy
> 
> On Thu, 25 May 2000, Dmitry Valdov wrote:
> 
> > Hi!
> > 
> > This patch doesn't work. popper exits with sig11 when the user sends a UIDL xxx
> > command.
> > 
> > Dmitry.
> > 
> > 
> > > 	Or you can manually patch it by doing the following: 
> > > 
> > > 	  At lines 152 and 62 from pop_uidl.c, replace:
> > > 	- return (pop_msg (p,POP_SUCCESS, buffer));
> > > 	  with:
> > > 	+ return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > > 
> > > 
> > > Here is the resulting patch:
> > > 
> > > 
> > > ---------8<--------
> > > 
> > > --- pop_uidl.c.orig     Wed May 24 15:58:53 2000
> > > +++ pop_uidl.c  Wed May 24 16:21:56 2000
> > > @@ -59,7 +59,7 @@
> > >  
> > >         sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
> > >          if (nl = index(buffer, NEWLINE)) *nl = 0;
> > > -       return (pop_msg (p,POP_SUCCESS, buffer));
> > > +       return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > >        }
> > >      } else {
> > >         /* yes, we can do this */
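Review bot: The `sprintf(buffer, "%d %s", msg_id, mp->uidl_str)` kept as context directly above the changed return is still unbounded, so nothing in these lines limits how much of `mp->uidl_str` is written into `buffer`. The added `"%s"` argument on the `pop_msg` call is the right fix for the format-string problem; consider switching this `sprintf` to `snprintf` with the size of `buffer` in the same change so the string handed to `pop_msg` is known to fit.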
> > > @@ -149,7 +149,7 @@
> > >         sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
> > >          if (nl = index(buffer, NEWLINE)) *nl = 0;
> > >         sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,
> > > mp));
> > > -       return (pop_msg (p,POP_SUCCESS, buffer));
> > > +       return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > >        }
> > >      } else {
> > >         /* yes, we can do this */
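Review bot: The second `sprintf` in this hunk passes `buffer` as both the destination and a `%s` source (`sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp))`), which is undefined behaviour in C because the source and destination overlap. Since the return line below it is being touched anyway, append instead: write at `buffer + strlen(buffer)` with `snprintf` and the remaining space, keeping the `%.128s` cap on the `from_hdr` result.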
> > > 
> > > ------->8---------- 
> > > 
> 
> 
> ---
> Jeremy Shaffner
> System Administrator
> JORSM Internet
> jer@jorsm.com
> http://www.jorsm.com/~jer/pgp.key
> 
> 
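The behaviour Jeremy reports with the patch applied, as an added example that is not part of the original thread or of qpopper's source: `reply_msg` is a hypothetical stand-in for `pop_msg`, and the `POP_SUCCESS` value, the buffer sizes and the sample header are assumptions constructed for illustration. Giving the wrapper a prototype with a `format` attribute lets GCC/Clang flag both the pre-patch call and a misplaced `"%s"` at compile time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define POP_SUCCESS 1 /* assumed value, stands in for qpopper's status code */

/* Hypothetical stand-in for pop_msg(). The attribute marks argument 4 as a
 * printf format, so -Wformat -Wformat-security checks every call site. */
int reply_msg(char *out, size_t outlen, int stat, const char *fmt, ...)
    __attribute__((format(printf, 4, 5)));

int reply_msg(char *out, size_t outlen, int stat, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "%s ", stat == POP_SUCCESS ? "+OK" : "-ERR");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= outlen - (size_t)n)
        return -1; /* reply would be truncated */
    return n + m;
}

/* Builds an EUIDL-style reply. Message data is only ever an argument,
 * never the format string, which is what the patch changes. */
int euidl_reply(char *out, size_t outlen, int msg_id, const char *uidl,
                int length, const char *from)
{
    char buffer[512];
    int n = snprintf(buffer, sizeof buffer, "%d %s %d %.128s",
                     msg_id, uidl, length, from);
    if (n < 0 || (size_t)n >= sizeof buffer)
        return -1;
    /* Pre-patch form, flagged by -Wformat-security:
     *   reply_msg(out, outlen, POP_SUCCESS, buffer);
     * Misplaced "%s" (string where the int status belongs) is a type error:
     *   reply_msg(out, outlen, "%s", POP_SUCCESS, buffer); */
    return reply_msg(out, outlen, POP_SUCCESS, "%s", buffer);
}

int main(void)
{
    char out[256];
    /* Constructed sample: a From header made of conversion specifiers. */
    if (euidl_reply(out, sizeof out, 2, "AAAAAAAAAAAAAA", 481,
                    "%p%p%p%p%p%p%p%p@foo.domain.com") > 0)
        puts(out);
    return 0;
}
```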
