[UNIX] POPclient DoS Due To An Off-By-One Overflow Condition
From: SecuriTeam (support_at_securiteam.com)
Date: 07/01/04
To: list@securiteam.com
Date: 1 Jul 2004 17:36:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
POPclient DoS Due To An Off-By-One Overflow Condition
------------------------------------------------------------------------
SUMMARY
"popclient is a Post Office Protocol compliant mail retrieval client that
supports both POP2 (as specified in RFC 937) and POP3 (RFC 1725)"
(http://man.he.net/man1/popclient). An off-by-one condition exists in the
POP3 handler code of this application. By crafting a malicious e-mail, a
remote attacker may cause a denial of service against users of this
software.
DETAILS
Vulnerable Systems:
* popclient version 3.0b6
The problem originates from the POP3_readmsg() function in the pop3.c
source file:
int POP3_readmsg (socket,mboxfd,topipe)
int socket;
int mboxfd;
int topipe;
{
[1] char buf [MSGBUFSIZE];
    char *bufp;
    char savec;
    char fromBuf[MSGBUFSIZE];
    int needFrom;
    int lines,sizeticker;
    time_t now;
    /* This keeps the retrieved message count for display purposes */
    static int msgnum = 0;

    /* set up for status message if outlevel allows it */
    if (outlevel > O_SILENT && outlevel < O_VERBOSE) {
        fprintf(stderr,"reading message %d",++msgnum);
        /* won't do the '...' if retrieved messages are being sent to stdout */
        if (mboxfd == 1)
            fputs(".\n",stderr);
        else
            ;
    }
    else
        ;

    /* read the message content from the server */
    lines = 0;
    sizeticker = MSGBUFSIZE;
    while (1) {
[2]     if (SockGets(socket,buf,sizeof(buf)) < 0)
            return(PS_SOCKET);
        bufp = buf;
        if (*bufp == '.') {
            bufp++;
            if (*bufp == 0)
                break; /* end of message */
        }
[3]     strcat(bufp,"\n");
        /* ... remainder of the function not reproduced in the advisory ... */
A buffer of size MSGBUFSIZE is declared at [1]. At [2], the function
SockGets is called, which reads one line of the message into this buffer.
For a long line it stores at most (MSGBUFSIZE - 1) characters plus the
required null terminator, so the buffer is completely full. When the strcat
at [3] is then performed, the null is overwritten with the '\n' character
and a new null is written one byte past the end of the buffer, partially
overwriting the saved stack pointer. When the function returns this leads
to an application crash; however, there does not appear to be any
possibility of influencing this behavior to cause anything other than a
DoS.
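The arithmetic behind the off-by-one, and a bounds-checked form of the loop body, as an added example (not popclient's code). SockGets is simulated by a constructed stand-in, DEMO_BUFSIZE is a small constructed size, and the names are assumptions:

```c
#include <string.h>

/* Small buffer so the edge case is easy to see (constructed; MSGBUFSIZE is larger). */
#define DEMO_BUFSIZE 16

enum { LINE_OK = 0, LINE_END_OF_MESSAGE = 1, LINE_TOO_LONG = -1 };

/* Stand-in for SockGets(): stores at most size-1 bytes of the line plus a NUL,
 * the truncation behaviour the advisory describes. Returns bytes stored. */
size_t sockgets_sim(const char *line, char *buf, size_t size)
{
    size_t n = strlen(line);
    if (n > size - 1)
        n = size - 1;
    memcpy(buf, line, n);
    buf[n] = '\0';
    return n;
}

/* The arithmetic behind [3]: strcat(bufp, "\n") ends strlen(buf) + 2 bytes from
 * the start of buf (skipping a leading '.' moves bufp, not the end of the
 * string). A full buffer, strlen(buf) == size - 1, is the off-by-one case. */
int strcat_newline_overflows(const char *buf, size_t size)
{
    return strlen(buf) + 2 > size;
}

/* Hardened form of one iteration of the POP3_readmsg loop: same dot handling,
 * but the newline is appended only when it and its NUL fit in buf. */
int process_pop3_line(const char *line, char *buf, size_t size)
{
    char *bufp;
    sockgets_sim(line, buf, size);
    bufp = buf;
    if (*bufp == '.') {
        bufp++;
        if (*bufp == '\0')
            return LINE_END_OF_MESSAGE;
    }
    if (strcat_newline_overflows(buf, size))
        return LINE_TOO_LONG;   /* the original strcat writes past buf here */
    strcat(bufp, "\n");
    return LINE_OK;
}

/* Shared buffer and wrapper so the result of each constructed line can be checked. */
char demo_buf[DEMO_BUFSIZE];
int demo_line(const char *line)
{
    return process_pop3_line(line, demo_buf, sizeof demo_buf);
}
```

With a 16-byte buffer a 14-character line is the last one whose newline still fits; a 15-character line fills the buffer and is exactly the case where the original strcat writes its terminator one byte past the end.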
ADDITIONAL INFORMATION
The information has been provided by Dean White (incidents@oneguard.com).