RE: QPopper 4.0.x buffer overflow vulnerability
From: Jonathan A. Zdziarski (jonathan@networkdweebs.com)
Date: 03/12/03
- Previous message: error: "VPOPMail Account Administration (squirrel mail) version 0.9.7"
- In reply to: Jaroslaw Zachwieja: "Re: QPopper 4.0.x buffer overflow vulnerability"
- Next in thread: Torsten Mueller: "Re: QPopper 4.0.x buffer overflow vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Jonathan A. Zdziarski" <jonathan@networkdweebs.com> To: "'Jaroslaw Zachwieja'" <grok@tnt.pl>, <bugtraq@securityfocus.com> Date: Wed, 12 Mar 2003 12:03:29 -0500
Chrooting qpopper is also a good workaround, as well as good practice.
Instructions can be found at http://www.networkdweebs.com/chroot.html
> -----Original Message-----
> From: Jaroslaw Zachwieja [mailto:grok@tnt.pl]
> Sent: Wednesday, March 12, 2003 8:20 AM
> To: bugtraq@securityfocus.com
> Subject: Re: QPopper 4.0.x buffer overflow vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On pon 10. marca 2003 14:31, Florian Heinz wrote:
>
> > http://nstx.dereference.de/snippets/qex.c
> > Feedback is welcome.
>
> Enforcing TLS/SSL is a temprorary workaround against script-kiddies -
> exploit (out-of-the-box) will not be able to authenticate.
>
> (there is a user foobar, with passwd "lalala" on the system)
>
> $ ./qex rootbox foobar lalala
> Phase 1: Seeking buffer size
> Connecting to xxx.xxx.xxx.xxx... Logging in... Could not log in. Did you
> provide a valid username/password-combination?
> Exiting due to error...
>
> that's becouse:
>
> $ telnet 0 110
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> +OK ready
> user foobar
> - -ERR [AUTH] You must use TLS/SSL or stronger authentication such as APOP
> to
> connect to this server
> quit
>
> Not a fix, but who sends plaintext passwords anyway :) Unfortunately, I
> must assume, that at some point some "friendly" soul will equip qex with
> TLS/SSL.
>
> What is the vendor response on that?
> - --
> grok
>
> GPG public key at http://www.keyserver.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE+bzP3ANulANzEW40RArDsAJ43VBZhYJXdhWsyGXT59LfwbJkH8wCgs+FW
> 8g4LLzXZ/D71rkaVjDRBR0c=
> =CVSC
> -----END PGP SIGNATURE-----
>
>
- Previous message: error: "VPOPMail Account Administration (squirrel mail) version 0.9.7"
- In reply to: Jaroslaw Zachwieja: "Re: QPopper 4.0.x buffer overflow vulnerability"
- Next in thread: Torsten Mueller: "Re: QPopper 4.0.x buffer overflow vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
