Re: QPopper 4.0.x buffer overflow vulnerability

From: Harald Hellmuth (hh@hostserver.de)
Date: 03/13/03

  • Next message: Muhammad Faisal Rauf Danka: "Fwd: CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares"
    Date: Thu, 13 Mar 2003 08:12:47 +0100
    From: Harald Hellmuth <hh@hostserver.de>
    To: Randall Gellens <rg_public.1@flagg.qualcomm.com>, bugtraq@securityfocus.com
    
    

    On Tue, 11 Mar 2003 19:05:51 -0800
    Randall Gellens <rg_public.1@flagg.qualcomm.com> wrote:

    > The first I heard of the problem was this morning. Was any notice
    > sent to qpopper-bugs@qualcomm.com or qpopper-patches@qualcomm.com in
    > advance of the posting here? If so, please let me know the details
    > so I can see what happened to the message. If not, I'd like to know
    > why.
    >
    > A fixed Qpopper (version 4.0.5fc2) is available now at
    > <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>. I plan on
    > releasing 4.0.5 final tomorrow unless I hear of any problems with
    > 4.0.5fc2.
    >
    > --
    > Randall Gellens
    > rg_public.1@flagg.qualcomm.com
    > Opinions are personal; facts are suspect; I speak for myself only

    Hello,

    Yesterday (2003-03-12) I sent the following email to qpopper-bugs@qualcomm.com:

    ------------------------------ snip ---------------------------------------
    Dear Sir or Madam,

    Florian Heinz posted an exploit to gain shell access through qpopper.
    See http://nstx.dereference.de/snippets/qex.c.
    The reason is an unterminated buffer string in Qvsnprintf.

    I looked at version 4.0.5fc2 and there is a change, but I think that
    change isn't correct.

    /* From file common/snprintf.c */
    if ( nSize == 0 && *p != '\0' )
    {
        *s = '\0';
        return -1;
    }
    else
        return ( (n-1) - nSize );

    /* When the string that should be written to the buffer fits exactly,
     * no zero byte is written to the buffer, because the for loop
     * terminates when nSize is 0 and the terminating '\0' of p is not
     * copied to the buffer ;-(
     */

    I think it should be written as:

    if ( nSize || *p == '\0' )
    {
        *s++ = *p;
        return ( (n-1) - nSize );
    }
    else
    {
        *s++ = '\0';
        return -1;
    }

    Please excuse my bad English.

    regards

    Harald Hellmuth
    ------------------------------ snap ---------------------------------------

    with best regards

    -- 
    Harald Hellmuth
    E-Mail: hh@hostserver.de
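As an added illustration (not code from the mail, from Qpopper, or from the exploit it references), the C program below models the two tails quoted in the message side by side. The mail shows only the tail; the copy loop in front of it is an assumption, written so that it behaves as the mail describes: `nSize` starts at `n-1`, the loop copies bytes (terminator included) while space remains, and it stops with `nSize == 0` before copying the terminator of `p` when the string fits exactly. The function names `copy_tail_buggy`, `copy_tail_fixed` and `check` are hypothetical. The buffer is pre-filled with `'X'` so that a missing terminator is observable.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED copy loop (the mail only quotes the tail): nSize starts at n-1,
 * bytes are copied terminator included while space remains, and the loop
 * ends with nSize == 0 before copying p's terminator on an exact fit. */
#define COPY_LOOP()                               \
    size_t nSize = n - 1;                         \
    for (; nSize > 0; nSize--) {                  \
        *s = *p;             /* copy this byte */ \
        if (*p == '\0')                           \
            break;           /* terminator copied, stop */ \
        s++;                                      \
        p++;                                      \
    }

/* Tail as quoted from 4.0.5fc2: when the string fits exactly, nSize is 0
 * and *p is '\0', so the else branch returns without writing a terminator. */
static int copy_tail_buggy(char *s, size_t n, const char *p)
{
    COPY_LOOP();
    if (nSize == 0 && *p != '\0') {
        *s = '\0';
        return -1;
    } else {
        return (int)((n - 1) - nSize);
    }
}

/* Tail as proposed in the mail: if space remains or the source is exhausted,
 * *p is '\0' (or the terminator was already copied), so copying *p terminates
 * the buffer; otherwise terminate and report truncation with -1. */
static int copy_tail_fixed(char *s, size_t n, const char *p)
{
    COPY_LOOP();
    if (nSize || *p == '\0') {
        *s++ = *p;
        return (int)((n - 1) - nSize);
    } else {
        *s++ = '\0';
        return -1;
    }
}

/* Copies src into an n-byte buffer pre-filled with 'X' using the given tail.
 * Stores the tail's return value in *ret and returns 1 if a '\0' is present
 * within the first n bytes of the buffer, 0 if the result is unterminated. */
static int check(int (*copy)(char *, size_t, const char *),
                 const char *src, size_t n, int *ret)
{
    char buf[64];
    memset(buf, 'X', sizeof buf);       /* sentinel: no accidental terminator */
    *ret = copy(buf, n, src);
    return memchr(buf, '\0', n) != NULL;
}

int main(void)
{
    const char *inputs[] = { "ab", "abc", "abcdef" };   /* constructed inputs */
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rb, rf;
        int tb = check(copy_tail_buggy, inputs[i], 4, &rb);
        int tf = check(copy_tail_fixed, inputs[i], 4, &rf);
        printf("\"%s\" into 4 bytes: buggy ret=%d terminated=%d, "
               "fixed ret=%d terminated=%d\n", inputs[i], rb, tb, rf, tf);
    }
    return 0;
}
```

The exact-fit case ("abc" into four bytes) is the one the mail points at: the buggy tail reports success but leaves no terminator, so any later `strlen` or `strcpy` on that buffer runs past its end, which is the class of defect the advisory concerns. Shorter and longer inputs behave the same way under both tails, which is why the fault is easy to miss in ordinary testing.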
    
