
List:       vuln-dev
Subject:    QPopper 4.0.4 buffer overflow
From:       Marcell Fodor <m.fodor () mail ! datanet ! hu>
Date:       2002-04-28 19:24:51



Affected versions: 4.0.3 and 4.0.4, default install.
Servers that do not process the user's configuration file
(~/.qpopper-options) are not affected by this bug.

pop_bull.c
-----------
int
CopyOneBull ( POP *p, long bnum, char *name )
{
    FILE          *bull;
    char           buffer [ MAXMSGLINELEN ];
    BOOL           in_header            = TRUE;
    BOOL           first_line           = TRUE;
    int            nchar; 
    int            msg_num;
    int            msg_vis_num          = 0;
    int            msg_ends_in_nl       = 0;
    char           bullName [ 256 ];
    MsgInfoList   *mp;
.
.
.
    sprintf ( bullName, "%s/%s", p->bulldir, name );
------------

The bullName buffer is 256 bytes long, but in the user's
config file bulldir can be defined up to MAXLINELEN-1-sizeof
("set bulldir=") = 1010 bytes, so the sprintf() above overflows it.

~/.qpopper-options
--------------
set bulldir=AAAAAAAAAAA.....AAAAAAAAAAAAAAA
--------------
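The fix a maintainer would want for the sprintf() above is to bound the write and to reject an oversized bulldir when the option is parsed. The following is an added example, not QPopper's own code: the function names are hypothetical, BULLNAME_LEN and the 1010-byte option limit mirror the sizes named in the post, and MAXLINELEN is assumed to be 1024 (which is what makes the post's 1010 work out).

```c
#include <stdio.h>
#include <string.h>

/* Added example, not QPopper's code. bullName is 256 bytes in the post;
 * MAXLINELEN = 1024 is an assumption that yields the post's 1010-byte
 * maximum for a "set bulldir=" value. */
#define BULLNAME_LEN 256
#define MAXLINELEN   1024
#define BULLDIR_KEY  "set bulldir="
#define MAX_BULLDIR  (MAXLINELEN - 1 - sizeof(BULLDIR_KEY))   /* 1010 */

/* Hardened replacement for sprintf(bullName, "%s/%s", ...): writes at
 * most dstlen bytes and reports truncation instead of overflowing.
 * Returns 0 on success, -1 if "<bulldir>/<name>" would not fit. */
int build_bull_path(char *dst, size_t dstlen, const char *bulldir, const char *name)
{
    int n;
    if (dst == NULL || dstlen == 0 || bulldir == NULL || name == NULL)
        return -1;
    n = snprintf(dst, dstlen, "%s/%s", bulldir, name);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';              /* never leave a half-built path behind */
        return -1;
    }
    return 0;
}

/* Validation for the option parser of ~/.qpopper-options, applied before
 * the value is stored in p->bulldir. The longest result is
 * strlen(bulldir) + 1 ('/') + strlen(name) + 1 (NUL), so even with an
 * empty name the directory must leave two spare bytes in bullName.
 * Returns 1 if the value is acceptable, 0 otherwise. */
int bulldir_option_ok(const char *value)
{
    size_t len;
    if (value == NULL)
        return 0;
    len = strlen(value);
    if (len > MAX_BULLDIR)          /* longer than the option line allows */
        return 0;
    if (len + 2 > BULLNAME_LEN)     /* would overflow bullName */
        return 0;
    return 1;
}

/* Constructed sample 1: a normal bulletin directory. Returns 1 if the
 * hardened builder accepts it and produces the expected path. */
int example_short_accepted(void)
{
    char path[BULLNAME_LEN];
    if (build_bull_path(path, sizeof path, "/var/spool/bulls", "1.bull") != 0)
        return 0;
    return strcmp(path, "/var/spool/bulls/1.bull") == 0
        && bulldir_option_ok("/var/spool/bulls") == 1;
}

/* Constructed sample 2: a 1010-byte directory value, the upper bound the
 * post names. Returns 1 if both the builder and the option check refuse it
 * and the destination is left empty rather than overrun. */
int example_huge_rejected(void)
{
    char path[BULLNAME_LEN];
    char huge[MAX_BULLDIR + 1];
    memset(huge, 'A', MAX_BULLDIR);
    huge[MAX_BULLDIR] = '\0';
    if (build_bull_path(path, sizeof path, huge, "1.bull") != -1)
        return 0;
    return path[0] == '\0' && bulldir_option_ok(huge) == 0;
}

int main(void)
{
    printf("short bulldir accepted: %d\n", example_short_accepted());
    printf("1010-byte bulldir rejected: %d\n", example_huge_rejected());
    return 0;
}
```

Both checks are needed: the option-time check keeps an oversized value out of p->bulldir in the first place, and the bounded builder protects CopyOneBull() even if p->bulldir is set by some other path.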

more info: http://mantra.freeweb.hu

Regards,
Marcell Fodor