cpio.04.97-04-24.pop3d_bo
Posted Sep 23, 1999

SHA-256 | a82309ade4fa02ced52322c2ff6e96b63b126fce416b0723e8b903b27c2cdd77

From posse@CORINNE.MAC.EDU Sun Apr 27 23:00:57 1997
Date: Sat, 26 Apr 1997 10:38:11 -0500
From: Corinne Posse <posse@CORINNE.MAC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: COrinne Posse Release 970424

Someone sent out the last one without proofreading it. This is the version
that makes sense.

************** Corinne Posse Security Notice **************
Issue Number 4: 970424
************** http://corinne.mac.edu/posse **************

**** Possible buffer overflow in pop3d ****

*pop3d-1.00.4 (BSD 4.3-based pop3d servers) USER buffer overflow*

Affected Sites:
Systems running OLD versions of pop3d, namely 1.00.4 based versions on the
"original" BSD 4.3 Virtual VAX pop3d by Katie Stevens are vulnerable. In
addition, I believe this includes many older Linux distributions, as many
early Linux pop3ds were based off of this version. I don't know which
distributions would be guilty of having this daemon, or at what point
in time they stopped using it. See
ftp://tsx-11.mit.edu/pub/linux/packages/net/attic/Other/pop3d/pop3d-1.00.4.tar.gz
for a copy of the source code that I examined to find the problem.

Problem:
The problem lies in the routine used to read in the username. This problem
is exactly like the vulnerability SNI found with imapd, except in a different
software package with strangely similar, yet different, code. A malicious
user can easily cause arbitrary execution from the stack (as root, since
most pop3 daemons run as root) provided they have good motivation and
know what the stack looks like.

The offending code follows:

    char cli_user[CLI_BUFSIZ]; /* CLI_BUFSIZ is a whole 128 characters! */
    char *inbuf;

    if (strncmp(inbuf,"user",4) == 0) {
        inbuf += 4;
        EATSPACE(inbuf);
        strcpy(cli_user,inbuf);  /* unbounded copy into the 128-byte buffer */

from "main.c" (around line 155 of main.c, depending on your distribution)

Fixes:
The obvious fix is to upgrade to pop3d software that is more
recent/reliable, or to tinker with the code yourself. Good Luck!

[Found and released by: Jonathan Katz, jkatz@corinne.mac.edu]

Jon, a Sophomore at MacMurray College in Jacksonville, IL, is the founder
and president of Corinne Posse. http://corinne.mac.edu/posse for more
information about the posse.
"Systems security begins with common sense, it's not an add-in
feature."
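
One way to "tinker with the code" so the USER argument can no longer overrun cli_user, shown as an added example that is not part of the original advisory or the pop3d source. The names parse_user and eat_space are hypothetical; eat_space stands in for the daemon's EATSPACE macro, whose definition the advisory does not show.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLI_BUFSIZ 128   /* buffer size quoted in the advisory */

enum user_rc { USER_OK = 0, USER_NOT_CMD = -1, USER_EMPTY = -2, USER_TOO_LONG = -3 };

/* Assumed behaviour of EATSPACE: skip leading blanks and tabs. */
static const char *eat_space(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Bounded replacement for the strcpy() call. The name is copied only if it
 * fits in dst with its terminating NUL; an overlong name is rejected rather
 * than truncated, so it can never be mistaken for a shorter account name. */
static enum user_rc parse_user(const char *inbuf, char *dst, size_t dstsz)
{
    size_t len;

    if (dstsz == 0)
        return USER_TOO_LONG;
    dst[0] = '\0';
    if (strncmp(inbuf, "user", 4) != 0)
        return USER_NOT_CMD;
    inbuf = eat_space(inbuf + 4);
    len = strcspn(inbuf, "\r\n");   /* name ends at the end of the line */
    if (len == 0)
        return USER_EMPTY;
    if (len >= dstsz)
        return USER_TOO_LONG;       /* strcpy() would have overflowed here */
    memcpy(dst, inbuf, len);
    dst[len] = '\0';
    return USER_OK;
}

int main(void)
{
    char cli_user[CLI_BUFSIZ], line[512];   /* constructed sample input */
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    memcpy(line, "user ", 5);
    printf("overlong USER -> %d\n", parse_user(line, cli_user, sizeof cli_user));
    printf("normal USER   -> %d\n", parse_user("user alice\r\n", cli_user, sizeof cli_user));
    return 0;
}
```

The caller should answer USER_TOO_LONG with a protocol error and log the source address, since a USER argument of 128 bytes or more is a useful detection signal for probes against this bug.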