lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20030313081247.69fb2bd2.hh@hostserver.de>
Date: Thu, 13 Mar 2003 08:12:47 +0100
From: Harald Hellmuth <hh@...tserver.de>
To: Randall Gellens <rg_public.1@...gg.qualcomm.com>,
	bugtraq@...urityfocus.com
Subject: Re: QPopper 4.0.x buffer overflow vulnerability


On Tue, 11 Mar 2003 19:05:51 -0800
Randall Gellens <rg_public.1@...gg.qualcomm.com> wrote:

> The first I heard of the problem was this morning.  Was any notice 
> sent to qpopper-bugs@...lcomm.com or qpopper-patches@...lcomm.com in 
> advance of the posting here?  If so, please let me know the details 
> so I can see what happened to the message.  If not, I'd like to know 
> why.
> 
> A fixed Qpopper (version 4.0.5fc2) is available now at 
> <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>.  I plan on 
> releasing 4.0.5 final tomorrow unless I hear of any problems with 
> 4.0.5fc2.
> 
> -- 
> Randall Gellens
> rg_public.1@...gg.qualcomm.com
> Opinions are personal;     facts are suspect;     I speak for myself only

Hello,

Yesterday(2003-03-12) I've sent the following email to qpopper-bugs@...lcomm.com:

------------------------------ snip ---------------------------------------
Dear Sir or Madam,

Florian Heinz posted an exploit to gain shell access through qpopper. 
See http://nstx.dereference.de/snippets/qex.c.
The reason is an unterminated bufferstring in Qvsnprintf.

I looked at version 4.05fc2 and there is a change, but i think that
change  isn't correct.

/* From File common/snprintf.c */
if ( nSize == 0 && *p != '\0' )
    {
        *s = '\0';
        return -1;
    }
    else
        return ( (n-1) - nSize );


/* when string that should be written to the buffer fits exactly,
 * than there will  no Zero-Byte be written to buffer, cause the for
 * loop terminates when nSize is 0 and the terminating '\0' of p is not
 * copied to buffer ;-(
*/

Ithink, it should be written as :


if ( nSize || *p=='\0') 
   {
        *s++ = *p;
        return ( (n-1) - nSize );
    }
else{
       *s++ = '\0';
       return -1;
    }


Please excuse my bad english.

regards

Harald Hellmuth
------------------------------ snap ---------------------------------------

with best regards


-- 

Harald Hellmuth
E-Mail: hh@...tserver.de

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ