lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <49B88C09.3000409@gmail.com>
Date: Thu, 12 Mar 2009 00:14:01 -0400
From: Krakow Labs <krakowlabs@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: POP Peeper 3.4.0.0 Date Remote Buffer Overflow
	Vulnerability

KL0309ADV-poppeeper_date-bof.txt
03.12.2009

Krakow Labs Research [www.krakowlabs.com]
POP Peeper 3.4.0.0 Date Remote Buffer Overflow Vulnerability

---------------------------------------------------------

======================
BACKGROUND INFORMATION
======================

"POP Peeper is an email notifier that runs in your Windows task bar and 
alerts you when you have new email on your POP3, IMAP (with IDLE 
support), Hotmail\MSN\LiveMail, Yahoo, GMail, Mail.com, MyWay, Excite, 
iWon, Lycos.com, RediffMail, Juno and NetZero accounts. IMAP supports 
allows you to access AOL, AIM, Netscape and other services. Send mail 
directly from POP Peeper and use the address book to email your 
frequently used contacts. POP Peeper allows you to view messages using 
HTML or you can choose to safely view all messages in rich or plain 
text. Several options are available that will decrease or eliminate the 
risks of reading your email (viruses, javascript, webbugs, etc). POP 
Peeper can be run from a portable device and can be password protected. 
Many notification options are availble to indicate when new mail has 
arrived, such as sound alerts (configurable for each account), flashing 
scroll lock, skinnable popup notifier, customized screensaver and more."

Source: http://www.poppeeper.org

---------------------------------------------------------

=========================
VULNERABILITY DESCRIPTION
=========================

POP Peeper is vulnerable to a remote buffer overflow vulnerability. This 
vulnerability is exploitable on the client side. A vulnerable POP Peeper 
user must connect to an exploitation server and retrieve mail to be 
affected.

---------------------------------------------------------

=================
TECHNICAL DETAILS
=================

To trigger this vulnerability, POP Peeper has to connect to an 
exploitation server acting as a POP3 daemon. The exploitation server can 
send an oversized "Date" header (292 bytes) along with an email message, 
overflowing a buffer on the stack, giving the attacker complete control 
over the process. Other headers may also be affected.

---------------------------------------------------------

=================
PRODUCTS AFFECTED
=================

POP Peeper 3.4.0.0 was confirmed vulnerable. All versions of below 
3.4.0.0 and are suspected vulnerable as well.

---------------------------------------------------------

============
EXPLOITATION
============

An exploit has been made public to trigger this vulnerability.

http://www.krakowlabs.com/dev/exp/KL0309EXP-poppeeper_date-bof.pl.txt

The exploit code has been tested in the following environment(s):

Windows XP Professional with Service Pack 3 on x86 Architecture

Result: SUCCESS

---------------------------------------------------------

===========
WORKAROUNDS
===========

The vendor has fixed this vulnerability but has not issued an updated 
version at the time of this advisory. We suggest POP Peeper users do not 
connect to untrusted POP3 servers until a new release is available that 
remedies this vulnerability.

---------------------------------------------------------

=======
CREDITS
=======

rush@KL (Jeremy Brown) [rush@...kowlabs.com] is credited with the 
discovery and research of this vulnerability.
rush@KL (Jeremy Brown) [rush@...kowlabs.com] is credited with the 
development of exploit code for this vulnerability.

---------------------------------------------------------

==========
DISCLAIMER
==========

Krakow Labs assumes no liability for the use or misuse of any or all 
information contained in this document or information available at or 
referring to this document. Any or all information contained in this 
document or available at or referring to this document is not misleading 
and all information provided by Krakow Labs in this document is accurate 
to the best knowledge of Krakow Labs. This document can be published 
and/or reproduced as long as the document's data is left unchanged. 
Krakow Labs may be accessed via krakowlabs.com for more information, 
personal reference, or other agendas supporting Krakow Labs.

Associated Files & Information:
http://www.krakowlabs.com/res/adv/KL0309ADV-poppeeper_date-bof.txt
http://www.krakowlabs.com/dev/exp/KL0309EXP-poppeeper_date-bof.pl.txt
http://www.krakowlabs.com/dev/exp/KL0309EXP-poppeeper_date-bof.jpeg
KL0309ADV-poppeeper_date-bof.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ