| Title: | qpopper Buffer Overrun Vulnerability |
| Date Issued: | July 3, 1998 |
| Last Modified: | July 3, 1998 |
| Code: | AA-98.01 |
| Source: | AusCERT |
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-98.01 AUSCERT Advisory
qpopper Buffer Overrun Vulnerability
3 July 1998
Last Revised: --
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the POP
mail server qpopper prior to version 2.5 available for various Unix
platforms.
This vulnerability may allow attackers to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
AUSCERT has received information concerning a vulnerability in
Qualcomm's popper(8) POP mail server distributed as qpopper available
for various Unix platforms. This vulnerability has the potential to
affect any platform which runs qpopper prior to version 2.5.
The popper(8) server program runs with root privileges so it can act
on behalf of users accessing their mail using the POP protocol. Due
to insufficient bounds checking on its input it is possible to cause
a buffer overrun in the popper(8) program while it is executing. By
supplying carefully designed input attackers may be able to force the
program to execute arbitrary commands.
Exploit information involving this vulnerability has been made publicly
available.
2. Impact
This vulnerability permits attackers to gain root privileges. It can be
exploited remotely without requiring a valid user account on the server.
3. Workarounds/Solution
qpopper is currently under increased testing and revision. AUSCERT
recommends that sites prevent the exploitation of this vulnerability
by monitoring developments in qpopper and upgrading to the latest
version from Qualcomm available at:
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/
If the upgrade cannot be applied immediately, AUSCERT encourages sites
to disable the program until the upgrade can be applied.
4. Related Documentation
A number of advisories that have been issued concerning similar
vulnerabilities in implementations of IMAP and POP servers which may be
helpful are available at:
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.028
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.042
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.101
- ---------------------------------------------------------------------------
AUSCERT thanks multiple posters on the bugtraq mailing list.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Facsimile: (07) 3365 7031
Postal:
Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNaIflih9+71yA2DNAQGkzgP+IzrM7IHsLU5fjUm73bsxe52jaTsRuzPs
Y5EM2iJ3SZZH3JhfzeP3pdtUra9oFZ3wGVtxzPAxOuVO7rgIHSKHv0qlBePJ7m1M
8XqFi5plbl6OdGfXia1WV2C4caujv6tSejEI6BCexjDr/lCbbxGR3D+NMOPp4xW1
rsYtsgyK9o0=
=Y3+4
-----END PGP SIGNATURE-----