COMMAND
pop3d
SYSTEMS AFFECTED
Linux distributions running old pop3d 1.00.4
PROBLEM
Following info is based on Corinne Posse Security Notice Issue
Number 4. Systems running OLD versions of pop3d, namely 1.00.4
based versions on the "original" BSD 4.3 Virtual VAX pop3d by
Katie Stevens are vulnerable. In addition, it is believed this
includes many older Linux distributions, as many early Linux
pop3ds were based on this version. It is unknown which
distributions shipped this daemon, or at what point in time they
stopped using it. See:
ftp://tsx-11.mit.edu
and follow the path:
/pub/linux/packages/net/attic/Other/pop3d/pop3d-1.00.4.tar.gz
for a copy of the source code that was examined to find the
problem. This code has not been changed as of pop3d-1.005e,
which was released January 19, 1997, and thus it still appears to
be vulnerable. This is the latest release of the BSD 4.3 based
pop3d.
The problem lies in the routine used to read in the username.
This problem is exactly like the vulnerability SNI found with
imapd, except a different software package and strangely similar,
yet different code. A malicious user can easily cause arbitrary
execution from the stack (as root, since most pop3 daemons run as
root) provided they have good motivation and know what the stack
looks like. The offending code follows:
char cli_user[CLI_BUFSIZ]; /* CLI_BUFSIZE is a whole 128 characters! */
char *inbuf;               /* points at the line read from the client */
if (strncmp(inbuf,"user",4) == 0) {
    inbuf += 4;
    EATSPACE(inbuf);
    strcpy(cli_user,inbuf); /* unbounded copy into the 128-byte stack buffer */
}
from "main.c" (around line 155 of main.c, depending on your
distribution)
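The defect above is an unbounded strcpy of attacker-controlled input into a fixed 128-byte stack buffer. The following is an added example, not code from pop3d or from the advisory, of how the USER handler can be bounded so an over-long argument is rejected rather than copied past the end of cli_user. The function names, the EATSPACE definition and the sample lines are assumptions made for this example; only CLI_BUFSIZ (128) comes from the advisory.

```c
/* Added example (not the pop3d source): a bounded replacement for the
 * strcpy(cli_user, inbuf) in the USER handler.  parse_user_cmd,
 * user_arg_fits and the EATSPACE definition are assumptions for this
 * example; the 128-byte size is the one the advisory quotes. */
#include <stdio.h>
#include <string.h>

#define CLI_BUFSIZ 128          /* same buffer size as the vulnerable code */

/* Assumed definition: pop3d's EATSPACE skips leading blanks and tabs. */
#define EATSPACE(p) do { while (*(p) == ' ' || *(p) == '\t') (p)++; } while (0)

/* Parse "user <name>" into cli_user without overrunning it.
 * Returns 0 on success, -1 if the line is not a USER command or the
 * argument does not fit together with its terminating NUL. */
int parse_user_cmd(const char *line, char *cli_user, size_t bufsz)
{
    const char *inbuf = line;
    size_t len;

    if (bufsz == 0 || strncmp(inbuf, "user", 4) != 0)
        return -1;
    inbuf += 4;
    EATSPACE(inbuf);

    /* The argument ends at the protocol line terminator (CRLF). */
    len = strcspn(inbuf, "\r\n");

    /* The original strcpy copied len+1 bytes regardless of bufsz.
     * Refuse anything that would not fit instead of truncating silently,
     * so an over-long USER argument becomes an error the daemon can log. */
    if (len >= bufsz)
        return -1;

    memcpy(cli_user, inbuf, len);
    cli_user[len] = '\0';
    return 0;
}

/* Helper for checking the parsed name: returns 1 if `line` parses and
 * the extracted username equals `expect`, else 0. */
int parsed_user_equals(const char *line, const char *expect)
{
    char out[CLI_BUFSIZ];
    if (parse_user_cmd(line, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expect) == 0;
}

/* Helper for the boundary: builds "user " + arglen 'A's + CRLF
 * (constructed input) and returns the parser's status for it. */
int user_arg_fits(size_t arglen)
{
    char line[CLI_BUFSIZ * 4];
    char out[CLI_BUFSIZ];

    if (arglen + 8 > sizeof line)      /* keep the constructed line in bounds */
        return -1;
    memcpy(line, "user ", 5);
    memset(line + 5, 'A', arglen);
    memcpy(line + 5 + arglen, "\r\n", 3);   /* copies the NUL too */
    return parse_user_cmd(line, out, sizeof out);
}

int main(void)
{
    /* Constructed inputs: a normal login, the largest argument that fits
     * (127 bytes + NUL), and one byte more, which the old code would have
     * written past the end of cli_user. */
    printf("user alice       -> %d\n", parsed_user_equals("user alice\r\n", "alice"));
    printf("127-byte argument-> %d\n", user_arg_fits(127));
    printf("128-byte argument-> %d\n", user_arg_fits(128));
    return 0;
}
```

The check is `len >= bufsz`, not `len > bufsz`, because the terminating NUL also has to fit; an off-by-one here would still write one byte past the buffer.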
This vulnerability was found and released by Jonathan Katz.
SOLUTION
The obvious fix is to upgrade to pop3d software that is more
recent/reliable, or to tinker with the code yourself. Check for
1.005f on:
ftp://ftp.scott.net/pub/linux/mail