[linux-security] Re: Qpop CERT advisory?
- From: Paul Hart <hart iserver com net org edu mil gov ocn nl>
- To: "B. James Phillippe" <bryan terran org>
- Cc: Linux Security <linux-security tarsier cv nrao edu>, linux-security redhat com
- Subject: [linux-security] Re: Qpop CERT advisory?
- Date: Fri, 17 Jul 1998 13:56:55 -0600 (MDT)
On Thu, 16 Jul 1998, B. James Phillippe wrote:
> The question was meant to be interpreted: is the POP daemon distributed
> with RedHat affected by the same exploits? Many people have responded
> with information that doesn't answer the question.
You need to provide exact version numbers of the software you are using.
Saying something like "it's the version that comes with Distribution X" or
"oh, it's not the one in Distribution X but instead the one that comes in
Distribution Y" doesn't mean a lot to many people. Many people might not
even use prepackaged versions, and instead build and install whatever
version is current on the Internet.
> I have also received responses from people stating that the POP with
> RedHat (imap-4.1) is not affected, and others who say it is. I've tried
> running two of the exploits I could find on the Bugtraq archive against
> a RedHat-4.2 system with no success.
The best strategy is always this: understand the vulnerability, look at
the source code to the software you are using, and then decide whether you
are vulnerable based on the nature of the vulnerability. Using
prepackaged exploits off Rootshell might let you know right away whether
you are vulnerable or not, but often these exploits (and especially the
remote exploits like the ones for popper and imapd) require tweaking by
knowledgeable hands to get results, so preliminary testing can generate a
false sense of security.
I might add, too, that vulnerabilities like this are usually *application*
dependent, not *platform* dependent. Namely, because you do see exploit
code for the i386 Linux QPOP server but do not see exploit code for the
HP-UX version, do not assume that the HP-UX version is safe. These
applications are all compiled from the same source code base, so they
share the same problems. Sometimes certain platforms receive less hacker
scrutiny than others, but they're all vulnerable.
> So the question still stands: is the imap package distributed with
> RedHat also vulnerable to the qpopper exploit, or any other POP exploit?
> It doesn't appear to be, but...
I'd recommend following my strategy outlined above, but I'll give you some
pointers to get you started.
UW IMAP2bis server: Probably vulnerable (see the very old CERT advisory
on this and check the Bugtraq archives from around March 1997) if it was
installed as part of Pine 3.95. The imapd with Pine 3.96 was repaired,
but the banner message version was not updated (on purpose). You can read
about the change at:
http://www.washington.edu/pine/pine-info/1997.03/msg00072.html
Several i386 Linux exploits were posted to Bugtraq for this hole.
Qualcomm popper: All recent versions before 2.50 are POTENTIALLY
vulnerable. I say "potentially" because it depends on whether the daemon
was compiled with optimization on or off (the -O option to gcc). If the
daemon WAS compiled with optimization on (and many are), then the ordering
of variables in the stack frame in the pop_msg() function is such that you
can fully smash the saved %eip and crack root. If the daemon WAS NOT
compiled with optimization on, then the compiler orders the variables in
the frame differently and adds an extra variable (that is in a register in
the optimized version) which results in a cracker being able to smash two
of the four bytes in the saved %eip with the target value, but not the
whole thing. This daemon is crashable, but as far as I have been able to
determine, not exploitable. Qualcomm did not address this vulnerability
until version 2.50. Several i386 Linux exploits were posted to Bugtraq
for this hole, as well.
UW IMAP4.1 server: There is a brand new hole in this server. So far I
have not seen an i386 Linux exploit for it, but a FreeBSD/BSDI exploit was
recently posted to Bugtraq with a full discussion of the hole. This hole
seems to be right up near the named or previous imapd holes on the
severity scale, so I wouldn't be surprised to see several CERT advisories
in future months about it. Apparently the affected versions are the
version that comes with Pine 4.00 (imapd 10.234) and all previous IMAP4.1
server versions. The Pine developers already have a patched version out,
which you should upgrade to if you are running an earlier version. So far
I am not aware of any public Linux exploits for this hole, but it will
only be a matter of time before some surface, and privately, some are
probably already in circulation.
Paul Hart
--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart @ iserver com ><8> ><8> ><8> http://www.iserver.com/
IMPORTANT: To block automated spamming, the return address on this
message has been altered. If you wish to reply to me by mail, please
reply to hart at iserver dot com.
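An added example, not part of the original message: a small checker that applies the version thresholds Paul gives above (qpopper before 2.50, UW imapd 10.234 and earlier) to the exact installed version, and uses the server banner only to detect that it disagrees with that version, since the Pine 3.96 imapd kept its old banner on purpose. The banner formats and the helper names are assumptions of this example.

```python
import re

# Thresholds as stated in the message above.
QPOPPER_FIRST_FIXED = (2, 50)        # "all recent versions before 2.50"
UW_IMAPD_LAST_AFFECTED = (10, 234)   # imapd 10.234 (Pine 4.00) and earlier

# Assumed banner shapes (not confirmed strings), e.g.
#   "+OK QPOP (version 2.41) at host starting."
#   "* OK host IMAP4rev1 v10.234 server ready"
BANNER_PATTERNS = {
    "qpopper": re.compile(r"QPOP \(version ([\d.]+)\)"),
    "uw-imapd": re.compile(r"IMAP4rev1 v([\d.]+)"),
}


def parse_version(text):
    """'2.41' -> (2, 41); tuples compare component-wise like dotted versions."""
    return tuple(int(p) for p in text.strip().split("."))


def banner_version(service, banner):
    """Version a banner claims, or None if the banner is not recognisable."""
    m = BANNER_PATTERNS[service].search(banner)
    return parse_version(m.group(1)) if m else None


def affected(service, version):
    """Apply the version thresholds from the message to an exact version."""
    if service == "qpopper":
        return version < QPOPPER_FIRST_FIXED
    if service == "uw-imapd":
        return version <= UW_IMAPD_LAST_AFFECTED
    raise ValueError("unknown service: %s" % service)


def assess(service, banner, installed_version):
    """installed_version is the exact version read from the package or source
    tree; the banner is only used to spot that it disagrees with it."""
    installed = parse_version(installed_version)
    claimed = banner_version(service, banner)
    if claimed is not None and claimed != installed:
        # Stale or mismatched banner: decide from the source, not the banner.
        return "banner disagrees with installed version; verify from source"
    return "affected" if affected(service, installed) else "fixed"
```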