Debian Bug report logs - #63730
[3APA3A@SECURITY.NNOV.RU: unsafe fgets() in qpopper]

Package: qpopper; Maintainer for qpopper is William Pitcock <nenolod@sacredspiral.co.uk>;

Reported by: Wichert Akkerman <wichert@mors.wiggy.net>

Date: Sun, 7 May 2000 18:33:09 UTC

Severity: fixed

Done: Miquel van Smoorenburg <miquels@cistron.nl>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#63730; Package qpopper. Full text and rfc822 format available.

Acknowledgement sent to Wichert Akkerman <wichert@mors.wiggy.net>:
New Bug report received and forwarded. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Wichert Akkerman <wichert@mors.wiggy.net>
To: submit@bugs.debian.org
Subject: [3APA3A@SECURITY.NNOV.RU: unsafe fgets() in qpopper]
Date: Sun, 7 May 2000 18:08:46 +0200
Package: qpopper
Severity: grave

Please note that the patch in this post is wrong, and upstream fixed this
in version 3.0.1b2. Unfortunately they don't seem to support 2.53
anymore and just tell people to upgrade :(

Wichert.

----- Forwarded message from 3APA3A <3APA3A@SECURITY.NNOV.RU> -----

Date:         Fri, 21 Apr 2000 18:19:20 +0400
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject:      unsafe fgets() in qpopper
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,

Topic:                  unsafe fgets() usage in qpopper

Software affected:      qpopper 3.0 fc2, qpopper 2.53 and probably
                        others

Description:            A malicious user can remotely post a message
                        with spoofed or incorrect headers (including
                        the "Received:" one) and in some cases bypass
                        virus checking. This can be used for sending
                        trojans or to attack vulnerabilities in MUAs.

Status:                 Vendor contacted, bug scheduled to be patched
                        in the next release, FreeBSD port patched.

Background:

On most Unix systems, e-mail delivered to a user is stored in his
mailbox, which has a predefined format (the so-called "unix mailbox" or
"Berkeley mailbox"). This mailbox holds messages in plain format,
separated by an empty line ("\n") and a specially formed "From " header.
The pattern of the next message in the mailbox is "\n\nFrom ".

When a local mail program (e.g. mail.local) delivers a message to the
user's mailbox, it searches for this pattern, and if the message contains
one, the "From " will be commented out with '>' and an additional '\n'
will be added to the message if necessary. This assumes mailbox integrity
and protects from e-mail spoofing.

Problem description:

qpopper has a vulnerability which allows a malicious user to generate
his own "From " line followed by e-mail headers and text. The problem is
in the way qpopper reads data from the mailbox. Qpopper uses fgets() or
an fgets()-like routine, mfgets(), which reads data from the mailbox into
a fixed 1024-byte buffer and returns a string when either a '\n'
character is received or 1023 bytes have been read. A malicious user can
put text like (without leading spaces):

   AAAA...AAA(string of 1023 symbols)\n
   From user Wed Dec  2 05:53 -0700 1992

In this case fgets() will return 3 strings:
"AAAA...AAA(string of 1023 symbols)", without '\n',
"\n",
"From user Wed Dec 2 05:53 -0700 1992"
and this will be recognized as the beginning of a new message in the
mailbox.

Text after the "From " string will be recognized as the headers and text
of the next message, allowing any headers and text to be generated.
Additionally, these "internal" messages will be treated by any software
as plain text inside the message, without any MIME attachments. This
allows virus checking to be bypassed in case antiviral tools scan only
attached files.

Possible temporary fix for qpopper 3.0 fc2 (not tested):

--- pop_dropcopy.c      Sat Mar 18 02:31:11 2000
+++ pop_dropcopy.c      Wed Apr 12 18:11:11 2000
@@ -205,6 +205,8 @@


 int newline = 1;
+int isbreaked = 0;
+int wasbreaked = 0;

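Review bot: the two new file-scope globals `isbreaked` and `wasbreaked` carry no comment, and their names do not say what they record; a reader of the separator check below has to go to mfgets() to learn that `isbreaked` means "the last string returned was cut short before its '\n'" and that `wasbreaked` means "the next string is the tail of that line and has been skipped". State that at the declaration, and since nothing initialises either flag when a new mailbox is opened, reset them wherever `newline` is reinitialised so a truncated last line of one mailbox cannot suppress the first separator check of the next.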
 /*
  *  0 for not a from line
@@ -229,6 +231,14 @@

     /* If the previous line was not a newline then just return */
     /* From message separators are preceeded by a newline */
+    if (isbreaked) {
+       wasbreaked = 1;
+       return ( 0 );
+    }
+    if (wasbreaked) {
+       wasbreaked = 0;
+       return ( 0 );
+    }
     if ( *cp == '\n' ) {
         newline = 1;
         return ( 0 );
@@ -1593,9 +1603,13 @@
     if( size <= 0 ) {
     return NULL;
     }
+    isbreaked = 1;
     while( --size && ((c = getc(stream)) != EOF) ) {
     if( (*p = (char)c) == '\0' ) *p = ' ';
-    if( *p++ == '\n' ) break;
+       if( *p++ == '\n' ) {
+           isbreaked = 0;
+           break;
+       }
     }
     if( p == s ) return NULL;
     *p = '\0';
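Review bot: the new `isbreaked = 1;` is set unconditionally before the loop and cleared only when a '\n' is stored, so after the call it means "the returned string was cut short", including the exact case of a 1023-byte line whose '\n' is then returned as the next string; say so in a comment above that line, because the function's own comment does not mention that it now reports truncation through a file-scope global. The replacement `if` block is also indented three columns deeper than the `if( (*p = (char)c) == '\0' )` line it follows; align it with the surrounding style. A cleaner shape would return the truncation status to the caller rather than publishing it through a global that the separator check has to read in the right order.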


Additional Info:

mail.local also uses fgets() for reading the input message, but the
default buffer size is 2048, so "From " will not be commented out and
the problem can be exploited. If another local mailer with the same
behavior and a buffer size of 1024 is used, or the mailer splits strings
at 1024 bytes, this problem cannot be exploited.


http://www.security.nnov.ru
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)


----- End forwarded message -----

-- 
  _________________________________________________________________
 / Generally uninteresting signature - ignore at your convenience  \
| wichert@liacs.nl                    http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
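The truncation described in the forwarded post, as an added C example that is not code from qpopper or from the original post: a separator counter that reproduces the flawed "empty line, then From" check against a real fgets() reading a 1024-byte buffer, next to a strict mode that treats the string following a truncated one as the rest of the same physical line. fmemopen() stands in for the mailbox file, and the sample mailbox and function names are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L      /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counts "From " separators. strict == 0 is the check the post describes:
 * "From " starts a message if the string read just before it was "\n"; a body
 * line of bufsize-1 bytes comes back from fgets() as two strings, the second
 * being "\n", so a forged "From " right after it is accepted. strict == 1 also
 * remembers whether the previous string ended in '\n' and treats whatever
 * follows a truncated string as the rest of that same line, for any buffer size. */
size_t count_separators(const char *mbox, size_t bufsize, int strict)
{
    FILE *fp = fmemopen((void *)mbox, strlen(mbox), "r");  /* stands in for the mailbox file */
    char *buf = malloc(bufsize);
    size_t count = 0;
    int newline = 1;   /* previous string was an empty line (true at file start) */
    int complete = 1;  /* previous string ended with '\n' */
    if (fp == NULL || buf == NULL) { free(buf); if (fp) fclose(fp); return 0; }
    while (fgets(buf, (int)bufsize, fp) != NULL) {
        size_t len = strlen(buf);
        int continuation = strict && !complete;
        complete = (len > 0 && buf[len - 1] == '\n');
        if (continuation) { newline = 0; continue; }     /* tail of a long line */
        if (strcmp(buf, "\n") == 0) { newline = 1; continue; }
        if (newline && strncmp(buf, "From ", 5) == 0) count++;
        newline = 0;
    }
    free(buf);
    fclose(fp);
    return count;
}

/* Constructed sample: one genuine message whose body holds a 1023-byte line,
 * then "\n" and a forged "From " line, laid out as in the post. */
const char *sample_mailbox(void)
{
    static char mbox[1400];
    const char *head = "From alice Wed Dec  2 05:53 -0700 1992\nSubject: hi\n\n";
    const char *tail = "\nFrom user Wed Dec  2 05:53 -0700 1992\nSubject: forged\n\nbody\n";
    size_t n = strlen(head);
    memcpy(mbox, head, n);
    memset(mbox + n, 'A', 1023);   /* exactly fills a 1024-byte fgets() buffer */
    memcpy(mbox + n + 1023, tail, strlen(tail) + 1);
    return mbox;
}
```

With a 1024-byte buffer the flawed check counts two messages in the sample while the strict check counts one; with a 2048-byte buffer both count one, which is the buffer-size dependence the post's "Additional Info" points at.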

Information forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#63730; Package qpopper. Full text and rfc822 format available.

Acknowledgement sent to Adrian Bunk <bunk@fs.tum.de>:
Extra info received and forwarded to list. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. Full text and rfc822 format available.

Message #10 received at 63730@bugs.debian.org (full text, mbox):

From: Adrian Bunk <bunk@fs.tum.de>
To: debian-devel@lists.debian.org, bugscan@debian.org
Cc: 63730@bugs.debian.org
Subject: Re: Release-critical Bugreport for May 19, 2000
Date: Fri, 19 May 2000 20:47:15 +0200 (CEST)
On Fri, 19 May 2000, BugScan reporter wrote:

>...
> Package: qpopper (debian/main)
> Maintainer: Miquel van Smoorenburg <miquels@cistron.nl>
> [REMOVE] at next test cycle, if no fix is available. (RB)
>   63730  [3APA3A@SECURITY.NNOV.RU: unsafe fgets() in qpopper]
>...

This is fixed in qpopper 2.53-4 already in incoming.



Please note that the bug won't be automatically closed after installing
qpopper 2.53-4 because the maintainer used wrong syntax in
debian/changelog:

    * Fix security hole (fixes: #63730). Did not use the patch as supplied
      on bugtraq, but fixed it myself. See debian/fgets1023.patch


cu,
Adrian

-- 
A "No" uttered from deepest conviction is better and greater than a
"Yes" merely uttered to please, or what is worse, to avoid trouble.
                -- Mahatma Gandhi




Severity set to `fixed'. Request was from Wichert Akkerman <wichert@wiggy.net> to control@bugs.debian.org. Full text and rfc822 format available.

Bug closed, ack sent to submitter - they'd better know why ! Request was from Miquel van Smoorenburg <miquels@cistron.nl> to control@bugs.debian.org. Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 22:01:09 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.