-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-98.01                        AUSCERT Advisory
                      qpopper Buffer Overrun Vulnerability
                                  3 July 1998

Last Revised: --

- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the POP
mail server qpopper prior to version 2.5 available for various Unix
platforms.

This vulnerability may allow attackers to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information concerning a vulnerability in
    Qualcomm's popper(8) POP mail server distributed as qpopper available
    for various Unix platforms. This vulnerability has the potential to
    affect any platform which runs qpopper prior to version 2.5.

    The popper(8) server program runs with root privileges so it can act
    on behalf of users accessing their mail using the POP protocol.  Due
    to insufficient bounds checking on its input it is possible to cause
    a buffer overrun in the popper(8) program while it is executing.  By
    supplying carefully designed input attackers may be able to force the
    program to execute arbitrary commands.
    
    Exploit information involving this vulnerability has been made publicly
    available.

2.  Impact

    This vulnerability permits attackers to gain root privileges. It can be
    exploited remotely without requiring a valid user account on the server.

3.  Workarounds/Solution

    qpopper is currently under increased testing and revision.  AUSCERT
    recommends that sites prevent the exploitation of this vulnerability
    by monitoring developments in qpopper and upgrading to the latest
    version from Qualcomm available at:

  ftp://ftp.qualcomm.com/eudora/servers/unix/popper/

    If the upgrade cannot be applied immediately, AUSCERT encourages sites
    to disable the program until the upgrade can be applied.

4.  Related Documentation

    A number of advisories that have been issued concerning similar
    vulnerabilities in implementations of IMAP and POP servers which may be
    helpful are available at:

  ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.028
  ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.042
  ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.101

- ---------------------------------------------------------------------------
AUSCERT thanks multiple posters on the bugtraq mailing list.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
    AUSCERT personnel answer during Queensland business hours
    which are GMT+10:00 (AEST).
    On call after hours for emergencies.
Facsimile:  (07) 3365 7031

Postal:
Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNaIflih9+71yA2DNAQGkzgP+IzrM7IHsLU5fjUm73bsxe52jaTsRuzPs
Y5EM2iJ3SZZH3JhfzeP3pdtUra9oFZ3wGVtxzPAxOuVO7rgIHSKHv0qlBePJ7m1M
8XqFi5plbl6OdGfXia1WV2C4caujv6tSejEI6BCexjDr/lCbbxGR3D+NMOPp4xW1
rsYtsgyK9o0=
=Y3+4
-----END PGP SIGNATURE-----