
cpio.04.97-04-24.pop3d_bo

Posted Sep 23, 1999


MD5 | 9f205654cb15a11d9933dd86456157d0


From posse@CORINNE.MAC.EDU Sun Apr 27 23:00:57 1997
Date: Sat, 26 Apr 1997 10:38:11 -0500
From: Corinne Posse <posse@CORINNE.MAC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: COrinne Posse Release 970424

Someone sent out the last one without proofreading it. This is the version
that makes sense.

************** Corinne Posse Security Notice **************
Issue Number 4: 970424
************** http://corinne.mac.edu/posse **************

**** Possible buffer overflow in pop3d ****

*pop3d-1.00.4 (BSD 4.3-based pop3d servers) USER buffer overflow*

Affected Sites:
Systems running OLD versions of pop3d, namely 1.00.4 based versions on the
"original" BSD 4.3 Virtual VAX pop3d by Katie Stevens are vulnerable. In
addition, I believe this includes many older Linux distributions, as many
early Linux pop3ds were based off this version. I don't know which
distributions would be guilty of having this daemon, or at what point
in time they stopped using it. See
ftp://tsx-11.mit.edu/pub/linux/packages/net/attic/
Other/pop3d/pop3d-1.00.4.tar.gz
for a copy of the source code that I examined to find the problem.

Problem:
The problem lies in the routine used to read in the username. This problem
is exactly like the vulnerability SNI found with imapd, except a different
software package and strangely similar, yet different code. A malicious
user can easily cause arbitrary execution from the stack (as root, since
most pop3 daemons run as root) provided they have good motivation and
know what the stack looks like.

The offending code follows:

char cli_user[CLI_BUFSIZ]; /* CLI_BUFSIZ is a whole 128 characters! */
char *inbuf;

if (strncmp(inbuf,"user",4) == 0) {
    inbuf += 4;
    EATSPACE(inbuf);
    strcpy(cli_user,inbuf);   /* unbounded copy into the 128-byte buffer */

from "main.c" (around line 155 of main.c, depending on your distribution)

Fixes:
The obvious fix is to upgrade to pop3d software that is more
recent/reliable, or to tinker with the code yourself. Good Luck!

[Found and released by: Jonathan Katz, jkatz@corinne.mac.edu]

Jon, a Sophomore at MacMurray College in Jacksonville, IL, is the founder
and president of Corinne Posse. http://corinne.mac.edu/posse for more
information about the posse.
"Systems security begins with common sense, it's not an add-in
feature."
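
For the "tinker with the code yourself" fix, a bounded replacement for the strcpy() into cli_user could look like the following. This is an added example, not part of the original advisory or the pop3d source. The parse_user helper and its -1 rejection path are hypothetical, and EATSPACE is assumed to skip leading whitespace; CLI_BUFSIZ is 128 as stated in the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CLI_BUFSIZ 128  /* size stated in the advisory */

/* Assumed behaviour of the original EATSPACE macro: skip leading whitespace. */
#define EATSPACE(p) while (isspace((unsigned char)*(p))) (p)++

/*
 * Hypothetical helper (not from pop3d): parse "user <name>" into cli_user.
 * Returns 0 on success, -1 if the line is not a USER command or the name
 * is empty or would not fit, including the terminating NUL.
 */
int parse_user(const char *inbuf, char cli_user[CLI_BUFSIZ])
{
    size_t len;

    if (strncmp(inbuf, "user", 4) != 0)
        return -1;
    inbuf += 4;
    EATSPACE(inbuf);

    /* Drop trailing CR/LF so the length check covers only the name. */
    len = strcspn(inbuf, "\r\n");
    if (len == 0 || len >= CLI_BUFSIZ)
        return -1;              /* reject instead of truncating */

    memcpy(cli_user, inbuf, len);
    cli_user[len] = '\0';
    return 0;
}

int main(void)
{
    char cli_user[CLI_BUFSIZ];
    char longline[4 + 1 + 300 + 1];   /* constructed oversized input */

    memcpy(longline, "user ", 5);
    memset(longline + 5, 'A', 300);
    longline[305] = '\0';

    printf("normal: %d\n", parse_user("user alice\r\n", cli_user));
    printf("oversized: %d\n", parse_user(longline, cli_user));
    return 0;
}
```

Rejecting an over-long name, rather than silently truncating it, keeps the daemon from authenticating against a username the client never sent.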
