fetchmail-friends

not exploitable buffer overflow in fetchmail 5.6.0

2001-01-28 17:08:07
Hi,

in the file pop3.c you can read:

        else if (sscanf(buf, "%d %s", &num, id) == 2)

id is a stack-allocated buffer of IDLEN+1 bytes
buf is server- (attacker-) supplied data of POPBUFSIZE+1 bytes

from fetchmail.h:

#define         POPBUFSIZE      512     /* max length of response (RFC1939) */
#define         IDLEN           128     /* max length of UID (RFC1939) */

The bug seems not exploitable because the stack layout in this
function prevents the return address corruption.
If you change the order of the declaration of "buf" and "id" you will
get a standard exploitable stack overflow.

It seems also that there is a very high number of insecure function
calls in fetchmail, not exploitable since the coder joked
with the size of the buffers and so on to prevent problems: warning,
with this approach some day you will get a security problem.

Please, for reply CC me since I'm not subscribed to the list.

regards,
antirez

-- 
Salvatore Sanfilippo              |
<antirez(_at_)invece(_dot_)org>
http://www.kyuzz.org/antirez      |      PGP: finger antirez(_at_)tella(_dot_)alicom(_dot_)com
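The following is an added example, not code from the post or from fetchmail: it puts the unbounded "%d %s" parse the post quotes next to a width-bounded form, using the POPBUFSIZE and IDLEN values quoted above, and builds a constructed UIDL line to exercise both. The unbounded form is scanned into a scratch buffer of POPBUFSIZE+1 bytes so that the measurement itself cannot overflow; the function names and the make_uidl_line helper are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example; the two sizes are the fetchmail.h values quoted in the post. */
#define POPBUFSIZE 512   /* max length of a POP3 response line */
#define IDLEN      128   /* max length of a UIDL identifier */
#define STR_(x) #x
#define STR(x) STR_(x)   /* turns IDLEN into "128" for the scanf width */

/* The pattern the post describes: "%s" carries no width, so sscanf writes the
 * whole second token into id however small id is. To show how many bytes that
 * writes without corrupting anything, this scans into a scratch buffer as
 * large as the response and reports the resulting token length. */
size_t unbounded_id_length(const char *buf)
{
    char scratch[POPBUFSIZE + 1];
    int num;
    if (sscanf(buf, "%d %s", &num, scratch) != 2)
        return 0;
    return strlen(scratch);   /* > IDLEN means id[IDLEN+1] would overflow */
}

/* Hardened parse: the width caps the copy at IDLEN characters (IDLEN+1 bytes
 * with the NUL), and the %n check rejects a token that was cut off instead
 * of silently keeping a truncated UID. Returns 1 on success, 0 otherwise. */
int parse_uidl_bounded(const char *buf, int *num, char id[IDLEN + 1])
{
    int consumed = 0;
    if (sscanf(buf, "%d %" STR(IDLEN) "s%n", num, id, &consumed) != 2)
        return 0;
    /* after a complete token the next byte is end-of-string, CR/LF or space */
    return buf[consumed] == '\0' || isspace((unsigned char)buf[consumed]);
}

/* Builds a constructed POP3-style UIDL line "<num> <id>\r\n" whose id is
 * id_len bytes of 'A'; used only to exercise the two parsers above. */
int make_uidl_line(char *out, size_t out_size, int num, size_t id_len)
{
    if (id_len + 32 > out_size)
        return 0;
    int n = snprintf(out, out_size, "%d ", num);
    memset(out + n, 'A', id_len);
    memcpy(out + n + id_len, "\r\n", 3);
    return 1;
}
```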

