Vulnerabilities > CVE-2001-1046 - Buffer Overflow vulnerability in Qualcomm Qpopper 4.0/4.0.1/4.0.2

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
qualcomm
critical
nessus

Summary

Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2 allows remote attackers to gain privileges via a long username.

Vulnerable Configurations

Part Description Count
Application
Qualcomm
3

Nessus

  • NASL familyMisc.
    NASL idQPOPPER2.NASL
    descriptionThe remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user
    last seen2020-06-01
    modified2020-06-02
    plugin id10948
    published2002-05-02
    reporterThis script is Copyright (C) 2002-2018 Thomas Reinke
    sourcehttps://www.tenable.com/plugins/nessus/10948
    titleQpopper .qpopper-options Username Handling Overflow
    code
    #
    # This script was written by Thomas Reinke <[email protected]>
    #
    # See the Nessus Scripts License for details
    #
    
    # Changes by Tenable:
    # - description moved, bugfix [RD]
    # - Revised plugin title (8/6/09)
    
    
    include("compat.inc");
    
    # Registration phase.  When the engine loads the plugin with
    # `description` set, only the metadata below is recorded and the script
    # exits before any network activity takes place.
    if(description)
    {
     script_id(10948);
     script_version ("1.18");
     # NOTE(review): the summary of CVE-2001-1046 elsewhere on this page
     # describes a long-username overflow in 4.0 through 4.0.2, while the
     # description text below targets 4.0.3/4.0.4 and the 'bulldir' option
     # of ~/.qpopper-options (BID 2811) - confirm the CVE mapping is intended.
     script_cve_id("CVE-2001-1046");
     script_bugtraq_id(2811);
    
     script_name(english:"Qpopper .qpopper-options Username Handling Overflow");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote mail server is affected by a remote buffer overflow
    vulnerability." );
     # The description itself states that the check is banner-based and
     # cannot confirm the flaw; treat reports as version-match findings.
     script_set_attribute(attribute:"description", value:
    "The remote Qpopper server, according to its banner, is running version
    4.0.3 or version 4.0.4.  These versions are vulnerable to a buffer
    overflow if they are configured to allow the processing of a user's 
    ~/.qpopper-options file.  A local user can cause a buffer overflow by 
    setting the 'bulldir' variable to something longer than 256 characters.
    
    *** This test could not confirm the existence of the
    *** problem - it relied on the banner being returned." );
     # https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e8c930d6" );
     script_set_attribute(attribute:"solution", value:
    "There is no known solution at this time." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2002/05/02");
     script_set_attribute(attribute:"vuln_publication_date", value: "2001/04/20");
     script_cvs_date("Date: 2018/08/22 16:49:14");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     
     script_summary(english:"Qpopper options buffer overflow");
     # ACT_GATHER_INFO: the main phase only reads the greeting banner and
     # sends nothing that could disturb the service.
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2002-2018 Thomas Reinke");
     script_family(english:"Misc.");
     # Relies on the POP3 service having been identified first (port and
     # cached banner are read from the knowledge base in the main phase).
     script_dependencie("find_service1.nasl");
     script_require_ports("Services/pop3", 110);
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
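    # Main phase: a banner-only version check.  Nothing is sent to the
    # server; the plugin reads the POP3 greeting (from the knowledge base
    # when already cached, otherwise from a fresh connection) and reports
    # when it advertises Qpopper 4.0.3 or 4.0.4.  A rebuilt server that
    # still reports one of those versions is therefore flagged as well,
    # which is the caveat the description text gives.
    
    # Port recorded by the service detection plugin, else the POP3 default.
    port = get_kb_item("Services/pop3");
    if (!port) port = 110;
    
    banner = get_kb_item(string("pop3/banner/", port));
    if (!banner && get_port_state(port))
    {
      soc = open_sock_tcp(port);
      if (!soc) exit(0);
      banner = recv_line(socket:soc, length:4096);
      # The greeting is all this plugin needs: release the connection here
      # rather than leaving it open until the interpreter exits.
      close(soc);
    }
    
    # No banner obtainable (port closed, connection refused, silent server).
    if (!banner) exit(0);
    
    # Case-insensitive match on the version string in the greeting.
    if (ereg(pattern:".*Qpopper.*version (4\.0\.[34]).*", string:banner, icase:TRUE))
    {
      security_hole(port);
    }
    exit(0);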
    
  • NASL familyGain a shell remotely
    NASL idPOP3_OVERFLOW.NASL
    descriptionThe remote POP3 server might be vulnerable to a buffer overflow bug when it is issued at least one of these commands, with a too long argument : AUTH USER PASS If confirmed, this problem might allow an attacker to execute arbitrary code on the remote system.
    last seen2020-06-01
    modified2020-06-02
    plugin id10184
    published1999-06-22
    reporterThis script is Copyright (C) 1999-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10184
    titleMultiple Vendor POP3 Remote Overflows
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
    #      Erik Anderson <[email protected]>
    #      This one script can and does test for numerous BugIDs and CVEs.  Added reference
    #           links to all posted vulnerabilities with boundary lengths less than
    #           the current script value of 2048.
    #           All of these posted in the Bugtraq Database appear vulnerable (not tested).
    #           Links are current up to 11/16/2002
    #
    
    include("compat.inc");
    
    # Registration phase.  When the engine loads the plugin with
    # `description` set, only the metadata below is recorded and the script
    # exits before any network activity takes place.
    if (description)
    {
     script_id(10184);
     script_version("1.56");
     script_cvs_date("Date: 2018/11/15 20:50:22");
    
     # One generic probe covers several vendor advisories; the CVE and BID
     # lists are the references collected in the header comment above.
     script_cve_id("CVE-1999-0822", "CVE-2000-0091", "CVE-2001-0776", "CVE-2001-1046", "CVE-2002-0454", "CVE-2002-0799", "CVE-2002-1781");
     script_bugtraq_id(2781, 2811, 4055, 4295, 4789, 790, 830, 942);
    
     script_name(english:"Multiple Vendor POP3 Remote Overflows");
     script_summary(english:"Attempts to overflow the in.pop3d buffers");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code may be run on the remote server.");
     script_set_attribute(attribute:"description", value:
    "The remote POP3 server might be vulnerable to a buffer overflow bug
    when it is issued at least one of these commands, with a too long
    argument :
    
     AUTH USER PASS
    
    If confirmed, this problem might allow an attacker to execute
    arbitrary code on the remote system.");
     script_set_attribute(attribute:"solution", value:
    "If you do not use POP3, disable this service. Otherwise, upgrade to a
    newer version.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20030217185907/http://online.securityfocus.com:80/archive/1/27197");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"1999/11/30");
     script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");
    
     # Findings are "potential": the main phase treats a missing reply as a
     # crash and does not confirm that code execution is possible.
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     # Destructive category: the oversized commands sent in the main phase
     # may crash the daemon, so schedulers treat this as a disruptive test.
     script_category(ACT_DESTRUCTIVE_ATTACK);
     script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
     script_family(english:"Gain a shell remotely");
    
     # Runs after service detection and the Qpopper-specific plugin, only
     # when paranoid reporting is enabled, and never when the scan is
     # restricted to supplied logins.
     script_dependencie("find_service1.nasl", "qpopper.nasl");
     script_require_keys("Settings/ParanoidReport");
     script_exclude_keys("global_settings/supplied_logins_only");
     script_require_ports("Services/pop3", 110);
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
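    # Main phase.  Runs only under paranoid reporting (the result is a
    # potential finding, as the attributes declare) and not when the scan
    # is restricted to supplied logins.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
    
    to = get_read_timeout();
    
    port = get_service(svc: "pop3", default: 110, exit_on_fail: 1);
    # Services that merely look like POP3 (flag set by detection plugins) are skipped.
    fake = get_kb_item("pop3/"+port+"/false_pop3");
    if (fake) exit(0);
    
    soc = open_sock_tcp(port);
    if (!soc) exit(0);
    
    d = recv_line(socket:soc, length:1024);
    if (!d || d !~ '^\\+OK') { close(soc); exit(0); }   # Not a POP3 server
    
    # Qpopper 4.x is not probed here (presumably covered by qpopper.nasl, a
    # declared dependency - confirm).  The socket is closed on every exit
    # path so it is never left to interpreter teardown.
    if (egrep(pattern:"Qpopper.*4", string:d)) { close(soc); exit(0); }
    
    # One oversized command per iteration, in the order AUTH, USER, PASS,
    # each awaiting a reply for three read timeouts.  No reply at all is
    # taken to mean the daemon died: reported once, and the test stops.
    # Dovecot's explicit "Input buffer full" rejection shows the input is
    # length-checked and also ends the test.  A server that silently drops
    # the connection on an over-long line is indistinguishable from a crash
    # here, which is why the plugin is marked potential_vulnerability.
    lengths = make_array("AUTH", 2048, "USER", 1024, "PASS", 1024);
    foreach cmd (make_list("AUTH", "USER", "PASS"))
    {
      c = strcat(cmd, ' ', crap(lengths[cmd]), '\r\n');
      send(socket:soc, data:c);
      d = recv_line(socket:soc, length:1024, timeout: 3*to);
      if (!d)
      {
        security_hole(port);
        break;
      }
      if ("-ERR Input buffer full, aborting" >< d)
      {
        close(soc);
        exit(0, "Dovecot - not vulnerable");
      }
    }
    close(soc);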