Vulnerabilities > CVE-2003-0143 - Remote Memory Corruption vulnerability in Qpopper

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

The pop_msg function in qpopper 4.0.x before 4.0.5fc2 does not null terminate a message buffer after a call to Qvsnprintf, which could allow authenticated users to execute arbitrary code via a buffer overflow in a mdef command with a long macro name.

Vulnerable Configurations

Part Description Count
Application
Qualcomm
4

Exploit-Db

descriptionQpopper 4.0.x Remote Memory Corruption Vulnerability. CVE-2003-0143. Remote exploit for the Linux platform
idEDB-ID:22342
last seen2016-02-02
modified2003-03-10
published2003-03-10
reporterFlorian Heinz
sourcehttps://www.exploit-db.com/download/22342/
titleQpopper 4.0.x - Remote Memory Corruption Vulnerability

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-259.NASL
    descriptionFlorian Heinz posted to the Bugtraq mailing list an exploit for qpopper based on a bug in the included vsnprintf implementation. The sample exploit requires a valid user account and password, and overflows a string in the pop_msg() function to give the user
    last seen2020-06-01
    modified2020-06-02
    plugin id15096
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15096
    titleDebian DSA-259-1 : qpopper - mail user privilege escalation
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-259. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15096);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:17");

      # Advisory cross-references for this check.
      script_cve_id("CVE-2003-0143");
      script_xref(name:"DSA", value:"259");

      script_name(english:"Debian DSA-259-1 : qpopper - mail user privilege escalation");
      script_summary(english:"Checks dpkg output for the updated package");

      # Report text, carried over from DSA-259.
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Florian Heinz posted to the Bugtraq mailing list an exploit for
    qpopper based on a bug in the included vsnprintf implementation. The
    sample exploit requires a valid user account and password, and
    overflows a string in the pop_msg() function to give the user 'mail'
    group privileges and a shell on the system. Since the Qvsnprintf
    function is used elsewhere in qpopper, additional exploits may be
    possible.
    
    The qpopper package in Debian 2.2 (potato) does not include the
    vulnerable snprintf implementation. For Debian 3.0 (woody) an updated
    package is available in version 4.0.4-2.woody.3. Users running an
    unreleased version of Debian should upgrade to 4.0.4-9 or newer. We
    recommend you upgrade your qpopper package immediately.");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-259");
      script_set_attribute(attribute:"solution", value:"Upgrade the affected qpopper package.");
      # NOTE(review): the vector says Au:N, yet the advisory text above states the
      # exploit needs a valid user account and password -- confirm which is intended.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

      # Classification: a local dpkg check, scoped to the woody packages below.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qpopper");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/10");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");

      # The package inventory comes from the SSH info gatherer.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Both binary packages built from the qpopper source are compared against
    # the DSA-259 fix level, in the same order as before.
    flag = 0;
    foreach pkg (make_list("qpopper", "qpopper-drac"))
    {
      if (deb_check(release:"3.0", prefix:pkg, reference:"4.0.4-2.woody.3")) flag++;
    }

    if (flag)
    {
      # Verbose output attaches the per-package detail, presumably collected
      # by deb_check() and returned by deb_report_get().
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idQPOPPER_QVSNPRINF_OVERFLOW.NASL
descriptionThe remote Qpopper server, according to its banner, is vulnerable to a one-byte overflow in its pop_msg function after a call to Qvsnprintf(). An attacker may use this flaw to execute code with the privileges of the Qpopper service (usually non-root), provided that he has a valid POP account to log in with. *** This test could not confirm the existence of the problem - it relied on the banner being returned.
    last seen2020-06-01
    modified2020-06-02
    plugin id11376
    published2003-03-13
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11376
    titleQpopper pop_msg() Macroname Remote Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
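    if (description)
    {
      script_id(11376);
      script_version("1.15");
      script_cve_id("CVE-2003-0143");
      script_bugtraq_id(7058);
      script_xref(name:"SuSE", value:"SUSE-SA:2003:018");

      script_name(english:"Qpopper pop_msg() Macroname Remote Overflow");

      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code may be run on the remote host." );
      # Description typo fixed ("ih its" -> "in its"); the rest of the text is unchanged.
      script_set_attribute(attribute:"description", value:
    "The remote Qpopper server, according to its banner, is vulnerable to a 
    one-byte overflow in its pop_msg function after a call to Qvsnprintf(). 
    
    An attacker may use this flaw to execute code with the privileges of the
    Qpopper service (usually non-root), provided that he has a valid POP 
    account to log in with.
    
    *** This test could not confirm the existence of the
    *** problem - it relied on the banner being returned." );
      # The fixed release is 4.0.5fc2; the previous text named a non-existent
      # "4.0.5cf2", which would send users after a version they cannot obtain.
      script_set_attribute(attribute:"solution", value:
    "Upgrade to version 4.0.5fc2 or newer" );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/13");
      script_set_attribute(attribute:"vuln_publication_date", value: "2003/03/10");
      script_cvs_date("Date: 2018/07/25 18:58:04");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();

      script_summary(english:"Qpopper options buffer overflow");
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
      script_family(english:"Misc.");
      # Use the current spelling of the dependency call, matching the other plugins.
      script_dependencies("popserver_detect.nasl");
      script_require_ports("Services/pop3", 110);
      exit(0);
    }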
    
    #
    # The script code starts here
    #
    
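    # Banner-based check: the POP3 port comes from service detection, with
    # 110 as the fallback when nothing was registered.
    port = get_kb_item("Services/pop3");
    if (!port) port = 110;

    # Prefer the banner cached by popserver_detect.nasl; only open a socket
    # when no banner was recorded for this port and the port is known open.
    banner = get_kb_item(string("pop3/banner/", port));
    if (!banner && get_port_state(port))
    {
      soc = open_sock_tcp(port);
      if (!soc) exit(0);
      banner = recv_line(socket:soc, length:4096);
      # Release the socket once the greeting is read; the earlier code left it open.
      close(soc);
    }

    # Matches 4.0.0 through 4.0.4 only. The CVE text says 4.0.x before 4.0.5fc2
    # is affected, so a 4.0.5 pre-release banner would not be flagged here --
    # TODO confirm the banner format before widening the pattern.
    if (banner && ereg(pattern:".*Qpopper.*version 4\.0\.[0-4][^0-9].*", string:banner, icase:TRUE))
    {
      security_warning(port);
    }
    exit(0);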
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2003_018.NASL
descriptionThe remote host is missing the patch for the advisory SUSE-SA:2003:018 (qpopper). The Post Office Protocol (POP) server qpopper (version 4) was vulnerable to a buffer overflow. The buffer overflow occurs after authentication has taken place. Therefore POP users with a valid account can execute arbitrary code on the system running qpopper. Depending on the setup, the malicious code is run with higher privileges. There is no temporary fix known, please update your system. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command
    last seen2020-06-01
    modified2020-06-02
    plugin id13788
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13788
    titleSUSE-SA:2003:018: qpopper