K-009: Qpopper Buffer Overflow Vulnerability

PROBLEM:       Some versions of Qpopper are exploitable to a buffer overflow 
               vulnerability. 
PLATFORM:      All platforms running any of the officially released versions 
               Qpopper 2.41 and earlier, and those running the beta versions 
               Qpopper 3.0b21 and older. 
DAMAGE:        Remote users can exploit the vulnerability to obtain 
               unauthorized root access. 
SOLUTION:      Upgrade to the officially released version Qpopper 2.5 or 
               later, or to the beta version Qpopper 3.0b22 or later. 
VULNERABILITY  The risk is HIGH. Information about these vulnerabilities 
ASSESSMENT:    including exploit programs have been publicly distributed. 

CIAC has the following updated information to the AusCERT Alert given below:
If you are using the beta release 3.0b21 or older, upgrade to release 3.0b22
or later.  The official qpopper Frequently Asked Questions (FAQ) page at

     http://www.eudora.com/freeware/qpop_faq.html

when last updated on 1 December 1999 stated that

    "Qpopper 2.41 and prior versions, and Qpopper 3.0b21 and older, are 
     vulnerable to buffer overflow. Remote users can obtain root access on 
     systems running these versions. Releases of Qpopper 2.5 and later, and 
     3.0b22 and later are immune from all known buffer overrun security holes 
     posted in bugtraq. Please upgrade your server if you are running any 
     Qpopper older than 2.5, or are running a 3.0 beta older than b22."

The FAQ can be accessed through a link found in the official Qpopper home
page at:

     http://www.eudora.com/freeware/qpop.html

[Start AusCERT Alert]

- -----BEGIN PGP SIGNED MESSAGE-----


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                       AL-1999.005  --  AUSCERT ALERT
                         Buffer overflow in qpopper
                              02 December 1999

===========================================================================

PROBLEM:  

	The qpopper program is Unix server software that supports the POP3
        protocol for downloading Internet e-mail using software clients.
        AusCERT has received information that some versions of qpopper are
        vulnerable to a remotely exploitable buffer overflow.

	Information regarding these vulnerabilities including exploit
        programs have been made publicly available.  AusCERT expects that
        intruders will actively exploit this vulnerability.

VERSIONS:
          
        All qpopper 3.0 beta releases 3.0b20 and older are susceptible to
        this vulnerability.

	qpopper versions prior to 2.41 are also vulnerable to an
        exploitable buffer overflow as described in a previously released
        AusCERT advisory (AA-98.01) available from:

          ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-
98.01.qpopper.buffer.overflow.vul
	
IMPACT:   

	Vulnerable versions of qpopper may allow remote users to gain root
	access.

SOLUTION: 

	Sites running vulnerable versions of qpopper should upgrade to the
	current version.  The latest official release of qpopper is 2.53.
	Sites using the 3.0 beta release should upgrade to the latest
        release which is version 3.0b21.

	For complete details and download instructions see the official 
	qpopper home page at:

		http://www.eudora.com/freeware/qpop.html

- - ---------------------------------------------------------------------------
AusCERT acknowledges the posters to the Bugtraq mailing list and Qualcomm
Support for information provided in this alert.  AusCERT also thanks Joe
Haskian of the University of Melbourne.
- - ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================



- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOEfZMih9+71yA2DNAQE4JAP/ZkKsWC0Tb2VG/4Uk9v4g3BTr3ZYQVYJn
u+HqJ++Aib0QfgCe6RRe8LlozddYFNZYYfFx82pjcofEEnD1FPO7XqHZ3t3/PlvB
nUhXHVRm/obEhSw8TZUry6m1eS9qycE6Gjfp8jWz/wWKHaNvFcaw+X7+W13gjIfP
kikFxZ4+lnw=
=hTST
- -----END PGP SIGNATURE-----

[End AusCERT Alert]

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/