w00w00 Security Advisory - http://www.w00w00.org
Title:          vpopmail
Platforms:      Any
Discovered:     7th January, 2000
Local:          Yes.
Remote:         Yes.
Author:         K2 (ktwo@ktwo.ca)
Vendor Status:  Notified.
Last Updated:   N/A

1. Overview

When vpopmail is used to authenticate user information and is passed an
excessively long command argument, a remote attacker may gain the
privilege level at which vpopmail is running (usually root).

2. Impact

A remote attacker may attain the privilege level of the authentication
module.  Sample exploit code can be found at
http://www.ktwo.ca/security.html.

3. Recommendation

Enforce the 40-character limit specified by RFC 1939 in the mail agent
that passes the password to vpopmail, or modify vpopmail itself.  A
qmail-specific patch is available at
http://www.ktwo.ca/c/qmail-popup-patch.
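
One way to enforce that limit before a USER or PASS argument reaches the
authentication module, as an added example (not code from this advisory,
vpopmail, or the qmail patch).  The function name pop3_split_checked, the
buffer layout and the sample lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define POP3_ARG_MAX 40  /* RFC 1939: each argument may be up to 40 characters */

/* Hypothetical helper (not from vpopmail or qmail): split a POP3 USER/PASS
 * line into keyword and argument, refusing anything over the RFC 1939 limits
 * so the authentication module never sees an oversized string.
 * Returns 0 on success, -1 if the line must be rejected. */
int pop3_split_checked(const char *line, char kw[5], char arg[POP3_ARG_MAX + 1])
{
    size_t klen = strcspn(line, " \r\n");
    if (klen < 3 || klen > 4)             /* keywords are 3 or 4 characters */
        return -1;

    const char *p = line + klen;
    if (*p != ' ')                        /* USER and PASS require an argument */
        return -1;
    p++;

    /* The rest of the line is the argument (a PASS argument may contain spaces). */
    size_t alen = strcspn(p, "\r\n");
    if (alen == 0 || alen > POP3_ARG_MAX) /* check the length BEFORE any copy */
        return -1;

    memcpy(kw, line, klen);
    kw[klen] = '\0';
    memcpy(arg, p, alen);
    arg[alen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample input: one normal line, one oversized argument. */
    char oversized[5 + 200 + 1] = "PASS ";
    memset(oversized + 5, 'A', 200);
    const char *lines[] = { "USER alice\r\n", oversized };
    char kw[5], arg[POP3_ARG_MAX + 1];

    for (size_t i = 0; i < 2; i++) {
        if (pop3_split_checked(lines[i], kw, arg) == 0)
            printf("accept: %s (%zu-byte argument)\n", kw, strlen(arg));
        else
            printf("reject: -ERR argument too long or malformed\n");
    }
    return 0;
}
```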

