Executive Summary

Summary

Title : qpopper user privilege escalation

Information

Name : DSA-259
First vendor Publication : 2003-03-12
Vendor : Debian
Last vendor Modification : 2003-03-12
Severity (Vendor) : N/A
Revision : 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact Sub Score : NA
Temporal Score : NA
Exploitability Sub Score : NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score : 10
Attack Range : Network
Cvss Impact Score : 10
Attack Complexity : Low
Cvss Exploit Score : 10
Authentication : None Required

Detail

Florian Heinz posted to the Bugtraq mailing list an exploit for qpopper based on a bug in the included vsnprintf implementation. The sample exploit requires a valid user account and password, and overflows a string in the pop_msg() function to give the user "mail" group privileges and a shell on the system. Since the Qvsnprintf function is used elsewhere in qpopper, additional exploits may be possible.

The qpopper package in Debian 2.2 (potato) does not include the vulnerable snprintf implementation. For Debian 3.0 (woody) an updated package is available in version 4.0.4-2.woody.3. Users running an unreleased version of Debian should upgrade to 4.0.4-9 or newer. We recommend you upgrade your qpopper package immediately.

Original Source

Url : http://www.debian.org/security/2003/dsa-259

CWE : Common Weakness Enumeration

% Id Name

CPE : Common Platform Enumeration

Type Description Count
Application 4

OpenVAS Exploits

Date Description
2008-01-17 Name : Debian Security Advisory DSA 259-1 (qpopper)
File : nvt/deb_259_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
9794 Qpopper pop_msg() Macroname Remote Overflow

A remote overflow exists in Qpopper. The server fails to properly check the length of macronames supplied to the pop_msg() function resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or potentially execute arbitrary code. This attack requires valid user authentication credentials.

Nessus® Vulnerability Scanner

Date Description
2004-09-29 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-259.nasl - Type : ACT_GATHER_INFO
2004-07-25 Name : The remote host is missing a vendor-supplied security patch
File : suse_SA_2003_018.nasl - Type : ACT_GATHER_INFO
2003-03-13 Name : Arbitrary code may be run on the remote host.
File : qpopper_qvsnprinf_overflow.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:31:31 Multiple Updates