Qualcomm Qpopper Unsafe fgets() Vulnerability

A vulnerability exists in versions of Qpopper, including the latest, 3.0, from Qualcomm. The vulnerability stems from how qpopper reads data from user mailboxes. From the post which discussed this vulnerability on Bugtraq:
"Qpopper uses fgets() or fgets()-like routine, mfgets(), which reads data from mailbox into the fixed 1024 byte buffer and returns string in case either '\n' character received or 1023 bytes read. Malicious user can put text like (without leading spaces):

AAAA...AAA(string of 1023 symbols)\n
From user Wed Dec 2 05:53 -0700 1992

In this case fgets() will return 3 strings:
"AAAA...AAA(string of 1023)symbols", without '\n',
"\n",
"From user Wed Dec 2 05:53 -0700 1992"
and this will be recognized as a beginning of the new message in the mailbox.

Text after "From " string will be recognized as a headers and text of the next message, allowing to generate any headers and text."

This could potentially be used to exploit client overflows, or bypass virus checking software.


 

Privacy Statement
Copyright 2010, SecurityFocus