[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Vulnerability



KL0209ADV-poppeeper_uidl-bof.txt
02.27.2009

Krakow Labs Research [www.krakowlabs.com]
POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Vulnerability

-------------------------------------------------------------------------------------------------------------------------

======================
BACKGROUND INFORMATION
======================

"POP Peeper is an email notifier that runs in your Windows task bar and 
alerts you when you have new email on your
POP3, IMAP (with IDLE support), Hotmail\MSN\LiveMail, Yahoo, GMail, 
Mail.com, MyWay, Excite, iWon, Lycos.com, RediffMail,
Juno and NetZero accounts. IMAP supports allows you to access AOL, AIM, 
Netscape and other services. Send mail directly
from POP Peeper and use the address book to email your frequently used 
contacts. POP Peeper allows you to view messages
using HTML or you can choose to safely view all messages in rich or 
plain text. Several options are available that will
decrease or eliminate the risks of reading your email (viruses, 
javascript, webbugs, etc). POP Peeper can be run from a
portable device and can be password protected. Many notification options 
are availble to indicate when new mail has
arrived, such as sound alerts (configurable for each account), flashing 
scroll lock, skinnable popup notifier, customized
screensaver and more."

Source: http://www.poppeeper.org

-------------------------------------------------------------------------------------------------------------------------

=========================
VULNERABILITY DESCRIPTION
=========================

POP Peeper is vulnerable to a remote buffer overflow vulnerability. This 
vulnerability is exploitable on the client side.
A vulnerable POP Peeper user must connect to an exploitation server and 
attempt use retrieve mail to affected.

-------------------------------------------------------------------------------------------------------------------------

=================
TECHNICAL DETAILS
=================

To trigger this vulnerability, POP Peeper has to connect to an 
exploitation server acting as a POP3 daemon. POP Peeper
then uses the UIDL command to get unique IDs for each email it later 
plans on retrieving. The exploitation server can
send an oversized ID (1040 bytes), overflowing a buffer on the stack, 
giving the attacker complete control over the
process.

-------------------------------------------------------------------------------------------------------------------------

=================
PRODUCTS AFFECTED
=================

POP Peeper 3.4.0.0 was confirmed vulnerable. All versions of below 
3.4.0.0 and are suspected vulnerable as well.

-------------------------------------------------------------------------------------------------------------------------

============
EXPLOITATION
============

An exploit has been made public to trigger this vulnerability.

http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.pl.txt

The exploit code has been tested in the following environment(s):

Windows XP Professional with Service Pack 3 on x86 Architecture

Result: SUCCESS

-------------------------------------------------------------------------------------------------------------------------

===========
WORKAROUNDS
===========

The vendor has fixed this vulnerability but has not issued an updated 
version at the time of this advisory. We suggest
POP Peeper users do not connect to untrusted POP3 servers until a new 
release is available that remedies this vulnerability.

------------------------------------------------------------------------------------------------------------------------

=======
CREDITS
=======

rush@KL (Jeremy Brown) [rush@xxxxxxxxxxxxxx] is credited with the 
discovery and research of this vulnerability.
rush@KL (Jeremy Brown) [rush@xxxxxxxxxxxxxx] and Jayji (James Burton) 
[jayjiftw@xxxxxxxxx] are both credited with the
development of exploit code for this vulnerability.

-------------------------------------------------------------------------------------------------------------------------

==========
DISCLAIMER
==========

Krakow Labs assumes no liability for the use or misuse of any or all 
information contained in this document or information
available at or referring to this document. Any or all information 
contained in this document or available at or referring to
this document is not misleading and all information provided by Krakow 
Labs in this document is accurate to the best knowledge
of Krakow Labs. This document can be published and/or reproduced as long 
as the document's data is left unchanged. Krakow Labs
may be accessed via krakowlabs.com for more information, personal 
reference, or other agendas supporting Krakow Labs.

Associated Files & Information:
http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt
http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.pl.txt
http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.jpg
KL0209ADV-poppeeper_uidl-bof.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/