Strumpf Noir Society Advisories ! Public release ! <--# -= QPC POPd Buffer Overflow Vulnerability =- Release date: Saturday, April 14, 2001 Introduction: QPC's popd is the pop3 mailserver component of the company's QVT/NET product line for MS Windows. The popd and the rest of the QVT/Net product line is available from vendor QPC's website: http://www.qpc.com Problem(s): The pop daemon that ships with the QVT/NET software suite contains an unchecked buffer in the logon function. When a username or password of 584 bytes or more gets fed to the server the buffer will overflow and will trigger an access violation, after which the server dies. (..) Solution: Vendor QPC was notified but has yet to respond. This was tested against QVT/Net Popd 4.20 coming with the QVT/Net 5.0 suite, running on MS Win2k. yadayadayada Free sk8! (http://www.freesk8.org) SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant, all information is provided on AS IS basis. EOF, but Strumpf Noir Society will return!
