[Snort-sigs] SID 1634: POP3 PASS overflow attempt (documentation)

Maarten Van Horenbeeck maarten at ...2078...
Mon Dec 22 15:23:02 EST 2003


Rule: POP3 PASS overflow attempt
--
Sid: 1634
--
Summary:  The IDS has observed a potential exploit attempt against the
Artisoft XtraMail v1.11 mailserver.  This attack may lead to remote
execution of arbitrary code.
--
Impact: When succesfully exploited, the remote attacker can crash the POP3
service and possibly execute arbitrary code on the mailserver.
--
Detailed Information: The PASS argument, used to submit authentication
credentials to the POP3 server, has an overflowable buffer in XtraMail
1.11.  If a password of more than 1500 characters is submitted, the
service will crash.  This error may be exploitable further, and could then
allow the attacker to execute arbitrary code on the remote system, under
the LocalSystem account (which has a higher privilege level than
Administrator).
--
Affected Systems: All POP3 servers running Artisoft Xtramail 1.11 on
Windows.
--
Attack Scenarios: An attacker could crash the POP server, thereby denying
legitimate users access to their e-mail.  Skilled attackers could
compromise the mailserver and obtain all incoming e-mail data.
--
Ease of Attack: The DoS attack is trivial to execute, as only a password
longer than 1500 characters needs to be submitted.  Compromise of the
mailserver requires more skill, but exploits are available.
--
False Positives: There are no false positives known for this rule.
--
False Negatives: There are no false negatives known for this rule.
--
Corrective Action: Upgrade the XtraMail installation to a more recent
version.  At the time of writing, no vendor-supplied patches are
available.
--
Contributors:
Documentation contributed by Maarten Van Horenbeeck (maarten at ...2078...)
--
Additional References:
<a href="http://cgi.nessus.org/plugins/dump.php3?id=10325">Nessus Plugin
10325</a>
<a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1511">CAN-1999-1511</a>
<a href="http://www.securityfocus.com/bid/791">Bugtraq ID 791</a>


Best regards,
Maarten

--
Maarten Van Horenbeeck
maarten at ...2078...




More information about the Snort-sigs mailing list