[Snort-sigs] sid 1635: POP3 APOP overflow attempt

Maarten Van Horenbeeck maarten at ...2078...
Tue Dec 30 07:50:16 EST 2003

Rule: POP3 APOP overflow attempt
Sid: 1635
Summary:  The IDS has observed a potential buffer overflow using the APOP
command.  If running a vulnerable mail server, such as older XMail
versions, this attack may lead to remote execution of arbitrary code.
Impact: When successfully exploited, the remote attacker can crash the POP3
service or execute arbitrary code on the mail server.
Detailed Information: The APOP command, used to submit authentication
credentials to the POP3 server, has an overflowable buffer in XMail 0.58
and earlier.  If an argument to the APOP command is longer than 256
characters, the service will crash.  This error may be exploitable
further, and could then allow the attacker to execute arbitrary code on
the remote system, under the LocalSystem account (which has a higher
privilege level than Administrator).
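The condition described above (an APOP argument longer than 256 characters) is simple enough to check directly on the client side of a POP3 session. The following detector is an added example written for this documentation; it is not the Snort rule itself and not XMail code. It assumes a sequence of CRLF-terminated client command lines, treats the POP3 command verb case-insensitively, and uses the 256-character limit stated in the text as its threshold. The sample lines at the bottom are constructed.

```python
"""Flag POP3 APOP commands whose argument exceeds the 256-character limit
described for XMail 0.58 and earlier.

Constructed example for sid 1635 documentation; not Snort's rule text.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Threshold taken from the advisory text: arguments over 256 characters crash XMail <= 0.58.
APOP_MAX_ARG_LEN = 256


@dataclass
class ApopFinding:
    line_no: int        # 1-based index of the offending client line
    arg_len: int        # total length of everything after "APOP "
    longest_token: int  # length of the longest whitespace-separated argument


def check_apop_line(line: bytes, line_no: int = 0) -> Optional[ApopFinding]:
    """Return a finding if this client line is an APOP command with an oversize argument."""
    # POP3 commands are CRLF-terminated; strip only the terminator so that
    # embedded spaces in the argument are still counted.
    cmd = line.rstrip(b"\r\n")
    parts = cmd.split(b" ", 1)
    # POP3 command verbs are case-insensitive ("apop" and "APOP" are equivalent).
    if parts[0].upper() != b"APOP":
        return None
    args = parts[1] if len(parts) > 1 else b""
    tokens = args.split()
    longest = max((len(t) for t in tokens), default=0)
    # Flag either a single oversize argument or an oversize argument string as a whole.
    if len(args) > APOP_MAX_ARG_LEN or longest > APOP_MAX_ARG_LEN:
        return ApopFinding(line_no, len(args), longest)
    return None


def scan_client_stream(lines: Iterable[bytes]) -> List[ApopFinding]:
    """Run check_apop_line over every client line of a reassembled POP3 session."""
    findings: List[ApopFinding] = []
    for n, line in enumerate(lines, 1):
        finding = check_apop_line(line, n)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample client traffic: one normal APOP login and one oversize argument.
SAMPLE_CLIENT_LINES = [
    b"USER alice\r\n",
    b"PASS secret\r\n",
    b"APOP alice c4c9334bac560ecc979e58001b3e22fb\r\n",  # normal: name + 32-hex MD5 digest
    b"apop " + b"A" * 300 + b"\r\n",                     # constructed 300-character argument
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for f in scan_client_stream(SAMPLE_CLIENT_LINES):
        print(f"line {f.line_no}: APOP argument of {f.arg_len} bytes "
              f"(longest token {f.longest_token}) exceeds {APOP_MAX_ARG_LEN}")
```

A legitimate APOP command carries a mailbox name and a 32-character hex digest, so a well-formed login stays far below the threshold; only a deliberately padded argument trips the check, which is why the text reports no known false positives.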
Affected Systems: All POP3 servers running XMail 0.58 or earlier, on
Attack Scenarios: An attacker could crash the POP server, thereby denying
legitimate users access to their e-mail.  Skilled attackers could
compromise the mailserver and obtain all incoming e-mail data.
Ease of Attack: The DoS attack is trivial to execute, as only an argument
longer than 256 characters needs to be submitted.  Compromise of the
mail server requires more skill, but has been proven to be possible.
False Positives: There are no false positives known for this rule.
False Negatives: There are no false negatives known for this rule.
Corrective Action: Upgrade the XtraMail installation to a more recent
version.  The most recent versions can always be found on the vendor's
website, <a href="http://www.xmailserver.org/">xmailserver.org</a>.
Documentation contributed by Maarten Van Horenbeeck (maarten at ...2078...)
Additional References:
<a href="http://cgi.nessus.org/plugins/dump.php3?id=10559">Nessus plugin
ID 10559</a>
<a href="http://www.securityfocus.com/bid/1652">Bugtraq ID</a>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0841">CVE
Candidate 2000-0841</a>
