[Snort-sigs] SID 284

Steven Alexander alexander.s at ...1565...
Tue Jun 10 17:36:08 EDT 2003


POP2 x86 Linux overflow

Sid: 284


This is an attempt to exploit a buffer overflow in the POP2 service.

An attacker can gain access to a shell running with the privileges of
the service.

Detailed Information:  

This signature looks for a piece of shell code (executable code) that is
used to exploit a known vulnerability in the POP2 service running on
older Linux systems.

Affected Systems:

Redhat Linux 4.2, 5.0, 5.1, and 5.2
Other old Linux distributions??

Attack Scenarios:

The attack is done remotely and gives the attacker a command shell
running with the same privileges as the POP2 daemon.

Ease of Attack:

Simple.  An exploit is readily available.

False Positives:

None known.

False Negatives:

None known.

Corrective Action:

Upgrade to a newer version of POP2 (or POP3).  It would be preferable
and probably easier to upgrade to a newer version of Linux entirely.

Rule Documentation - Steven Alexander <alexander.s at ...1565...>

Additional References:

