[Snort-sigs] SID 284

Steven Alexander alexander.s at ...1565...
Tue Jun 10 17:36:08 EDT 2003


Rule:  

POP2 x86 Linux overflow

--
Sid: 284

--
Summary: 

This is an attempt to exploit a buffer overflow in the POP2 service.

--
Impact:  
An attacker can gain access to a shell running with the privileges of
the service.

--
Detailed Information:  

This signature looks for a piece of shell code (executable code) that is
used to exploit a known vulnerability in the POP2 service running on
older Linux systems.

--
Affected Systems:

Red Hat Linux 4.2, 5.0, 5.1, and 5.2
Other old Linux distributions??

--
Attack Scenarios:

The attack is done remotely and gives the attacker a command shell
running with the same privileges as the POP2 daemon.
--
Ease of Attack:

Simple.  An exploit is readily available.
--
False Positives:

None known.
--
False Negatives:

None known.
--
Corrective Action:

Upgrade to a newer version of POP2 (or POP3).  It would be preferable
and probably easier to upgrade to a newer version of Linux entirely.
--
Contributors:
Rule Documentation - Steven Alexander <alexander.s at ...1565...>
-- 
Additional References:

http://www.linux.com.cn/hack.co.za/exploits/os/linux/redhat/4.2/pop.c
