[Snort-sigs] SID 285

Steven Alexander alexander.s at ...1565...
Tue Jun 10 17:39:10 EDT 2003

This rule's description is the same as SID 284.  The rules are looking
for different pieces of shellcode in order to identify the same thing.



POP2 x86 Linux overflow

Sid: 285


This is an attempt to exploit a buffer overflow in the POP2 service.

An attacker can gain access to a shell running with the privileges of
the service.

Detailed Information:  

This signature looks for a piece of shell code (executable code) that is
used to exploit a known vulnerability in the POP2 service running on
older Linux systems.

Affected Systems:

Red Hat Linux 4.2, 5.0, 5.1, and 5.2

Attack Scenarios:

The attack is done remotely and gives the attacker a command shell
running with the same privileges as the POP2 daemon.

Ease of Attack:

Simple.  An exploit is readily available.

False Positives:

None known.

False Negatives:

None known.

Corrective Action:

Upgrade to a newer version of POP2 (or POP3).  It would be preferable
and probably easier to upgrade to a newer version of Linux entirely.

Rule Documentation - Steven Alexander <alexander.s at ...1565...>

Additional References:

