[Snort-sigs] False Positive in POP3 TOP overflow attempt (SID 2109)
scacynwrig at ...144...
Thu Apr 8 06:25:11 EDT 2004
# This is a template for submitting snort signature
# descriptions to the snort.org website.
# Ensure that your descriptions are your own
# and not the work of others. References in the rules
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that
# as a commentary
# and someone else perhaps will be able to fix it.
Rule: POP3 TOP overflow attempt
Summary: This event is generated when an attempt is
made to exploit a buffer overflow condition in the
Post Office Protocol (POP) command TOP.
Impact: Possible remote execution of arbitrary code
leading to a remote root
Detailed Information: A vulnerability exists such that
an attacker may overflow a buffer by sending a line
feed character to a POP server via the TOP command.
Ease of Attack:
False Positives: Some POP applications, such as
Fetchmail, will issue a "TOP 1 99999999" command after
the POP session is established. The comments in the
fetchmail pop3.c source code indicate this is done to
avoid setting the "seen" flag on the mail servers.
This action will trigger this alert.
Matthew Olney scacynwrig <at> yahoo <dot> com
Here is a packet capture of the TOP command:
14:44:00.317518 x.x.x.x.2532 > y.y.y.y.pop3: P 54:70(16) ack 178 win 5840 (DF)
0x0000 4500 0038 c4b7 4000 3306 092c 043e b646  E..8..@.3..,.>.F
0x0010 d8a8 e6af 09e4 006e 461f 475b ba3d 8ff6
0x0020 5018 16d0 7590 0000 544f 5020 3120 3939
0x0030 3939 3939 3939 0d0a
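The following is an added example, not part of the original post: it decodes the tcpdump hex dump above into raw bytes, walks the IPv4 and TCP headers to recover the POP3 payload, and applies a simple TOP-command check that separates fetchmail's benign "TOP 1 99999999" from an overlong argument of the kind an overflow signature looks for. The 256-byte threshold and the function names are assumptions for illustration; they are not the logic of SID 2109 itself.

```python
# Added example (not from the original post or the Snort project):
# decode the quoted hex dump, extract the TCP payload and triage the
# POP3 TOP command it carries.
import re

# Hex dump copied from the post (offset column followed by hex words).
HEXDUMP = """\
0x0000 4500 0038 c4b7 4000 3306 092c 043e b646
0x0010 d8a8 e6af 09e4 006e 461f 475b ba3d 8ff6
0x0020 5018 16d0 7590 0000 544f 5020 3120 3939
0x0030 3939 3939 3939 0d0a
"""

MAX_TOP_ARG_LEN = 256  # assumed threshold for an overlong argument, not Snort's value


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x style lines (offset, then hex words) into raw packet bytes."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        for word in parts[1:]:  # skip the 0xNNNN offset column
            out += bytes.fromhex(word)
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Extract the TCP payload from an IPv4 packet using IHL and the TCP data offset."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = int.from_bytes(packet[2:4], "big")
    data_offset = (packet[ihl + 12] >> 4) * 4    # TCP header length in bytes
    return packet[ihl + data_offset:total_len]


def classify_top(payload: bytes) -> str:
    """Return 'not-top', 'benign', 'overflow-suspect' or 'malformed' for one command line.

    'benign' is the normal form "TOP <msg> <lines>", which covers fetchmail's
    "TOP 1 99999999"; 'overflow-suspect' is an argument longer than the
    assumed threshold; anything else that starts with TOP is 'malformed'.
    """
    line = payload.split(b"\r\n", 1)[0]
    m = re.match(rb"TOP\s+(.*)$", line, re.IGNORECASE)
    if not m:
        return "not-top"
    arg = m.group(1)
    if len(arg) > MAX_TOP_ARG_LEN:
        return "overflow-suspect"
    if re.fullmatch(rb"\d+\s+\d+", arg):
        return "benign"
    return "malformed"


if __name__ == "__main__":
    payload = tcp_payload(hexdump_to_bytes(HEXDUMP))
    print(payload)                 # b'TOP 1 99999999\r\n'
    print(classify_top(payload))   # benign
```

Walking the headers rather than searching the whole packet for "TOP" matters: the 16-byte payload length recovered here matches the "54:70(16)" in the tcpdump summary line, which confirms the offsets are right before any content check is applied.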