[Snort-sigs] False Positive in POP3 TOP overflow attempt (SID 2109)

Kynnyth Pyke scacynwrig at ...144...
Thu Apr 8 06:25:11 EDT 2004

# This is a template for submitting snort signature
descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that
as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  POP3 TOP overflow attempt

Sid:  2109
Summary:  This event is generated when an attempt is
made to exploit a buffer overflow condition in the
Post Office Protocol (POP) command TOP.

Impact:  Possible remote execution of arbitrary code
leading to a remote root 

Detailed Information: A vulnerability exists such that
an attacker may overflow a buffer by sending a line
feed character to a POP server via the TOP command.

Affected Systems:

Attack Scenarios:

Ease of Attack:

False Positives:  Some POP applications, such as
Fetchmail will issue a "TOP 1 99999999" command after
the POP session is established.  The comments in the
fetchmail pop3.c source code indicate this is done to
avoid setting the "seen" flag on the mail servers. 
This action will trigger this alert.
False Negatives:

Corrective Action:


Matthew Olney scacynwrig <at> yahoo <dot> com

Additional References:

Here is a packet capture of the TOP command:

14:44:00.317518 x.x.x.x.2532 > y.y.y.y.pop3: P
54:70(16) ack 178 win 5840 (DF)
0x0000   4500 0038 c4b7 4000 3306 092c 043e b646      
 E..8.. at ...2388...,.>.F
0x0010   d8a8 e6af 09e4 006e 461f 475b ba3d 8ff6      
0x0020   5018 16d0 7590 0000 544f 5020 3120 3939      
0x0030   3939 3939 3939 0d0a                          

Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway 

More information about the Snort-sigs mailing list