GEN:SID | 1:1866 |
Message | POP3 USER overflow attempt |
Summary | This event is generated when an attempt is made to overflow a buffer by supplying a very long username to a POP3 service.
|
Impact | Serious. Several POP3 servers are vulnerable to USER buffer overflows.
|
Detailed Information | A very long string data in place of the username can lead to a buffer overflow situation.
A buffer overflow attack can be used to execute arbitrary code (remote shell). A Denial of Service (DoS) is also possible. Check your POP3 service for this vulnerability with common vulnerability scanners.
|
Affected Systems | Ipswich IMail 5.0.5, 5.0.6 and 5.0.7 for Windows NT. Other POP3 mail systems may be affected.
|
Attack Scenarios | A attacker may first check the POP3 daemon version and try a buffer overflow attack using a long username string supplied with the USER command.
This may result in full compromise of the host. A Remote shell can be bound to a port after the attack.
|
Ease of Attack | Simple. Exploit scripts are available.
|
Corrective Action | Apply the appropriate vendor supplied patches.
Upgrade to the latest non-affected version of the software.
Check for other events generated by the source IP address.
|
Additional References | |
Rule References | bugtraq: 789
bugtraq: 11256
cve: 1999-0494
nessus: 10311
|