GEN:SID | 1:1937 |
Message | POP3 LIST overflow attempt |
Summary | This event is generated when an attempt is made to exploit a buffer overflow vulnerability using the LIST command on mail servers running the qpopper daemon.
|
Impact | Remote Access. This attack can allow an attacker to read other users mail as the Group ID mail.
|
Detailed Information | The attacker needs the username and password of a POP account on the server. After a successful POP login, the attacker can cause a buffer overflow using the LIST command. After successfully exploiting the qpopper daemon the attacker has remote access of the server with the UID of the username used for the POP login and the GID of 'mail'.
|
Affected Systems | Qualcomm qpopper 3.0 and 3.0 beta 1 through beta 29.
|
Attack Scenarios | An attacker can log in to a vulnerable mail server using a preexisting POP account and enter an overly long argument with the LIST command, causing a buffer overflow which may then result in remote access.
|
Ease of Attack | Simple. Exploits exist.
|
Corrective Action | Upgrade to Qualcomm qpopper 3.0 beta 30 or higher.
|
Additional References | cve: CAN-2000-0096 bugtraq: 948
|
Rule References | bugtraq: 948
cve: 2000-0096
nessus: 10197
|