GEN:SID | 1:1635 |
Message | POP3 APOP overflow attempt |
Summary | This event is generated when an attempt is made to exploit a potential buffer overflow using the APOP command. If running a vulnerable mail server, such as older XMail versions, this attack may lead to remote execution of arbitrary code. |
Impact | When succesfully exploited, the remote attacker can crash the POP3 service or execute arbitrary code on the mailserver. |
Detailed Information | The APOP command, used to submit authentication credentials to the POP3 server, has an overflowable buffer in XMail 0.58 and earlier. If an argument to the APOP command is longer than 256 characters, the service will crash. This error may be exploitable further, and could then allow the attacker to execute arbitrary code on the remote system.
|
Affected Systems | XMail 0.58 or earlier
|
Attack Scenarios | An attacker could crash the POP server, thereby denying legitimate users access to their e-mail. Skilled attackers could compromise the mailserver and obtain all incoming e-mail data.
|
Ease of Attack | The DoS attack is trivial to execute, as only an argument longer than 256 characters needs to be submitted. Compromise of the mailserver requires more skill, but has been proven to be possible..
|
Corrective Action | Upgrade the XtraMail installation to a more recent version. The most recent versions can always be found on the vendor's website, http://www.xmailserver.org/
|
Additional References | Nessus http://cgi.nessus.org/plugins/dump.php3?id=10559
Bugtraq http://www.securityfocus.com/bid/1652
CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0841
|
Rule References | bugtraq: 1652
cve: 2000-084103
Error: Unknown reference type: BACKDOOR subseven 22
arachnids: 485
url: www.hackfix.org/subseven/
|