Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1866 |
Message | POP3 USER overflow attempt |
Summary | This event is generated when an attempt is made to overflow a buffer by supplying a very long username to a POP3 service. |
Impact | Serious. Several POP3 servers are vulnerable to USER buffer overflows. |
Detailed Information | A very long string supplied in place of the username can cause a buffer overflow. A buffer overflow attack can be used to execute arbitrary code (remote shell). A Denial of Service (DoS) is also possible. Check your POP3 service for this vulnerability with common vulnerability scanners. |
Affected Systems | Ipswitch IMail 5.0.5, 5.0.6 and 5.0.7 for Windows NT. Other POP3 mail systems may be affected. |
Attack Scenarios | An attacker may first check the POP3 daemon version and then attempt a buffer overflow using a long username string supplied with the USER command. This may result in full compromise of the host. A remote shell can be bound to a port after the attack. |
Ease of Attack | Simple. Exploit scripts are available. |
Corrective Action | Apply the appropriate vendor-supplied patches. Upgrade to the latest non-affected version of the software. Check for other events generated by the source IP address. |
Additional References | |
Rule References | bugtraq: 11256 bugtraq: 789 cve: 1999-0494 nessus: 10311 |
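
The check this event describes, as an added example (not the Snort rule itself and not Aanval's code): a small Python scan of reassembled client-to-server POP3 bytes for oversized USER arguments. The 40-octet limit is an assumption taken from the per-argument length in RFC 1939, and the session bytes are constructed samples.

```python
import re

# Assumption: 40 octets is the per-argument limit from RFC 1939 section 3.
# The rule's own threshold is not given on this page; tune this for your site.
MAX_ARG_LEN = 40

# POP3 keywords are case-insensitive; USER takes a single argument.
USER_RE = re.compile(rb"^USER[ \t]+([^\r\n]*)", re.IGNORECASE)


def split_commands(stream: bytes):
    """Yield command lines from a client-to-server byte stream.

    A trailing fragment with no CRLF is still yielded: an overflow attempt
    may never send the line terminator, so it must not be skipped.
    """
    for line in re.split(rb"\r?\n", stream):
        if line:
            yield line


def find_long_user(stream: bytes, max_len: int = MAX_ARG_LEN):
    """Return [(line_index, argument_length)] for oversized USER arguments."""
    hits = []
    for idx, line in enumerate(split_commands(stream)):
        match = USER_RE.match(line)
        if match and len(match.group(1)) > max_len:
            hits.append((idx, len(match.group(1))))
    return hits


# Constructed sample sessions (client side only), not captured traffic.
SAMPLE_SESSIONS = {
    "normal": b"USER alice\r\nPASS constructed-secret\r\nSTAT\r\nQUIT\r\n",
    "long_user": b"user " + b"A" * 600 + b"\r\n",
    "unterminated": b"USER " + b"B" * 300,
    "boundary": b"USER " + b"c" * 40 + b"\r\n",
}


def scan_samples():
    """Map each sample session name to its list of findings."""
    return {name: find_long_user(data) for name, data in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {'ALERT ' + str(hits) if hits else 'ok'}")
```

The same length bound belongs in the POP3 server's own command parser; the scan only reports attempts and does not protect an unpatched service.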
--
DID:322486