Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1866 |
| Message | POP3 USER overflow attempt |
| Summary | This event is generated when an attempt is made to overflow a buffer by supplying a very long username to a POP3 service. |
| Impact | Serious. Several POP3 servers are vulnerable to USER buffer overflows. |
| Detailed Information | A very long string data in place of the username can lead to a buffer overflow situation. A buffer overflow attack can be used to execute arbitrary code (remote shell). A Denial of Service (DoS) is also possible. Check your POP3 service for this vulnerability with common vulnerability scanners. |
| Affected Systems | Ipswich IMail 5.0.5, 5.0.6 and 5.0.7 for Windows NT. Other POP3 mail systems may be affected. |
| Attack Scenarios | A attacker may first check the POP3 daemon version and try a buffer overflow attack using a long username string supplied with the USER command. This may result in full compromise of the host. A Remote shell can be bound to a port after the attack. |
| Ease of Attack | Simple. Exploit scripts are available. |
| Corrective Action | Apply the appropriate vendor supplied patches. Upgrade to the latest non-affected version of the software. Check for other events generated by the source IP address. |
| Additional References | |
| Rule References | bugtraq: 11256 bugtraq: 789 cve: 1999-0494 nessus: 10311 |
--
DID:322486
--
http://www.aanval.com/