OS: Linux x86 pop2 Buffer Overflow (2)

This signature detects attempts to exploit a known vulnerability in the pop2 daemon running on Linux. Versions 4.4 and earlier are susceptible. Pop2 servers support anonymous proxy, where users can remotely instruct a server to open an IMAP mailbox on another server for which they have an account and execute commands under the user id "nobody". Attackers can log on through anonymous proxy and issue a FOLD command with a 1000-byte argument to cause a stack-based buffer overflow and gain root access.

Extended Description

A buffer overflow vulnerability in pop2d version 4.4 or earlier allows malicious remote users to obtain access to the "nobody" user account. The pop2 and pop3 servers support the concept of an "anonymous proxy", whereby a remote user connecting to the server can instruct it to open an IMAP mailbox on some other server on which they have a valid account. In this state the pop2 server runs under the "nobody" user id. Once logged on, issuing a FOLD command with an argument of about 1000 bytes will cause a stack-based buffer overflow.

Affected Products

Red_hat linux

Short Name: OS:LINUXX86:POP2-OF-2
Severity: Critical
Recommended: False
Recommended Action: Drop
Category: OS
Keywords: (2) Buffer CVE-1999-0920 Linux Overflow bid:283 pop2 x86
Release Date: 04/22/2003
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3336
Port: TCP/109
False Positive: Unknown
Vendors

Red_hat

University_of_washington

Debian

CVSS Score

10.0
