| Short Name | OS:LINUXX86:POP2-OF-1 |
|---|---|
| Severity | Critical |
| Recommended | No |
| Recommended Action | Drop |
| Category | OS |
| Keywords | Linux x86 Pop2 Buffer Overflow (1) |
| Release Date | 2003/04/22 |
| Update Number | 1213 |
| Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |

This signature detects attempts to exploit a known vulnerability in the pop2 daemon running on Linux. Versions 4.4 and earlier are susceptible. Pop2 servers support anonymous proxy, where users can remotely instruct a server to open an IMAP mailbox on another server for which they have an account and execute commands under the user id "nobody". Attackers can log on through anonymous proxy and send a FOLD command with a 1000-byte argument to cause a stack-based buffer overflow and gain root access.

A buffer overflow vulnerability in pop2d version 4.4 or earlier allows malicious remote users to obtain access to the "nobody" user account. The pop2 and pop3 servers support the concept of an "anonymous proxy", whereby a remote user connecting to the server can instruct it to open an IMAP mailbox on some other server they have a valid account on. In this state the pop2 server runs under the "nobody" user id. Once logged on, issuing a FOLD command with an argument of about 1000 bytes will cause a stack-based buffer overflow.
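
The check a defender can apply to this condition is a length limit on the FOLD argument in the client-to-server stream, applied after reassembling command lines that span TCP segments. The sketch below is an added example, not the vendor's signature logic; `Pop2FoldMonitor`, `scan` and the 256-byte `MAX_FOLD_ARG` limit are assumptions chosen for illustration, and the sample traffic is constructed.

```python
# Added example: length check on POP2 FOLD arguments (not vendor signature logic).
MAX_FOLD_ARG = 256  # assumed policy limit; the page only says ~1000 bytes overflows


class Pop2FoldMonitor:
    """Reassembles client command lines across TCP segments and checks FOLD."""

    def __init__(self, max_arg=MAX_FOLD_ARG):
        self.max_arg = max_arg
        self.buf = b""
        self.skipping = False  # True while discarding the tail of an overlong line

    def _check(self, line, complete):
        # Assumes the verb starts at column 0 and is followed by one space.
        verb, _, arg = line.partition(b" ")
        if verb.upper() != b"FOLD" or len(arg) <= self.max_arg:
            return []
        return [{"arg_len": len(arg), "complete": complete}]

    def feed(self, segment):
        """Consume one client-to-server segment; return alerts it raised."""
        alerts = []
        self.buf += segment
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            if self.skipping:  # remainder of a line that was already handled
                self.skipping = False
                continue
            alerts += self._check(line.rstrip(b"\r"), complete=True)
        if self.skipping:
            self.buf = b""
        elif len(self.buf) > self.max_arg + 5:  # 5 == len(b"FOLD ")
            # Alert before the newline arrives and keep memory bounded.
            alerts += self._check(self.buf, complete=False)
            self.buf, self.skipping = b"", True
        return alerts


def scan(segments, max_arg=MAX_FOLD_ARG):
    """Run a fresh monitor over a list of segments and collect all alerts."""
    monitor = Pop2FoldMonitor(max_arg)
    return [a for seg in segments for a in monitor.feed(seg)]


# Constructed sample traffic, not a capture.
BENIGN = [b"HELO alice secret\r\nFO", b"LD INBOX\r\n", b"QUIT\r\n"]
OVERSIZED = [b"fold " + b"A" * 600, b"A" * 400 + b"\r\n", b"QUIT\r\n"]
SPLIT_LONG = [b"FOLD " + b"B" * 200, b"B" * 100 + b"\r\nQUIT\r\n"]
```

The monitor alerts on an unterminated FOLD line as soon as it exceeds the limit, so an argument sent without a trailing newline is still flagged, and the verb match is case-insensitive.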