1634.txt

This is the snapshot of Snot Latest Rules

Rule:

--
Sid:
1634

--
Summary: 
This event is generated when an attempt is made to exploit a known vulnerability in Artisoft XtraMail v1.11 mailserver.

--
Impact:
When succesfully exploited, the remote attacker can crash the POP3 service and possibly execute arbitrary code on the mailserver.

--
Detailed Information:
The PASS argument, used to submit authentication credentials to the  POP3 server XtraMail 1.11, has an exploitable buffer overflow condition  If a password of more than 1500 characters is submitted, the service will crash.  This error may be exploitable further, and could  then allow the attacker to execute arbitrary code on the remote system, under the LocalSystem account.

--
Affected Systems:
All POP3 servers running Artisoft Xtramail 1.11 on Windows.

--
Attack Scenarios:
An attacker could crash the POP server, thereby denying legitimate users access to their e-mail.  Skilled attackers could compromise the mailserver and obtain all incoming e-mail data.

--
Ease of Attack:
The DoS attack is trivial to execute, as only a password longer than 1500 characters needs to be submitted.  Compromise of the mailserver requires more skill, but exploits are available.

--
False Positives:
None known.

--
False Negatives:
None known

--
Corrective Action:
Upgrade XtraMail to the latest non-affected version of the software

--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Maarten Van Horenbeeck (maarten@daemon.be)
--
Additional References:

Nessus
http://cgi.nessus.org/plugins/dump.php3?id=10325

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1511

--