1634.txt

来自「snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具」· 文本 代码 · 共 73 行

Rule:

--
Sid:
1634

--
Summary: 
This event is generated when an attempt is made to exploit a known
vulnerability in Artisoft XtraMail v1.11 mailserver.

--
Impact:
When succesfully exploited, the remote attacker can crash the POP3
service and possibly execute arbitrary code on the mailserver.

--
Detailed Information:
The PASS argument, used to submit authentication credentials to the 
POP3 server XtraMail 1.11, has an exploitable buffer overflow condition 
If a password of more than 1500 characters is submitted, the
service will crash.  This error may be exploitable further, and could 
then allow the attacker to execute arbitrary code on the remote system, 
under the LocalSystem account.

--
Affected Systems:
	All POP3 servers running Artisoft Xtramail 1.11 on Windows.

--
Attack Scenarios:
An attacker could crash the POP server, thereby denying
legitimate users access to their e-mail.  Skilled attackers could
compromise the mailserver and obtain all incoming e-mail data.

--
Ease of Attack:
The DoS attack is trivial to execute, as only a password
longer than 1500 characters needs to be submitted.  Compromise of the
mailserver requires more skill, but exploits are available.

--
False Positives:
None known.

--
False Negatives:
None known

--
Corrective Action:
Upgrade XtraMail to the latest non-affected version of the software

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Maarten Van Horenbeeck (maarten@daemon.be)
--
Additional References:

Nessus
http://cgi.nessus.org/plugins/dump.php3?id=10325

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1511

Bugtraq
http://www.securityfocus.com/bid/791

--