Rule: -- Sid: 1930 -- Summary: This event is generated when a remote attacker sends an overly long argument in the AUTH command to an internal IMAP server, indicating an attempt to exploit a buffer overflow vulnerability in Netscape Messaging Server and University of Washington IMAP implementations. -- Impact: Remote execution of arbitrary code with the security privileges of the IMAP process, possibly leading to remote root compromise. -- Detailed Information: A buffer overflow vulnerability exists in the AUTHENTICATE command in University of Washington IMAP and Netscape Messaging Server. This can allow a remote attacker to send an AUTHENTICATE command with a malformed, overlong argument to a vulnerable IMAP server, causing a buffer overflow condition. The attacker can then execute arbitrary code on the server with the security privileges of the IMAP server process. -- Affected Systems: Any operating system running Netscape Messaging Server 3.55 and earlier or University of Washington imapd 10.234 and earlier. -- Attack Scenarios: An attacker sends an overly long, malformed argument to an AUTHENTICATE command to a vulnerable IMAP server, causing a buffer overflow condition. The attacker is then able to execute arbitrary code on the server with the security privileges of the IMAP server process. -- Ease of Attack: Simple. Exploits exist. -- False Positives: None known. -- False Negatives: None known. -- Corrective Action: Patches have been released for both UW IMAP and Netscape Messaging Server. Apply the patch or upgrade to a Netscape Messaging Server version higher than 3.55 or UW IMAP version higher than 10.234. -- Contributors: Original rule written by Brian Caswell <bmc@sourcefire.com> Sourcefire Research Team Sourcefire Technical Publications Team Jennifer Harvey <jennifer.harvey@sourcefire.com> -- Additional References: Bugtraq http://www.securityfocus.com/bid/130 --