Rule: -- Sid: 2409 -- Summary: This event is generated when an attempt is made to overflow a buffer by supplying a very long username to an APOP POP3 service. -- Impact: Serious. Several POP3 servers are vulnerable to USER buffer overflows. -- Detailed Information: By supplying more than 626 bytes of data to the APOP USER command on 1st Class Internet Solutions' 1st Class Mail Server, an attacker may overflow a buffer resulting in the opportunity to execute code of their choosing on the targeted machine with the privileges of the user running the service. Other Mail software may be prone to this attack. -- Affected Systems: 1st Class Mail Server -- Attack Scenarios: An attacker may connect to the service and supply an over-long username to overflow the buffer. -- Ease of Attack: Simple. -- False Positives: None known. -- False Negatives: None known -- Corrective Action: Apply the appropriate vendor supplied patches. Upgrade to the latest non-affected version of the software. Check for other events generated by the source IP address. -- Contributors: Sourcefire Research Team Matt Watchinski <mwatchinski@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: --
