Rule: -- Sid: 1634 -- Summary: This event is generated when an attempt is made to exploit a known vulnerability in Artisoft XtraMail v1.11 mailserver. -- Impact: When succesfully exploited, the remote attacker can crash the POP3 service and possibly execute arbitrary code on the mailserver. -- Detailed Information: The PASS argument, used to submit authentication credentials to the POP3 server XtraMail 1.11, has an exploitable buffer overflow condition If a password of more than 1500 characters is submitted, the service will crash. This error may be exploitable further, and could then allow the attacker to execute arbitrary code on the remote system, under the LocalSystem account. -- Affected Systems: All POP3 servers running Artisoft Xtramail 1.11 on Windows. -- Attack Scenarios: An attacker could crash the POP server, thereby denying legitimate users access to their e-mail. Skilled attackers could compromise the mailserver and obtain all incoming e-mail data. -- Ease of Attack: The DoS attack is trivial to execute, as only a password longer than 1500 characters needs to be submitted. Compromise of the mailserver requires more skill, but exploits are available. -- False Positives: None known. -- False Negatives: None known -- Corrective Action: Upgrade XtraMail to the latest non-affected version of the software -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> Snort documentation contributed by Maarten Van Horenbeeck (maarten@daemon.be) -- Additional References: Nessus http://cgi.nessus.org/plugins/dump.php3?id=10325 CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1511 Bugtraq http://www.securityfocus.com/bid/791 --