POP Version

Updated 3/17/03
CVE 1999-0006
CVE 1999-0042
CVE 2000-0442
CVE 2001-0442
CVE 2001-1046
CAN 2001-0443
CAN 2003-0143

Impact

Remote users can obtain root access on systems running a vulnerable POP server. Access to an account on the system is not needed to exploit this vulnerability.

Note: The red stoplight on this page indicates the highest possible severity level for this category of vulnerabilities. The severity level in any given instance is indicated by the colored dot preceding the link to this tutorial.

Background

The current version of IMAP (Internet Message Access Protocol) supports both online and offline operation, permitting manipulation of remote message folders. It provides access to multiple mailboxes (possibly on multiple servers), and supports nested mailboxes as well as resynchronization with the server. The current version also provides a user with the ability to create, delete, and rename mailboxes.

POP (Post Office Protocol) was designed to support offline mail processing. That is, the client connects to the server to download mail that the server is holding for the client. The mail is deleted from the server and is handled offline (locally) on the client machine.

The Problem

In the implementation of both protocols on a UNIX system, the server must run with root privileges so it can access mail folders and undertake some file manipulation on behalf of the user logging in. After login, these privileges are discarded. However, in at least the University of Washington's implementation, a vulnerability exists in the way the login transaction is handled. This vulnerability can be exploited to gain privileged access on the server. By transmitting carefully crafted text to a system running a vulnerable version of these servers, remote users may be able to cause a buffer overflow and execute arbitrary instructions with root privileges.

Vulnerable versions of POP include University of Washington ipop2 versions prior to 2.3(32) and ipop3 version 3.3(27) or older, QPOP versions 2.5 or older and beta versions 3.0b20 or older, and others.

CAN 2001-0443
Unrelated but similar vulnerabilities affect QVT/Net popd 4.20 (part of the QVT/Net 5.0 suite) and earlier, and Mercury MTA for Netware running Mercury prior to 1.48 or Netware prior to 4.11. See the advisories listed at the bottom of this tutorial for a complete list of vulnerable POP servers.

CVE 2000-0442
Three more recent vulnerabilities have been discovered which affect QPOP. The first is caused by the euidl command failing to properly validate user input. This command could be used with a specially crafted e-mail message to gain shell access to the server with the privileges of the mail group. A valid account name and password would be required to exploit this vulnerability. QPOP versions 2.53 and earlier are affected.

2/5/02
CVE 2001-1046
The second vulnerability is a buffer overflow in the processing of the user's login name. By supplying a specially crafted name longer than 63 characters, a remote attacker could crash the service or execute arbitrary commands. QPOP versions 4.0 through 4.0.2 are affected by this vulnerability.

3/17/03
CAN 2003-0143
The third vulnerability is in Qvsnprintf, which is QPOP's own implementation of the vsnprintf function call. A failure to add a terminating null byte when creating long strings could cause a buffer overflow during subsequent calls to the strcat function, thus allowing the execution of commands. A valid account name and password are required to exploit this vulnerability, and commands would be executed with the privileges of that user, so the vulnerability would not allow any additional privileges on systems which already allow shell access by mail user accounts. It would only be a concern on systems which do not allow shell access by mail users. QPOP 4.0.4 and earlier are affected.
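The defect class behind the Qvsnprintf issue is easy to reproduce in miniature. The following is an added example, not Qpopper's code: a hypothetical vsnprintf replacement that copies at most `size` bytes but omits the terminating null when the output is truncated, beside a corrected wrapper that always terminates, and a bounded append that refuses to behave like strcat on a buffer with no terminator. The 16-byte buffer and the long login name are constructed for the demonstration.

```c
/* Added example (not Qpopper's code): a simplified model of the Qvsnprintf
 * defect -- a vsnprintf replacement that forgets the terminating NUL when
 * the output is truncated -- beside a terminated version and a bounded
 * concatenation that refuses to run past an unterminated buffer. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buggy wrapper: formats into scratch space, then copies up to
 * `size` bytes. When the text is `size` bytes or longer no NUL is written,
 * so `dst` is no longer a C string and a later strcat() runs off the end. */
int buggy_vsnprintf(char *dst, size_t size, const char *fmt, va_list ap)
{
    char tmp[512];
    int len = vsnprintf(tmp, sizeof tmp, fmt, ap);
    if (len < 0)
        return len;
    size_t n = (size_t)len < size ? (size_t)len : size;
    memcpy(dst, tmp, n);
    if ((size_t)len < size)
        dst[len] = '\0';            /* terminated only when it fits */
    return len;
}

/* Corrected wrapper: always terminates when size > 0, matching C99
 * vsnprintf semantics (truncate to size - 1 and append the NUL). */
int fixed_vsnprintf(char *dst, size_t size, const char *fmt, va_list ap)
{
    char tmp[512];
    int len = vsnprintf(tmp, sizeof tmp, fmt, ap);
    if (len < 0 || size == 0)
        return len;
    size_t n = (size_t)len < size ? (size_t)len : size - 1;
    memcpy(dst, tmp, n);
    dst[n] = '\0';
    return len;
}

typedef int (*fmt_fn)(char *, size_t, const char *, va_list);

static int format_with(fmt_fn fn, char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = fn(dst, size, fmt, ap);
    va_end(ap);
    return r;
}

/* 1 if `buf` contains a NUL within `size` bytes, i.e. it is a C string. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Bounded append, the safe replacement for strcat() into a fixed buffer.
 * Returns 0 on success, -1 if dst is unterminated or src does not fit. */
int bounded_cat(char *dst, size_t size, const char *src)
{
    if (!is_terminated(dst, size))
        return -1;                  /* strcat() here would overflow */
    size_t used = strlen(dst);
    size_t need = strlen(src);
    if (need >= size - used)
        return -1;                  /* no room for src plus the NUL */
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Formats a constructed 32-byte login name into a 16-byte buffer with the
 * given wrapper and reports whether the buffer is still a C string. */
int demo(fmt_fn fn)
{
    char buf[16];
    memset(buf, 'X', sizeof buf);
    format_with(fn, buf, sizeof buf, "%s", "a-user-name-longer-than-16-bytes");
    return is_terminated(buf, sizeof buf);
}

/* Exercises bounded_cat() on a 16-byte buffer; returns the final length,
 * or -1 if an append that must be refused was accepted (or vice versa). */
int cat_demo(void)
{
    char buf[16] = "abc";
    if (bounded_cat(buf, sizeof buf, "def") != 0) return -1;
    if (bounded_cat(buf, sizeof buf, "0123456789") != -1) return -1; /* 6 + 10 leaves no NUL */
    if (bounded_cat(buf, sizeof buf, "012345678") != 0) return -1;   /* 6 + 9 + NUL = 16 */
    return (int)strlen(buf);
}

int main(void)
{
    printf("buggy wrapper leaves a terminator: %d\n", demo(buggy_vsnprintf));
    printf("fixed wrapper leaves a terminator: %d\n", demo(fixed_vsnprintf));
    printf("bounded_cat final length: %d\n", cat_demo());
    return 0;
}
```

The check that matters for review is `is_terminated`: any routine that hands a buffer to strcat or strlen must guarantee a NUL inside the buffer's bounds, and a wrapper that only writes the NUL on the non-truncated path breaks that guarantee exactly when the input is longest.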

Resolution

Telnet to ports 109 and 110 of your server to find out what version of POP is running. Sites running vulnerable versions of the University of Washington POP server should upgrade to the latest version, available in the IMAP toolkit. Sites running a vulnerable version of QPOP should upgrade to the latest version. See the QPOP home page. Sites running other vulnerable versions of POP can find fix information from their particular vendor in one of the documents listed at the bottom of this tutorial.
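Once the greeting has been read from port 110, the version in it has to be compared against the ranges given earlier in this tutorial. The following is an added example, not part of the tutorial or of Qpopper: it parses a QPOP/Qpopper greeting and returns a bitmask of which of the four QPOP issues above apply to that version. The greeting layout `+OK QPOP (version X.Y.Z) at host starting.` and the sample greetings in `main` are assumptions constructed for the example; check them against what your own server actually sends.

```c
/* Added example, not part of the tutorial or of Qpopper: map the version
 * in a QPOP greeting against the ranges the tutorial lists. The banner
 * layout "+OK QPOP (version X.Y.Z) at host starting." is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    QPOP_ROOT_OVERFLOW  = 1,  /* 2.5 or older, betas 3.0b20 or older */
    QPOP_EUIDL          = 2,  /* CVE 2000-0442: 2.53 and earlier */
    QPOP_LOGIN_OVERFLOW = 4,  /* CVE 2001-1046: 4.0 through 4.0.2 */
    QPOP_QVSNPRINTF     = 8   /* CAN 2003-0143: 4.0.4 and earlier */
};

struct ver { int major, minor, patch, release, beta; };

/* Parses "2.53", "4.0.2" or "3.0b20". Returns 0 on malformed input. */
int parse_version(const char *s, struct ver *v)
{
    char *end;
    memset(v, 0, sizeof *v);
    v->release = 1;
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s) return 0;
    if (*end == '.') {                       /* optional patch level */
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s) return 0;
    }
    if (*end == 'b') {                       /* beta suffix, e.g. 3.0b20 */
        s = end + 1;
        v->beta = (int)strtol(s, &end, 10);
        if (end == s) return 0;
        v->release = 0;
    }
    return *end == '\0';
}

/* Three-way compare; a beta sorts before the release it precedes. */
int cmp_version(const struct ver *a, const struct ver *b)
{
    int d;
    if ((d = a->major - b->major)) return d;
    if ((d = a->minor - b->minor)) return d;
    if ((d = a->patch - b->patch)) return d;
    if ((d = a->release - b->release)) return d;
    return a->beta - b->beta;
}

static int vcmp(const char *a, const char *b)
{
    struct ver va, vb;
    parse_version(a, &va);
    parse_version(b, &vb);
    return cmp_version(&va, &vb);
}

/* Bitmask of the issues above for a QPOP version string; -1 if unparsable. */
int assess_qpop(const char *version)
{
    struct ver v;
    int flags = 0;
    if (!parse_version(version, &v)) return -1;
    if (vcmp(version, "2.5") <= 0 ||
        (!v.release && v.major == 3 && v.minor == 0 && v.beta <= 20))
        flags |= QPOP_ROOT_OVERFLOW;
    if (vcmp(version, "2.53") <= 0) flags |= QPOP_EUIDL;
    if (vcmp(version, "4.0") >= 0 && vcmp(version, "4.0.2") <= 0)
        flags |= QPOP_LOGIN_OVERFLOW;
    if (vcmp(version, "4.0.4") <= 0) flags |= QPOP_QVSNPRINTF;
    return flags;
}

/* Copies the text between "(version " and ")" into out; 0 if absent. */
int extract_version(const char *banner, char *out, size_t outsz)
{
    const char *p = strstr(banner, "(version ");
    if (!p) return 0;
    p += strlen("(version ");
    const char *q = strchr(p, ')');
    if (!q || (size_t)(q - p) >= outsz) return 0;
    memcpy(out, p, (size_t)(q - p));
    out[q - p] = '\0';
    return 1;
}

/* Assesses a whole greeting line; -1 if it is not a QPOP-style greeting. */
int assess_banner(const char *banner)
{
    char ver[32];
    if (strncmp(banner, "+OK", 3) != 0 || !extract_version(banner, ver, sizeof ver))
        return -1;
    return assess_qpop(ver);
}

int main(void)
{
    /* Constructed sample greetings; a real check reads the first line the
     * server sends after a connection to port 110. */
    const char *samples[] = {
        "+OK QPOP (version 2.53) at mail.example.com starting.",
        "+OK Qpopper (version 4.0.1) at mail.example.com starting.",
        "+OK Qpopper (version 4.0.5) at mail.example.com starting.",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-58s issues=0x%x\n", samples[i], assess_banner(samples[i]));
    return 0;
}
```

A zero result only means none of the ranges named in this tutorial match; it says nothing about issues disclosed later, and a server that has been configured to suppress its version in the greeting yields -1 rather than a clean bill of health.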

Until you can take one of the above actions, temporarily disable the POP service. On many systems, you will need to edit the /etc/inetd.conf file. However, you should check your vendor's documentation because systems vary in file location and the exact changes required (for example, sending the inetd process a HUP signal or killing and restarting the daemon). If you are not able to temporarily disable the POP service, then you should at least limit access to the vulnerable services to machines in your local network. This can be done by installing TCP wrappers, not only for logging but also for access control. Note: Even with access control via TCP wrappers, you are still vulnerable to attacks from hosts that are allowed to connect to the vulnerable POP service.

Where can I read more about this?

Read more about this vulnerability in CIAC Bulletin K-009, CERT Advisory 98.08, and CERT Advisory 97.09. The vulnerability in the euidl command is discussed in a posting to Bugtraq. The login name buffer overflow affecting QPopper was reported in an X-Force Alert. The vulnerability in Qpopper's Qvsnprintf command was posted to Bugtraq. The vulnerabilities in QVT/Net and Mercury were posted to Bugtraq.