
Re: popper protection



Philippe Platiau wrote:
> 
> Sorry, but I forgot to send you an example:
> 
> Feb 28 01:34 my_hostname popper[1351]: [truncated] @pm117.bhnet.comm.br:
> -ERR Unknown command: "^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P..."
> 
> I suppose it's correct and that it's protected
>  but...

This is a username buffer overflow attack.  It's done by
telnetting to your mailserver port 110 and entering at least
130 control-P's like the guy was trying to do.  If your
pop server is vulnerable, it will crash leaving the
intruder at a root prompt on your machine.

This same attack also works on NFS.

You need to make sure you have the latest versions of
your POP server software and NFS to protect yourself against
this sort of attack.  Basically, these vulnerabilities were
discovered in mid 1998 or earlier, so RedHat 5.2 should be
safe.

The other one is the IMAP server, which is vulnerable on some
early CDs of RedHat 5.2.  Be sure you have imap turned off
in /etc/inetd.conf and that you do a "prompt # kill -HUP inetd"
to make the change effective.

-- 
Ramon Gandia ================= Sysadmin ================ Nook Net
http://www.nook.net                                  rfg nook net
285 West First Avenue                           tel. 907-443-7575
P.O. Box 970                                    fax. 907-443-2487
Nome, Alaska 99762-0970 ========== Alaska Toll Free. 888-443-7525
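
A defender-side check for the log pattern quoted in this message, as an added example that is not part of the original post: it flags popper "Unknown command" errors whose echoed command is a run of control characters and counts them per client. The sample lines, host names and the MIN_CTRL threshold are constructed assumptions; the line layout is modelled on the single log line quoted above.

```python
import re
from collections import Counter

# "<timestamp> <host> popper[<pid>]: <detail>" (layout assumed from the quoted line)
LINE_RE = re.compile(r'popper\[\d+\]: (?P<detail>.*)$')
# Client host as logged before the error text, e.g. "@client-a.example.net:"
CLIENT_RE = re.compile(r'@(?P<client>[\w.-]+):')
# The rejected command as echoed back by the POP server
CMD_RE = re.compile(r'-ERR Unknown command: "(?P<cmd>.*)')
# Caret notation used when control bytes are logged: ^@, ^A..^Z, ^[ .. ^_, ^?
CARET_RE = re.compile(r'\^[@-_?]')

# Assumed threshold. The log truncates the command ("..."), so the full
# overflow length is never visible; a short run is already abnormal for POP3.
MIN_CTRL = 8

def suspicious_command(line):
    """Return (client, control_char_count) for a popper 'Unknown command'
    line dominated by control characters, otherwise None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    detail = m.group('detail')
    cmd = CMD_RE.search(detail)
    if not cmd:
        return None
    text = cmd.group('cmd')
    # Count both caret-escaped and raw control bytes.
    ctrl = len(CARET_RE.findall(text))
    ctrl += sum(ord(c) < 0x20 or ord(c) == 0x7f for c in text)
    if ctrl < MIN_CTRL:
        return None
    client = CLIENT_RE.search(detail)
    return (client.group('client') if client else 'unknown', ctrl)

def scan(lines):
    """Count suspicious lines per client host."""
    hits = (suspicious_command(l) for l in lines)
    return Counter(h[0] for h in hits if h)

# Constructed sample input (not real log data).
SAMPLE_LOG = [
    'Feb 28 01:34 mailhost popper[1351]: @client-a.example.net: '
    '-ERR Unknown command: "' + '^P' * 25 + '..."',
    'Feb 28 01:35 mailhost popper[1352]: @client-b.example.net: '
    '-ERR Unknown command: "stat".',
    'Feb 28 01:36 mailhost othersvc[1360]: constructed unrelated line',
    'Feb 28 01:37 mailhost popper[1354]: @client-a.example.net: '
    '-ERR Unknown command: "' + '\x10' * 40 + '"',
]

if __name__ == '__main__':
    for client, count in scan(SAMPLE_LOG).items():
        print(f'{client}: {count} suspicious popper command(s)')
```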


