10.3 POP-2 and POP-3

Post Office Protocol Versions 2 and 3 (POP-2 and POP-3) are end-user email retrieval services. POP-2 services are rare nowadays; most organizations run POP-3 instead, which listens on TCP port 110. Common POP-3 email services include Qualcomm QPOP (also known as qpopper; it runs on many Unix platforms) and the POP-3 component of Microsoft Exchange. These services are traditionally vulnerable to brute-force password grinding and process-manipulation attacks, as discussed next.

10.3.1 POP-3 Brute-Force Password-Grinding

After performing enumeration and identifying local user accounts through Sendmail and other avenues, it is trivial to perform a brute-force password-grinding attack. As I've discussed throughout the book so far, tools such as Brutus and Hydra offer parallel password grinding to the masses.

Brute-force password-grinding attacks against most POP-3 servers are frequently effective, for three reasons:

  • They don't pay attention to account lockout policies.

  • They allow a large number of login attempts before disconnecting.

  • They don't log unsuccessful login attempts.
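The three weaknesses above are all server-side policy gaps, so the clearest way to see what a hardened POP-3 authorization state (RFC 1939, section 4) looks like is a small one that closes them. The following is an added illustration written for this section, not code from qpopper, Exchange, or any other product: it honours a lockout policy at the USER command, caps failed PASS attempts per connection before disconnecting, and logs every failure with the peer address. The credential store, thresholds, and scripted client session are constructed for the demo.

```python
import hmac
import logging
from typing import Dict, List, Optional

log = logging.getLogger("pop3-auth")

# Constructed credential store for the demo (a real server would verify
# against a hashed password database, never a plaintext dictionary).
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "hunter2"}

MAX_ATTEMPTS_PER_CONNECTION = 3  # failed PASS commands allowed before disconnect (assumed value)
LOCKOUT_THRESHOLD = 5            # failures per account before USER is refused (assumed value)

# Shared across connections so a lockout survives the client reconnecting.
FAILURES_BY_USER: Dict[str, int] = {}


def reset_lockouts() -> None:
    """Clear the shared failure counters (used between demo runs)."""
    FAILURES_BY_USER.clear()


class Pop3AuthSession:
    """Tracks the AUTHORIZATION state of one client connection (RFC 1939 section 4)."""

    def __init__(self, peer: str) -> None:
        self.peer = peer              # client address, recorded in every log line
        self.user: Optional[str] = None
        self.attempts = 0             # failed PASS commands on this connection
        self.authenticated = False
        self.closed = False           # True once the server should drop the socket

    def handle(self, line: str) -> str:
        """Process one client command line and return the server reply."""
        if self.closed:
            return "-ERR connection closed"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()

        if verb == "USER":
            # Gap 1: honour the lockout policy before accepting a username.
            if FAILURES_BY_USER.get(arg, 0) >= LOCKOUT_THRESHOLD:
                log.warning("lockout user=%s peer=%s", arg, self.peer)
                return self._close("-ERR account locked")
            self.user = arg
            return "+OK name is a valid mailbox"

        if verb == "PASS":
            if self.user is None:
                return "-ERR USER first"
            expected = USERS.get(self.user, "")
            if self.user in USERS and hmac.compare_digest(expected.encode(), arg.encode()):
                self.authenticated = True
                FAILURES_BY_USER.pop(self.user, None)   # success clears the counter
                return "+OK maildrop locked and ready"
            # Gap 3: log every failure with enough detail to correlate later.
            self.attempts += 1
            FAILURES_BY_USER[self.user] = FAILURES_BY_USER.get(self.user, 0) + 1
            log.warning("auth failed user=%s peer=%s attempt=%d",
                        self.user, self.peer, self.attempts)
            self.user = None          # RFC 1939: client must re-issue USER after a failed PASS
            # Gap 2: cap attempts per connection and drop the client.
            if self.attempts >= MAX_ATTEMPTS_PER_CONNECTION:
                return self._close("-ERR too many failed logins")
            return "-ERR invalid password"

        if verb == "QUIT":
            return self._close("+OK bye")
        return "-ERR unknown command"

    def _close(self, reply: str) -> str:
        self.closed = True
        return reply


def run_session(peer: str, lines: List[str]) -> List[str]:
    """Feed a scripted client session through one connection; returns the replies."""
    session = Pop3AuthSession(peer)
    return [session.handle(line) for line in lines]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    reset_lockouts()
    # Constructed grinding attempt against bob: three wrong guesses, then the server cuts the client off.
    for reply in run_session("203.0.113.7", ["USER bob", "PASS aaaa", "USER bob",
                                            "PASS bbbb", "USER bob", "PASS cccc", "USER bob"]):
        print(reply)
```

Because the failure counter lives outside the session object, reconnecting does not reset it, which is what makes the per-account lockout meaningful against a parallel grinder; the per-connection cap alone only slows a tool that reconnects after every few guesses.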

Many specific Unix-based POP-3 brute-force tools exist and can be found in the Packet Storm archive, including:

http://packetstormsecurity.org/groups/ADM/ADM-pop.c
http://packetstormsecurity.org/Crackers/Pop_crack.tar.gz
http://packetstormsecurity.org/Crackers/hv-pop3crack.pl

10.3.2 POP-3 Process Manipulation Attacks

Both unauthenticated and authenticated process-manipulation attacks pose a serious threat to security. Most users who pick up email via POP-3 shouldn't be able to execute arbitrary commands on the POP-3 server, but post-authentication overflows in user commands such as LIST, RETR, or DELE let them do exactly that.

10.3.2.1 Qualcomm QPOP process-manipulation vulnerabilities

At the time of writing, the MITRE CVE list details a handful of remotely exploitable vulnerabilities in Qualcomm QPOP (denial-of-service issues excluded), as shown in Table 10-4. Serious post-authentication vulnerabilities are included in Table 10-4 because they allow authenticated users to execute arbitrary code.

Table 10-4. Remotely exploitable QPOP vulnerabilities

CVE name        Date         Notes
CVE-1999-0006   28/06/1998   QPOP 2.5 and prior PASS command overflow
CVE-1999-0822   29/11/1999   QPOP 3.0 AUTH command overflow
CVE-2000-0096   26/01/2000   QPOP 3.0 post-authentication LIST overflow
CVE-2000-0442   23/05/2000   QPOP 2.53 post-authentication EUIDL overflow
CVE-2001-1046   02/06/2001   QPOP 4.0 through 4.0.2 USER command overflow
CVE-2003-0143   10/03/2003   QPOP 4.x prior to 4.0.5fc2 post-authentication MDEF macro name overflow

Exploits for most of these bugs are publicly available from archives such as Packet Storm, as detailed here. If these links don't work, I have packaged the files at http://examples.oreilly.com/networksa/tools/qpop-exploits.tgz. At the time of writing, there are no public exploits for the USER overflow in CVE-2001-1046.

CVE-1999-0006
  http://packetstormsecurity.org/9904-exploits/qpop242.c
  http://packetstormsecurity.org/Exploit_Code_Archive/qpopper-bsd-xploit.c

CVE-1999-0822
  http://packetstormsecurity.org/9911-exploits/qpop-sk8.c
  http://packetstormsecurity.org/9911-exploits/q3smash.c
  http://packetstormsecurity.org/0009-exploits/qpop3b.c

CVE-2000-0096
  http://packetstormsecurity.org/0001-exploits/qpop-exploit-net.c
  http://packetstormsecurity.org/0002-exploits/qpop-list.c

CVE-2000-0442
  http://packetstormsecurity.org/0007-exploits/7350qpop.c
  http://www.security.nnov.ru/files/qpopeuidl.c

CVE-2003-0143
  http://www.security.nnov.ru/files/qex.c
  http://www.exploitdatabase.com/upload/uploads/8/qex.c

10.3.2.2 Microsoft Exchange POP-3 process-manipulation vulnerabilities

At the time of writing, no serious remotely exploitable vulnerabilities are known in the Microsoft Exchange POP-3 server. Scouring the MITRE CVE list, ISS X-Force database, and CERT knowledge base turned up no publicized bugs. This may well change over time, so check these vulnerability lists periodically to assure the security of this service component into the future.
