Re: POP Buffer Overflow

  • From: "Christian Villeneuve" <Christian.Villeneuve@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 3 May 2002 10:06:20 -0400

Appreciate the feedback Thor,

Best regards

Chris
-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@xxxxxxxxxxxxxxx]
Sent: Friday, May 03, 2002 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: POP Buffer Overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 06:41 AM 5/3/2002, you wrote:

>I only find this in the event log on the ISA server.
>
>Event Type:     Warning
>Event Source:   ISS Filter
>Event Category: None
>Event ID:       6
>Date:           4/30/2002
>Time:           5:32:00 PM
>User:           N/A
>Computer:       PATHFINDER
>Description:
>POP buffer overflow detected from 209.94.202.69:1617 to 206.X.X.X:110
>
>Chris


Basically, the POP Intrusion Detection filter (on by default) is picking
up what it considers to be an attack against a POP3 server.  Many
different servers have had issues where very long commands submitted to
the server could cause a buffer overrun - depending on the situation,
successful attacks would result in things like DoS or remote code
execution.

The client at the above IP is submitting data that the filter thinks
could be hostile, so it is filtering it out.  I could not find any
information on what criteria the filter uses to make this determination,
but since it was written by ISS, they may have some more information on
it.  It is too bad that ISA does not provide more information than it
does - the data that caused the trigger really should be written to a
log somewhere.  Kind of like the SMTP traps - they tell you the command
that caused the trigger, but don't tell you where it came from :(.

HTH some...

ttyt

T


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPNKXrYhsmyD15h5gEQLCBwCfU2W3oIv4WkbV4lDqwq3VDvqotngAnjOJ
Ld0AZAJvsELh2Aa7NdO6QxKK
=awCs
-----END PGP SIGNATURE-----
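
Added example (not part of the original posts, and not the ISA/ISS filter's logic, whose criteria the thread says are undocumented): one way to flag over-long POP3 commands using the length limits in RFC 1939 and RFC 2449, recording both the source and a truncated copy of the command that triggered. The function names, the strict switch and the sample addresses are assumptions made for this illustration.

```python
import re
from typing import Optional

MAX_LINE = 255   # RFC 2449: whole command line, including CRLF
MAX_ARG = 40     # RFC 1939: each argument (base protocol, no extensions)
KEYWORD = re.compile(rb"[A-Za-z]{3,4}")   # RFC 1939: 3-4 character keyword


def preview(keyword: bytes, body: bytes, limit: int = 32) -> str:
    """Escaped, truncated copy of the command that is safe to write to a log."""
    if keyword.upper() == b"PASS":
        return "PASS <redacted>"           # never log credentials
    return repr(body[:limit])              # repr() escapes control/binary bytes


def inspect_command(line: bytes, src: str, dst: str,
                    strict: bool = False) -> Optional[dict]:
    """Return an alert for a suspicious POP3 command line, or None if it is fine.

    strict=True also enforces the 40-octet argument limit of plain RFC 1939,
    which is only appropriate when the server advertises no extensions.
    """
    body = line.rstrip(b"\r\n")
    keyword, _, rest = body.partition(b" ")
    reasons = []
    if len(line) > MAX_LINE:
        reasons.append(f"line length {len(line)} > {MAX_LINE}")
    if not KEYWORD.fullmatch(keyword):
        reasons.append("malformed keyword")
    # The PASS argument may contain spaces, so it counts as one argument.
    args = [rest] if keyword.upper() == b"PASS" else rest.split(b" ")
    if strict and any(len(a) > MAX_ARG for a in args):
        reasons.append(f"argument longer than {MAX_ARG}")
    if not reasons:
        return None
    return {"src": src, "dst": dst, "length": len(line),
            "reasons": reasons, "command": preview(keyword, body)}


if __name__ == "__main__":
    # Constructed sample lines; addresses are documentation ranges.
    samples = [b"USER alice\r\n",
               b"USER " + b"A" * 600 + b"\r\n",
               b"PASS " + b"x" * 300 + b"\r\n"]
    for s in samples:
        print(inspect_command(s, "192.0.2.10:1617", "198.51.100.5:110"))
```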

