Possible security breach

[hescominsoon]

I am not including the code to use this exploit.



Hat-Squad Advisory: Remote Buffer overflow Vulnerability in YahooPOPS

September 22, 2004



Product: YahooPOPS!

Vendor URL: http://ypops.sourceforge.net

Version: YahooPOPS v0.4 up to v0.6

Vulnerability: Remote Buffer overflows

Release Date: 27 September 2004



Vendor Status:

Informed on 24 September 2004

Response: no response

Description:



YahooPOPs! Is an application that provides POP3 access to Yahoo! Mail. It is available on the Windows, Linux, Solaris and Mac platforms. This application emulates a POP3 & SMTP server. It also enables popular email clients like Outlook, Netscape, Eudora, Mozilla, etc., to download email from Yahoo! accounts. The Latest version of this Program is 0.6 and released in 23 May 2004 until now over 120000 users download this program.



Both POP3 and SMTP services have buffer overflow vulnerabilities. The Remote Attacker can send specific Request to these services to cause a Stack based buffer overflow which could allow a remote attacker to execute arbitrary code or just simply crash the service on a vulnerable system.



Details:



A YahooPOPS 0.x has the Local SMTP and POP3 engines to send and receive emails. SMTP service Dose not Enable By default. Users can enable SMTP by Software Options.



A POP3 USER request with more than 180 bytes will start to corrupt the heap.

POP3 request (Dos Attack):



Telnet localhost 110

+OK POP3 YahooPOPs! Proxy ready

[USER][180xA][BBBB]



As a result EAX and ECX will be overwritten.



SMTP request:

Sending a request with more than 504 bytes will overwrite ESP and cause a stack based overflow.





Telnet localhost 25

220 YahooPOPs! Simple Mail Transfer Service Ready

[504xA] [BBBB]



As a result The EIP registers will be overwritten.