Vulnerabilities > CVE-2002-0799 - Unspecified vulnerability in Youngzsoft Cmailserver 3.30

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
youngzsoft
nessus
exploit available

Summary

Buffer overflow in YoungZSoft CMailServer 3.30 allows remote attackers to execute arbitrary code via a long USER argument.

Vulnerable Configurations

Part Description Count
Application
Youngzsoft
1

Exploit-Db

  • descriptionYoungZSoft 3.30/4.0 CMailServer Buffer Overflow Vulnerability (1). CVE-2002-0799. Remote exploit for windows platform
    idEDB-ID:21466
    last seen2016-02-02
    modified2002-05-20
    published2002-05-20
    reporteranonymous
    sourcehttps://www.exploit-db.com/download/21466/
    titleYoungZSoft 3.30/4.0 CMailServer Buffer Overflow Vulnerability 1
  • descriptionYoungZSoft 3.30/4.0 CMailServer Buffer Overflow Vulnerability (2). CVE-2002-0799. Remote exploit for windows platform
    idEDB-ID:21467
    last seen2016-02-02
    modified2002-05-21
    published2002-05-21
    reporterOver_G
    sourcehttps://www.exploit-db.com/download/21467/
    titleYoungZSoft 3.30/4.0 CMailServer Buffer Overflow Vulnerability 2

Nessus

NASL familyGain a shell remotely
NASL idPOP3_OVERFLOW.NASL
descriptionThe remote POP3 server might be vulnerable to a buffer overflow bug when it is issued at least one of these commands, with a too long argument : AUTH USER PASS If confirmed, this problem might allow an attacker to execute arbitrary code on the remote system.
last seen2020-06-01
modified2020-06-02
plugin id10184
published1999-06-22
reporterThis script is Copyright (C) 1999-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10184
titleMultiple Vendor POP3 Remote Overflows
code
#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
#      Erik Anderson <[email protected]>
#      This one script can and does test for numerous BugIDs and CVEs.  Added reference
#           links to all posted vulnerabilities with boundary lengths less than
#           the currrent script value of 2048.
#           All of these posted in the Bugtraq Database appear vulnerable (not tested).
#           Links are current up to 11/16/2002
#

include("compat.inc");

if (description)
{
 script_id(10184);
 script_version("1.56");
 script_cvs_date("Date: 2018/11/15 20:50:22");

 script_cve_id("CVE-1999-0822", "CVE-2000-0091", "CVE-2001-0776", "CVE-2001-1046", "CVE-2002-0454", "CVE-2002-0799", "CVE-2002-1781");
 script_bugtraq_id(2781, 2811, 4055, 4295, 4789, 790, 830, 942);

 script_name(english:"Multiple Vendor POP3 Remote Overflows");
 script_summary(english:"Attempts to overflow the in.pop3d buffers");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code may be run on the remote server.");
 script_set_attribute(attribute:"description", value:
"The remote POP3 server might be vulnerable to a buffer overflow bug
when it is issued at least one of these commands, with a too long
argument :

 AUTH USER PASS

If confirmed, this problem might allow an attacker to execute
arbitrary code on the remote system.");
 script_set_attribute(attribute:"solution", value:
"If you do not use POP3, disable this service. Otherwise, upgrade to a
newer version.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20030217185907/http://online.securityfocus.com:80/archive/1/27197");

 script_set_attribute(attribute:"vuln_publication_date", value:"1999/11/30");
 script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_DESTRUCTIVE_ATTACK);
 script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
 script_family(english:"Gain a shell remotely");

 script_dependencie("find_service1.nasl", "qpopper.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_exclude_keys("global_settings/supplied_logins_only");
 script_require_ports("Services/pop3", 110);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

to = get_read_timeout();

port = get_service(svc: "pop3", default: 110, exit_on_fail: 1);
fake = get_kb_item("pop3/"+port+"/false_pop3");
if(fake)exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

  d = recv_line(socket:soc, length:1024);
  if (!d || d !~ '^\\+OK') { close(soc); exit(0); }	# Not a POP3 server
  if ( egrep(pattern:"Qpopper.*4", string:d) ) exit(0);

  c = strcat('AUTH ', crap(2048), '\r\n');
  send(socket:soc, data:c);
  d = recv_line(socket:soc, length:1024, timeout: 3*to);
  if(!d)security_hole(port);
  else {
	if ( "-ERR Input buffer full, aborting" >< d ) exit(0, "Dovecot - not vulnerable");
  	c = strcat('USER ', crap(1024), '\r\n');
	send(socket:soc, data:c);
	d = recv_line(socket:soc, length:1024, timeout: 3*to);
	if(!d)security_hole(port);
	else
	{
	 if ( "-ERR Input buffer full, aborting" >< d ) exit(0, "Dovecot - not vulnerable");
	 c = strcat('PASS ', crap(1024), '\r\n');
	 send(socket:soc, data:c);
	 d = recv_line(socket:soc, length:1024, timeout: 3*to);
	 if(!d)security_hole(port);
	}
       }
   close(soc);