10.3 POP-2 and POP-3

Post Office Protocol Versions 2 and 3 (POP-2 and POP-3) are end-user email services. POP-2 services are rare nowadays because most organizations use POP-3 rather than TCP port 110. Common POP-3 email services include Qualcomm QPOP (also known as qpopper; it runs on many Unix platforms) and the POP-3 component of Microsoft Exchange. These services are traditionally vulnerable to brute-force password grinding and process-manipulation attacks, as discussed next.

10.3.1 POP-3 Brute-Force Password-Grinding

After performing enumeration and identifying local user accounts through Sendmail and other avenues, it is trivial to perform a brute-force password-grinding attack. As I've discussed throughout the book so far, tools such as Brutus and Hydra offer parallel password grinding to the masses.

You can use most POP-3 servers to launch frequently effective brute-force password-grinding attacks, for three reasons:

• They don't pay attention to account lockout policies.

• They allow a large number of login attempts before disconnecting.

• They don't log unsuccessful login attempts.

Many specific Unix-based POP-3 brute-force tools exist and can be found in the Packet Storm archive, including:

http://packetstormsecurity.org/groups/ADM/ADM-pop.c

http://packetstormsecurity.org/Crackers/Pop_crack.tar.gz

http://packetstormsecurity.org/Crackers/hv-pop3crack.pl

10.3.2 POP-3 Process Manipulation Attacks

Both unauthenticated and authenticated process-manipulation attacks pose a serious threat to security. Most users who pick up email via POP-3 shouldn't be allowed to execute arbitrary commands on the POP-3 server; however, they can do so via post-authentication overflows in user commands such as LIST, RETR, or DELE.

10.3.2.1 Qualcomm QPOP process-manipulation vulnerabilities

At the time of writing the MITRE CVE list details a handful of vulnerabilities in Qualcomm QPOP (not including denial of service issues), as shown in Table 10-4. Serious post-authentication vulnerabilities are also listed in Table 10-4 because they allow users to execute arbitrary code.

Exploits for most of these bugs are publicly available from archives such as Packet Storm, as detailed here. If these links don't work, I have packaged the files at http://examples.oreilly.com/networksa/tools/qpop-exploits.tgz. At the time of writing, there are no public exploits for the USER overflow in CVE-2001-1046.

CVE-1999-0006

http://packetstormsecurity.org/9904-exploits/qpop242.c

http://packetstormsecurity.org/Exploit_Code_Archive/qpopper-bsd-xploit.c

CVE-1999-0822

http://packetstormsecurity.org/9911-exploits/qpop-sk8.c

http://packetstormsecurity.org/9911-exploits/q3smash.c

http://packetstormsecurity.org/0009-exploits/qpop3b.c

CVE-2000-0096

http://packetstormsecurity.org/0001-exploits/qpop-exploit-net.c

http://packetstormsecurity.org/0002-exploits/qpop-list.c

CVE-2000-0442

http://packetstormsecurity.org/0007-exploits/7350qpop.c

http://www.security.nnov.ru/files/qpopeuidl.c

CVE-2003-0143

http://www.security.nnov.ru/files/qex.c

http://www.exploitdatabase.com/upload/uploads/8/qex.c

10.3.2.2 Microsoft Exchange POP-3 process-manipulation vulnerabilities

At the time of writing, no serious remotely exploitable vulnerabilities are known in the Microsoft Exchange POP-3 server. Upon scouring the MITRE CVE list, ISS X-Force database, and CERT knowledge base, no publicized bugs were found. This fact may well change over time, so it is important to check these vulnerability lists to assure the security of this service component into the future.