ID QPOPPER2.NASL Type nessus Reporter Tenable Modified 2018-08-22T00:00:00
Description
The remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user's ~/.qpopper-options file. A local user can cause a buffer overflow by setting the 'bulldir' variable to something longer than 256 characters.
This test could not confirm the existence of the
problem - it relied on the banner being returned.
#
# This script was written by Thomas reinke <reinke@securityspace.com>
#
# See the Nessus Scripts License for details
#
# Changes by Tenable:
# - description moved, bugfix [RD]
# - Revised plugin title (8/6/09)
include("compat.inc");
if(description)
{
script_id(10948);
script_version ("1.18");
script_cve_id("CVE-2001-1046");
script_bugtraq_id(2811);
script_name(english:"Qpopper .qpopper-options Username Handling Overflow");
script_set_attribute(attribute:"synopsis", value:
"The remote mail server is affected by a remote buffer overflow
vulnerability." );
script_set_attribute(attribute:"description", value:
"The remote Qpopper server, according to its banner, is running version
4.0.3 or version 4.0.4. These versions are vulnerable to a buffer
overflow if they are configured to allow the processing of a user's
~/.qpopper-options file. A local user can cause a buffer overflow by
setting the 'bulldir' variable to something longer than 256 characters.
*** This test could not confirm the existence of the
*** problem - it relied on the banner being returned." );
# https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e8c930d6" );
script_set_attribute(attribute:"solution", value:
"There is no known solution at this time." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2002/05/02");
script_set_attribute(attribute:"vuln_publication_date", value: "2001/04/20");
script_cvs_date("Date: 2018/08/22 16:49:14");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"Qpopper options buffer overflow");
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2002-2018 Thomas Reinke");
script_family(english:"Misc.");
script_dependencie("find_service1.nasl");
script_require_ports("Services/pop3", 110);
exit(0);
}
#
# The script code starts here
#
port = get_kb_item("Services/pop3");
if(!port)port = 110;
banner = get_kb_item(string("pop3/banner/", port));
if(!banner)
{
if(get_port_state(port))
{
soc = open_sock_tcp(port);
if(!soc)exit(0);
banner = recv_line(socket:soc, length:4096);
}
}
if(banner)
{
if(ereg(pattern:".*Qpopper.*version (4\.0\.[34]).*", string:banner, icase:TRUE))
{
security_hole(port);
}
}
exit(0);
{"id": "QPOPPER2.NASL", "bulletinFamily": "scanner", "title": "Qpopper .qpopper-options Username Handling Overflow", "description": "The remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user's ~/.qpopper-options file. A local user can cause a buffer overflow by setting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "published": "2002-05-02T00:00:00", "modified": "2018-08-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=10948", "reporter": "Tenable", "references": ["http://www.nessus.org/u?e8c930d6"], "cvelist": ["CVE-2001-1046"], "type": "nessus", "lastseen": "2019-02-21T01:07:43", "history": [{"lastseen": "2018-09-01T23:54:47", "edition": 6, "differentElements": ["description"], "bulletin": {"lastseen": "2018-09-01T23:54:47", "references": ["http://www.nessus.org/u?e8c930d6"], "pluginID": "10948", "description": "The remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user's ~/.qpopper-options file. A local user can cause a buffer overflow by setting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "edition": 6, "reporter": "Tenable", "history": [], "published": "2002-05-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "Qpopper .qpopper-options Username Handling Overflow", "type": "nessus", "objectVersion": "1.3", "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1046"], "cpe": [], "modified": "2018-08-22T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10948", "id": "QPOPPER2.NASL", "viewCount": 2, "sourceData": "#\n# This script was written by Thomas reinke <reinke@securityspace.com>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - description moved, bugfix [RD]\n# - Revised plugin title (8/6/09)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10948);\n script_version (\"1.18\");\n script_cve_id(\"CVE-2001-1046\");\n script_bugtraq_id(2811);\n\n script_name(english:\"Qpopper .qpopper-options Username Handling Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by a remote buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\" );\n # https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8c930d6\" );\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known solution at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/05/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/04/20\");\n script_cvs_date(\"Date: 2018/08/22 16:49:14\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Thomas Reinke\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_hole(port);\n }\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "hashmap": [{"hash": "494788acae05b0531a634d496633a677", "key": "sourceData"}, {"hash": "6e04df31f1bbb1c02666d0dfa3638f76", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "17762a209a2c8428802b5ba2f988e880", "key": "cvelist"}, {"hash": "71bc5ce2c6c2082eec188cd6e47cddff", "key": "modified"}, {"hash": "eaabff64c0b327ace227cfdee8caea1a", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "4c7ad6b3401702531bcd393314d86001", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6f82ce60af0183bb67f29d2952920b0a", "key": "description"}, {"hash": "3aec5110fd8334348304f772f06b3fca", "key": "href"}, {"hash": "56a4e00ad279376720ace8803762cd32", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "hash": "d26524c50c9ca96c11d6a8fe171389083d7a298fc6543b124fb1419234d3c53c"}}, {"lastseen": "2016-09-26T17:25:23", "edition": 1, "differentElements": ["references", "modified", "sourceData"], "bulletin": {"lastseen": "2016-09-26T17:25:23", "references": ["http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html"], "pluginID": "10948", "description": "The remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user's ~/.qpopper-options file. A local user can cause a buffer overflow by setting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "edition": 1, "reporter": "Tenable", "history": [], "published": "2002-05-02T00:00:00", "title": "Qpopper .qpopper-options Username Handling Overflow", "type": "nessus", "objectVersion": "1.2", "naslFamily": "Misc.", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-1046"], "modified": "2011-03-11T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10948", "id": "QPOPPER2.NASL", "viewCount": 0, "sourceData": "#\n# This script was written by Thomas reinke <reinke@securityspace.com>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - description moved, bugfix [RD]\n# - Revised plugin title, added OSVDB ref (8/6/09)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10948);\n script_version (\"$Revision: 1.15 $\");\n script_cve_id(\"CVE-2001-1046\");\n script_bugtraq_id(2811);\n script_osvdb_id(776);\n\n script_name(english:\"Qpopper .qpopper-options Username Handling Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by a remote buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known solution at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/05/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/04/20\");\n script_cvs_date(\"$Date: 2011/03/11 21:52:38 $\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2011 Thomas Reinke\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_hole(port);\n }\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6e04df31f1bbb1c02666d0dfa3638f76", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "17762a209a2c8428802b5ba2f988e880", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "0b641e186e1f68945e42e99b9bd4fbd7", "key": "modified"}, {"hash": "922cd6c4f31db3e79fe72f876e5d6571", "key": "sourceData"}, {"hash": "4c7ad6b3401702531bcd393314d86001", "key": "published"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6f82ce60af0183bb67f29d2952920b0a", "key": "description"}, {"hash": "3aec5110fd8334348304f772f06b3fca", "key": "href"}, {"hash": "56a4e00ad279376720ace8803762cd32", "key": "title"}, {"hash": "80b4645203a91d2cec7b053e7210d25b", "key": "references"}], "hash": "f2941bc742ca5f4fe2bf52512a053835a0e75b3eebbb1a263f2a9e98b66100d9"}}, {"lastseen": "2016-11-02T21:26:02", "edition": 2, "differentElements": ["modified", "sourceData"], "bulletin": {"lastseen": "2016-11-02T21:26:02", "references": ["http://www.nessus.org/u?e8c930d6"], "pluginID": "10948", "description": "The remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user's ~/.qpopper-options file. A local user can cause a buffer overflow by setting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "edition": 2, "reporter": "Tenable", "history": [], "published": "2002-05-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "Qpopper .qpopper-options Username Handling Overflow", "type": "nessus", "objectVersion": "1.2", "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1046"], "cpe": [], "modified": "2016-11-02T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10948", "id": "QPOPPER2.NASL", "viewCount": 1, "sourceData": "#\n# This script was written by Thomas reinke <reinke@securityspace.com>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - description moved, bugfix [RD]\n# - Revised plugin title, added OSVDB ref (8/6/09)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10948);\n script_version (\"$Revision: 1.16 $\");\n script_cve_id(\"CVE-2001-1046\");\n script_bugtraq_id(2811);\n script_osvdb_id(776);\n\n script_name(english:\"Qpopper .qpopper-options Username Handling Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by a remote buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\" );\n # https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8c930d6\" );\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known solution at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/05/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/04/20\");\n script_cvs_date(\"$Date: 2016/11/02 14:37:08 $\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2016 Thomas Reinke\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_hole(port);\n }\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "hashmap": [{"hash": "6e04df31f1bbb1c02666d0dfa3638f76", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "17762a209a2c8428802b5ba2f988e880", "key": "cvelist"}, {"hash": "eaabff64c0b327ace227cfdee8caea1a", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "6249051a0279d3205c62b5abbee8dab7", "key": "modified"}, {"hash": "0396b31adf9bf5084f7c4c01ac8f5604", "key": "sourceData"}, {"hash": "4c7ad6b3401702531bcd393314d86001", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6f82ce60af0183bb67f29d2952920b0a", "key": "description"}, {"hash": "3aec5110fd8334348304f772f06b3fca", "key": "href"}, {"hash": "56a4e00ad279376720ace8803762cd32", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "hash": "e5d61b0084ca0eb3cffa6e57cbb1a546a9ae5732b613a85e7fd5b4a090054646"}}, {"lastseen": "2018-08-23T17:52:56", "edition": 4, "differentElements": ["cvss"], "bulletin": {"lastseen": "2018-08-23T17:52:56", "references": ["http://www.nessus.org/u?e8c930d6"], "pluginID": "10948", "description": "The remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user's ~/.qpopper-options file. A local user can cause a buffer overflow by setting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "edition": 4, "reporter": "Tenable", "history": [], "published": "2002-05-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "Qpopper .qpopper-options Username Handling Overflow", "type": "nessus", "objectVersion": "1.3", "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1046"], "cpe": [], "modified": "2018-08-22T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10948", "id": "QPOPPER2.NASL", "viewCount": 1, "sourceData": "#\n# This script was written by Thomas reinke <reinke@securityspace.com>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - description moved, bugfix [RD]\n# - Revised plugin title (8/6/09)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10948);\n script_version (\"1.18\");\n script_cve_id(\"CVE-2001-1046\");\n script_bugtraq_id(2811);\n\n script_name(english:\"Qpopper .qpopper-options Username Handling Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by a remote buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\" );\n # https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8c930d6\" );\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known solution at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/05/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/04/20\");\n script_cvs_date(\"Date: 2018/08/22 16:49:14\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Thomas Reinke\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_hole(port);\n }\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "hashmap": [{"hash": "494788acae05b0531a634d496633a677", "key": "sourceData"}, {"hash": "6e04df31f1bbb1c02666d0dfa3638f76", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "17762a209a2c8428802b5ba2f988e880", "key": "cvelist"}, {"hash": "71bc5ce2c6c2082eec188cd6e47cddff", "key": "modified"}, {"hash": "eaabff64c0b327ace227cfdee8caea1a", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "4c7ad6b3401702531bcd393314d86001", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6f82ce60af0183bb67f29d2952920b0a", "key": "description"}, {"hash": "3aec5110fd8334348304f772f06b3fca", "key": "href"}, {"hash": "56a4e00ad279376720ace8803762cd32", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "hash": "d26524c50c9ca96c11d6a8fe171389083d7a298fc6543b124fb1419234d3c53c"}}, {"lastseen": "2019-01-16T20:05:15", "edition": 7, "differentElements": ["description"], "bulletin": {"lastseen": "2019-01-16T20:05:15", "references": ["http://www.nessus.org/u?e8c930d6"], "pluginID": "10948", "description": "The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "edition": 7, "reporter": "Tenable", "history": [], "published": "2002-05-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}, "dependencies": {"references": [{"idList": ["POP3_OVERFLOW.NASL"], "type": "nessus"}, {"idList": ["CVE-2001-1046"], "type": "cve"}, {"idList": ["OSVDB:776"], "type": "osvdb"}, {"idList": ["OPENVAS:10948", "OPENVAS:136141256231010948"], "type": "openvas"}], "modified": "2019-01-16T20:05:15"}}, "title": "Qpopper .qpopper-options Username Handling Overflow", "type": "nessus", "objectVersion": "1.3", "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1046"], "cpe": [], "modified": "2018-08-22T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10948", "id": "QPOPPER2.NASL", "viewCount": 2, "sourceData": "#\n# This script was written by Thomas reinke <reinke@securityspace.com>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - description moved, bugfix [RD]\n# - Revised plugin title (8/6/09)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10948);\n script_version (\"1.18\");\n script_cve_id(\"CVE-2001-1046\");\n script_bugtraq_id(2811);\n\n script_name(english:\"Qpopper .qpopper-options Username Handling Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by a remote buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\" );\n # https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8c930d6\" );\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known solution at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/05/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/04/20\");\n script_cvs_date(\"Date: 2018/08/22 16:49:14\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Thomas Reinke\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_hole(port);\n }\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "hashmap": [{"hash": "494788acae05b0531a634d496633a677", "key": "sourceData"}, {"hash": "6e04df31f1bbb1c02666d0dfa3638f76", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "17762a209a2c8428802b5ba2f988e880", "key": "cvelist"}, {"hash": "71bc5ce2c6c2082eec188cd6e47cddff", "key": "modified"}, {"hash": "eaabff64c0b327ace227cfdee8caea1a", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "a6c7c492d294f080743f079ba96d4f5e", "key": "description"}, {"hash": "4c7ad6b3401702531bcd393314d86001", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3aec5110fd8334348304f772f06b3fca", "key": "href"}, {"hash": "56a4e00ad279376720ace8803762cd32", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "hash": "164ce9661e1d2b5638a6f63a3a8de960abfeef54a4993d8e0a5228f0c2923000"}}, {"lastseen": "2018-08-30T19:48:24", "edition": 5, "differentElements": ["cvss"], "bulletin": {"lastseen": "2018-08-30T19:48:24", "references": ["http://www.nessus.org/u?e8c930d6"], "pluginID": "10948", "description": "The remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user's ~/.qpopper-options file. A local user can cause a buffer overflow by setting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "edition": 5, "reporter": "Tenable", "history": [], "published": "2002-05-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "Qpopper .qpopper-options Username Handling Overflow", "type": "nessus", "objectVersion": "1.3", "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1046"], "cpe": [], "modified": "2018-08-22T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10948", "id": "QPOPPER2.NASL", "viewCount": 2, "sourceData": "#\n# This script was written by Thomas reinke <reinke@securityspace.com>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - description moved, bugfix [RD]\n# - Revised plugin title (8/6/09)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10948);\n script_version (\"1.18\");\n script_cve_id(\"CVE-2001-1046\");\n script_bugtraq_id(2811);\n\n script_name(english:\"Qpopper .qpopper-options Username Handling Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by a remote buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\" );\n # https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8c930d6\" );\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known solution at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/05/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/04/20\");\n script_cvs_date(\"Date: 2018/08/22 16:49:14\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Thomas Reinke\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_hole(port);\n }\n}\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}, "hashmap": [{"hash": "494788acae05b0531a634d496633a677", "key": "sourceData"}, {"hash": "6e04df31f1bbb1c02666d0dfa3638f76", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "17762a209a2c8428802b5ba2f988e880", "key": "cvelist"}, {"hash": "71bc5ce2c6c2082eec188cd6e47cddff", "key": "modified"}, {"hash": "eaabff64c0b327ace227cfdee8caea1a", "key": "references"}, {"hash": "4c7ad6b3401702531bcd393314d86001", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6f82ce60af0183bb67f29d2952920b0a", "key": "description"}, {"hash": "3aec5110fd8334348304f772f06b3fca", "key": "href"}, {"hash": "56a4e00ad279376720ace8803762cd32", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "hash": "f7f2916f861be3b12b2b030f24fdde5a6f86c027bfd96d35e6c9635e69f71d8e"}}, {"lastseen": "2018-07-30T14:06:23", "edition": 3, "differentElements": ["modified", "sourceData"], "bulletin": {"lastseen": "2018-07-30T14:06:23", "references": ["http://www.nessus.org/u?e8c930d6"], "pluginID": "10948", "description": "The remote Qpopper server, according to its banner, is running version 4.0.3 or version 4.0.4. These versions are vulnerable to a buffer overflow if they are configured to allow the processing of a user's ~/.qpopper-options file. A local user can cause a buffer overflow by setting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "edition": 3, "reporter": "Tenable", "history": [], "published": "2002-05-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "Qpopper .qpopper-options Username Handling Overflow", "type": "nessus", "objectVersion": "1.3", "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1046"], "cpe": [], "modified": "2018-07-25T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10948", "id": "QPOPPER2.NASL", "viewCount": 1, "sourceData": "#\n# This script was written by Thomas reinke <reinke@securityspace.com>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - description moved, bugfix [RD]\n# - Revised plugin title, added OSVDB ref (8/6/09)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10948);\n script_version (\"1.17\");\n script_cve_id(\"CVE-2001-1046\");\n script_bugtraq_id(2811);\n\n script_name(english:\"Qpopper .qpopper-options Username Handling Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by a remote buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\" );\n # https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8c930d6\" );\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known solution at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/05/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/04/20\");\n script_cvs_date(\"Date: 2018/07/25 18:58:04\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Thomas Reinke\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_hole(port);\n }\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "hashmap": [{"hash": "6e04df31f1bbb1c02666d0dfa3638f76", "key": "pluginID"}, {"hash": "8825cfcc6a68eb22807158b2fdce98f8", "key": "modified"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "17762a209a2c8428802b5ba2f988e880", "key": "cvelist"}, {"hash": "eaabff64c0b327ace227cfdee8caea1a", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "4c7ad6b3401702531bcd393314d86001", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6f82ce60af0183bb67f29d2952920b0a", "key": "description"}, {"hash": "3aec5110fd8334348304f772f06b3fca", "key": "href"}, {"hash": "56a4e00ad279376720ace8803762cd32", "key": "title"}, {"hash": "d50083a9594fabfdce7457ce8c2e1e10", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "hash": "90352aae8b0b27f7d14fd8f85aefa30b4504640decec1abcf6812f34ed687cc9"}}], "edition": 8, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "17762a209a2c8428802b5ba2f988e880"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "6f82ce60af0183bb67f29d2952920b0a"}, {"key": "href", "hash": "3aec5110fd8334348304f772f06b3fca"}, {"key": "modified", "hash": "71bc5ce2c6c2082eec188cd6e47cddff"}, {"key": "naslFamily", "hash": "f988dc6e0b4d047c838adcca890ea132"}, {"key": "pluginID", "hash": "6e04df31f1bbb1c02666d0dfa3638f76"}, {"key": "published", "hash": "4c7ad6b3401702531bcd393314d86001"}, {"key": "references", "hash": "eaabff64c0b327ace227cfdee8caea1a"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "494788acae05b0531a634d496633a677"}, {"key": "title", "hash": "56a4e00ad279376720ace8803762cd32"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "d26524c50c9ca96c11d6a8fe171389083d7a298fc6543b124fb1419234d3c53c", "viewCount": 2, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [{"idList": ["POP3_OVERFLOW.NASL"], "type": "nessus"}, {"idList": ["CVE-2001-1046"], "type": "cve"}, {"idList": ["OSVDB:776"], "type": "osvdb"}, {"idList": ["OPENVAS:10948", "OPENVAS:136141256231010948"], "type": "openvas"}], "modified": "2019-01-16T20:05:15"}, "vulnersScore": 7.2}, "objectVersion": "1.3", "sourceData": "#\n# This script was written by Thomas reinke <reinke@securityspace.com>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - description moved, bugfix [RD]\n# - Revised plugin title (8/6/09)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10948);\n script_version (\"1.18\");\n script_cve_id(\"CVE-2001-1046\");\n script_bugtraq_id(2811);\n\n script_name(english:\"Qpopper .qpopper-options Username Handling Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by a remote buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Qpopper server, according to its banner, is running version\n4.0.3 or version 4.0.4. These versions are vulnerable to a buffer\noverflow if they are configured to allow the processing of a user's \n~/.qpopper-options file. A local user can cause a buffer overflow by \nsetting the 'bulldir' variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\" );\n # https://web.archive.org/web/20020220095916/http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8c930d6\" );\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known solution at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/05/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/04/20\");\n script_cvs_date(\"Date: 2018/08/22 16:49:14\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Thomas Reinke\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_hole(port);\n }\n}\nexit(0);\n", "naslFamily": "Misc.", "pluginID": "10948", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2017-10-10T10:34:45", "bulletinFamily": "NVD", "description": "Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2 allows remote attackers to gain privileges via a long username.", "modified": "2017-10-09T21:29:58", "published": "2001-06-02T00:00:00", "id": "CVE-2001-1046", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1046", "title": "CVE-2001-1046", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-12-08T11:44:12", "bulletinFamily": "scanner", "description": "The remote qpopper server, according to its banner, is\nrunning version 4.0.3 or version 4.0.4. These versions\nare vulnerable to a buffer overflow if they are configured\nto allow the processing of a user's ~/.qpopper-options file.\nA local user can cause a buffer overflow by setting the\nbulldir variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=10948", "id": "OPENVAS:10948", "title": "qpopper options buffer overflow", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: qpopper2.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: qpopper options buffer overflow\n#\n# Authors:\n# Thomas reinke <reinke@securityspace.com>\n# Changes by rd: description moved, bugfix\n#\n# Copyright:\n# Copyright (C) 2002 Thomas Reinke\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_solution = \"Upgrade to the latest version, or disable\nprocessing of user option files.\";\n\ntag_summary = \"The remote qpopper server, according to its banner, is\nrunning version 4.0.3 or version 4.0.4. These versions\nare vulnerable to a buffer overflow if they are configured\nto allow the processing of a user's ~/.qpopper-options file.\nA local user can cause a buffer overflow by setting the\nbulldir variable to something longer than 256 characters.\n\n*** This test could not confirm the existence of the\n*** problem - it relied on the banner being returned.\";\n\nif(description)\n{\n script_id(10948);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(2811);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2001-1046\");\n name = \"qpopper options buffer overflow\";\n script_name(name);\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n \n script_copyright(\"This script is Copyright (C) 2002 Thomas Reinke\");\n \n family = \"Buffer overflow\";\n \n script_family(family);\n script_dependencies(\"find_service.nasl\");\n script_require_ports(\"Services/pop3\", 110);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/pop3\");\nif(!port)port = 110;\n\nbanner = get_kb_item(string(\"pop3/banner/\", port));\nif(!banner)\n{\n if(get_port_state(port))\n {\n\tsoc = open_sock_tcp(port);\n\tif(!soc)exit(0);\n\tbanner = recv_line(socket:soc, length:4096);\n }\n}\n\nif(banner)\n{\n \n if(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE))\n {\n\tsecurity_message(port);\n }\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-28T12:05:58", "bulletinFamily": "scanner", "description": "The remote qpopper server, according to its banner, is\n running version 4.0.3 or version 4.0.4. These versions\n are vulnerable to a buffer overflow if they are configured\n to allow the processing of a user", "modified": "2019-01-25T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010948", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010948", "title": "qpopper options buffer overflow", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: qpopper2.nasl 13293 2019-01-25 12:15:55Z cfischer $\n# Description: qpopper options buffer overflow\n#\n# Authors:\n# Thomas reinke <reinke@securityspace.com>\n# Changes by rd: description moved, bugfix\n#\n# Copyright:\n# Copyright (C) 2002 Thomas Reinke\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10948\");\n script_version(\"$Revision: 13293 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-01-25 13:15:55 +0100 (Fri, 25 Jan 2019) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(2811);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2001-1046\");\n script_name(\"qpopper options buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2002 Thomas Reinke\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"popserver_detect.nasl\");\n script_require_ports(\"Services/pop3\", 110, 995);\n script_mandatory_keys(\"pop3/qpopper/detected\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the latest version, or disable\n processing of user option files.\");\n\n script_tag(name:\"summary\", value:\"The remote qpopper server, according to its banner, is\n running version 4.0.3 or version 4.0.4. These versions\n are vulnerable to a buffer overflow if they are configured\n to allow the processing of a user's ~/.qpopper-options file.\");\n\n script_tag(name:\"impact\", value:\"A local user can cause a buffer overflow by setting the\n bulldir variable to something longer than 256 characters.\");\n\n script_tag(name:\"vuldetect\", value:\"This test could not confirm the existence of the problem - it relied on the banner being returned.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pop3_func.inc\");\n\nport = get_pop3_port(default:110);\nbanner = get_pop3_banner(port:port);\nif(!banner || \"Qpopper\" >!< banner)\n exit(0);\n\nif(ereg(pattern:\".*Qpopper.*version (4\\.0\\.[34]).*\", string:banner, icase:TRUE)) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "## Vulnerability Description\nThis host is running the Qpopper POP3 mail server. This mail server is vulnerable to a buffer overflow attack in the user option file processing routines. A local user can create a malformed '.qpopper-options' file to execute arbitrary code on this host. A potential intruder can use this to gain root level privileges.\n## Solution Description\nThe vendor has released a patch that fixes this issue. Please upgrade to that latest version of Qpopper available from http://www.eudora.com/qpopper/.\n## Short Description\nThis host is running the Qpopper POP3 mail server. This mail server is vulnerable to a buffer overflow attack in the user option file processing routines. A local user can create a malformed '.qpopper-options' file to execute arbitrary code on this host. A potential intruder can use this to gain root level privileges.\n## References:\nISS X-Force ID: 6647\n[CVE-2001-1046](https://vulners.com/cve/CVE-2001-1046)\nBugtraq ID: 2811\n", "modified": "2001-04-20T00:00:00", "published": "2001-04-20T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:776", "id": "OSVDB:776", "title": "Qpopper Options File Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:07:39", "bulletinFamily": "scanner", "description": "The remote POP3 server might be vulnerable to a buffer overflow bug when it is issued at least one of these commands, with a too long argument :\n\n AUTH USER PASS\n\nIf confirmed, this problem might allow an attacker to execute arbitrary code on the remote system.", "modified": "2018-11-15T00:00:00", "id": "POP3_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10184", "published": "1999-06-22T00:00:00", "title": "Multiple Vendor POP3 Remote Overflows", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>\n# Erik Anderson <eanders@carmichaelsecurity.com>\n# This one script can and does test for numerous BugIDs and CVEs. Added reference\n# links to all posted vulnerabilities with boundary lengths less than\n# the currrent script value of 2048.\n# All of these posted in the Bugtraq Database appear vulnerable (not tested).\n# Links are current up to 11/16/2002\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10184);\n script_version(\"1.56\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-1999-0822\", \"CVE-2000-0091\", \"CVE-2001-0776\", \"CVE-2001-1046\", \"CVE-2002-0454\", \"CVE-2002-0799\", \"CVE-2002-1781\");\n script_bugtraq_id(2781, 2811, 4055, 4295, 4789, 790, 830, 942);\n\n script_name(english:\"Multiple Vendor POP3 Remote Overflows\");\n script_summary(english:\"Attempts to overflow the in.pop3d buffers\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"Arbitrary code may be run on the remote server.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote POP3 server might be vulnerable to a buffer overflow bug\nwhen it is issued at least one of these commands, with a too long\nargument :\n\n AUTH USER PASS\n\nIf confirmed, this problem might allow an attacker to execute\narbitrary code on the remote system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"If you do not use POP3, disable this service. Otherwise, upgrade to a\nnewer version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"see_also\", value:\"http://web.archive.org/web/20030217185907/http://online.securityfocus.com:80/archive/1/27197\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"1999/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"1999/06/22\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gain a shell remotely\");\n\n script_dependencie(\"find_service1.nasl\", \"qpopper.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/pop3\", 110);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nto = get_read_timeout();\n\nport = get_service(svc: \"pop3\", default: 110, exit_on_fail: 1);\nfake = get_kb_item(\"pop3/\"+port+\"/false_pop3\");\nif(fake)exit(0);\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n d = recv_line(socket:soc, length:1024);\n if (!d || d !~ '^\\\\+OK') { close(soc); exit(0); }\t# Not a POP3 server\n if ( egrep(pattern:\"Qpopper.*4\", string:d) ) exit(0);\n\n c = strcat('AUTH ', crap(2048), '\\r\\n');\n send(socket:soc, data:c);\n d = recv_line(socket:soc, length:1024, timeout: 3*to);\n if(!d)security_hole(port);\n else {\n\tif ( \"-ERR Input buffer full, aborting\" >< d ) exit(0, \"Dovecot - not vulnerable\");\n \tc = strcat('USER ', crap(1024), '\\r\\n');\n\tsend(socket:soc, data:c);\n\td = recv_line(socket:soc, length:1024, timeout: 3*to);\n\tif(!d)security_hole(port);\n\telse\n\t{\n\t if ( \"-ERR Input buffer full, aborting\" >< d ) exit(0, \"Dovecot - not vulnerable\");\n\t c = strcat('PASS ', crap(1024), '\\r\\n');\n\t send(socket:soc, data:c);\n\t d = recv_line(socket:soc, length:1024, timeout: 3*to);\n\t if(!d)security_hole(port);\n\t}\n }\n close(soc);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
