Linux distributions running old pop3d 1.00.4


    Following info  is based  on Corinne  Posse Security  Notice Issue
    Number 4.   Systems running OLD  versions of pop3d,  namely 1.00.4
    based versions  on the  "original" BSD  4.3 Virtual  VAX pop3d  by
    Katie Stevens  are vulnerable.  In addition,  it is  believed this
    includes  many  older  Linux  distributions,  as  many early Linux
    pop3ds  were  basnf   of  this  version.    It  is  unknow   which
    distributions would be  guilty of having  this daemon, or  at what
    point in time they stopped using it.  See:

    and follow following path:


    for  a  copy  of  the  source  code  that was examined to find the
    problem.   This  code  has  not  been  changed as of pop3d-1.005e,
    which was released January 19, 1997, and thus it still appears  to
    be vulnerable.  This  is the latest release  of the BSD 4.3  based

    The problem  lies in  the routine  used to  read in  the username.
    This  problem  is  exactly  like  the vulnerability SNI found with
    imapd, except a different software package and strangely  similar,
    yet different code.  A malicious user  can easily cause  arbitrary
    execution from the stack (as root, since most pop3 daemons run  as
    root) provided they have good  motivation and know what the  stack
    looks like.  The offending code follows:

    char cli_user[CLI_BUFSIZ];  /* CLI_BUFSIZE is a whole 128 characters! */
    char *inbuf

            if (strncmp(inbuf,"user",4) == 0) {
                    inbuf += 4;

    from  "main.c"  (around  line  155  of  main.c,  depending on your

    This vulnerability was found and released by Jonathan Katz.


    The  obvious  fix  is  to  upgrade  to pop3d software that is more
    recent/reliable, or to tinker with  the code yourself.  Check  for
    1.005f on: