POP2/POP3 server predictable lock file names denial of service
| pop-predictable-lockfile (4335) |  Low Risk |
Description:
Various POP2/POP3 servers, such as the imap-uw package developed by the University of Washington and qpopper, create lock files with predictable names. The algorithm used to lock mailbox files could allow an unauthorized local user to lock mailboxes of other users.
Platforms Affected:
- FreeBSD, FreeBSD 4.0
- Qualcomm, Qpopper 2.53
- Qualcomm, Qpopper 3.0
- RedHat, Linux 6.1
- RedHat, Linux 6.2
- University of Washington, imap 4.5
Remedy:
No remedy available as of November 15, 2008.
Consequences:
Denial of Service
References:
- BugTraq Mailing List, Thu Apr 20 2000 - 11:23:28 CDT, pop3 at http://archives.neohapsis.com/archives/bugtraq/2000-04/0151.html.
- BugTraq Mailing List, Wed Apr 19 2000 - 19:54:04 CDT, pop3d/imap DOS (while we're on the subject) at http://archives.neohapsis.com/archives/bugtraq/2000-04/0128.html.
- FreeBSD Security Advisory FreeBSD-SA-00:15, imap-uw allows local users to deny service to any mailbox at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:15.imap-uw.asc.
- BID-1132: Multiple Vendor popd Lock File Denial of Service Vulnerability
- CVE-2000-1197: POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and other operating systems creates lock files with predictable names, which allows local users to cause a denial of service (lack of mail access) for other users by creating lock files for other mail boxes.
- CVE-2000-1198: qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes.
Reported:
Apr 24, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net