Note: The red stoplight on this page indicates the highest possible severity level for this category of vulnerabilities. The severity level in any given instance is indicated by the colored dot preceding the link to this tutorial.
POP (Post Office Protocol) was designed to support offline mail processing. That is, the client connects to the server to download mail that the server is holding for the client. The mail is deleted from the server and is handled offline (locally) on the client machine.
Vulnerable versions of POP include University of Washington ipop2 versions prior to 2.3(32) and ipop3 version 3.3(27) or older, QPOP versions 2.5 or older and beta versions 3.0b20 or older, and others. Unrelated but similar vulnerabilities affect QVT/Net popd 4.20 (part of the QVT/Net 5.0 suite) and earlier, and Mercury MTA for NetWare when running Mercury prior to 1.48 or NetWare prior to 4.11. See the advisories listed at the bottom of this tutorial for a complete list of vulnerable POP servers.
CVE 2000-0442
A more recent vulnerability has been discovered which affects QPOP versions 2.53 and older. The euidl command does not properly validate user input. This command could be used with a specially crafted e-mail message to gain shell access to the server with privileges of the mail group. A valid account name and password would be required to exploit this vulnerability.
Until you can take one of the above actions, temporarily disable the POP service. On many systems, you will need to edit the /etc/inetd.conf file. However, you should check your vendor's documentation because systems vary in file location and the exact changes required (for example, sending the inetd process a HUP signal or killing and restarting the daemon). If you are not able to temporarily disable the POP service, then you should at least limit access to the vulnerable services to machines in your local network. This can be done by installing TCP wrappers, not only for logging but also for access control. Note: Even with access control via TCP wrappers, you are still vulnerable to attacks from hosts that are allowed to connect to the vulnerable POP service.
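The interim mitigation above can be checked mechanically. The following script is an added example, not part of the original tutorial: it finds enabled POP entries in an inetd.conf, flags those not started through tcpd, and prints a copy of the file with POP commented out. The sample file, its daemon paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for enabled POP services.
# inetd.conf fields: service socket proto wait user server_program args...

# Constructed sample file; daemon paths are assumptions, not from the advisory.
sample_conf() {
    cat <<'EOF'
ftp     stream tcp nowait root /usr/sbin/tcpd   in.ftpd
pop-2   stream tcp nowait root /usr/sbin/ipop2d ipop2d
pop3    stream tcp nowait root /usr/sbin/tcpd   ipop3d
#pop3   stream tcp nowait root /usr/sbin/popper popper -s
imap    stream tcp nowait root /usr/sbin/imapd  imapd
EOF
}

# Print enabled POP lines. A commented-out entry has "#..." as its first
# field, so it never matches the service-name pattern.
pop_entries() {
    awk '$1 ~ /^pop-?[23]$/' "$1"
}

# Print enabled POP lines that inetd starts directly, i.e. whose server
# program (field 6) is not tcpd, so hosts.allow/hosts.deny are not consulted.
unwrapped_pop() {
    pop_entries "$1" | awk '$6 !~ "(^|/)tcpd$"'
}

# Write the file to stdout with every enabled POP line commented out.
# Install the result and have inetd re-read it as your vendor documents.
disable_pop() {
    awk '$1 ~ /^pop-?[23]$/ { print "#" $0; next } { print }' "$1"
}

conf=$(mktemp)
sample_conf > "$conf"
echo "Enabled POP services:";            pop_entries "$conf"
echo "Not behind a TCP wrapper:";        unwrapped_pop "$conf"
echo "Proposed file with POP disabled:"; disable_pop "$conf"
rm -f "$conf"
```

For entries that are started through tcpd, access is then limited in the TCP wrappers rule files, for example `ipop3d: 192.168.1.` in hosts.allow and `ipop3d: ALL` in hosts.deny (the network prefix is a constructed value).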