Unrated severity · NVD Advisory · Published Jan 21, 2000 · Updated Apr 16, 2026

CVE-2000-0091

Description

Buffer overflow in vpopmail's vchkpw POP3 authentication allows remote attackers to execute arbitrary code as root via long username or password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow vulnerability exists in the vchkpw authentication module of the vpopmail package [1], which is used for POP3 authentication in virtual email hosting environments. The flaw is triggered when a remote attacker supplies an overly long username or password during the POP3 authentication process. The affected software is vpopmail, a GPL-licensed tool for managing virtual email domains on qmail or Postfix servers [1]. The CVE description does not specify an exact version range, but the vulnerability was publicly disclosed in January 2000.

Exploitation

An attacker can exploit this vulnerability remotely without prior authentication. By connecting to the POP3 service and sending a crafted authentication request containing a username or password that exceeds the expected buffer length, the attacker can overflow the stack or heap buffer. No special network position is required beyond access to the POP3 port (typically 110). The attack does not require user interaction or any special privileges.

Impact

Successful exploitation allows the attacker to execute arbitrary code with root privileges, as the vchkpw process typically runs with elevated permissions. This results in full compromise of the mail server, including the ability to read, modify, or delete any email, access other system resources, and potentially pivot to other hosts on the network.

Mitigation

The available reference [1] does not provide a specific fix version or workaround. Administrators should upgrade to a patched version of vpopmail if available; otherwise, restrict access to the POP3 service using firewall rules or TCP wrappers until a patch can be applied. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.11:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.8:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:vpopmail:vchkpw_3.4.9:*:*:*:*:*:*:*
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
