CVE-1999-0920
Published 1999-05-26. CVE-1999-0920: Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command.
Priority: P3 · 47 · critical · CVSS 2.0 base score 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public · EPSS: 32.37% (98.1th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| university_of_washington | imap | — | — |
Detection & IOCs (extracted from sources)
Shellcode bytes (Linux x86, from the public exploit):
\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
Detection guidance:
- Alert on POP2 (TCP/109) FOLD commands whose argument exceeds roughly 986 to 1000 bytes; this is the stack-based buffer overflow path in ipop2d.
- Monitor for the exploit's HELO sequence followed immediately by an oversized FOLD command on TCP/109. The published exploit sends HELO with a host:user pass argument and then FOLD with a ~986-byte NOP sled plus shellcode.
- Scan TCP/109 traffic for the Linux x86 shellcode prefix \xeb\x1f\x5e\x89\x76\x08\x31\xc0, the start of the exploit's execve(/bin/sh) payload.
- The Metasploit auxiliary module abuses the same FOLD command for arbitrary file retrieval; flag authenticated POP2 sessions that issue FOLD with a path-like argument (for example one containing '/') to read world- or group-readable files.
Caveats:
- The file-retrieval variant (Metasploit module) requires a valid username and password for the POP account; it cannot be exploited anonymously.
- The stack return address used in the exploit (0xbffff3c0) is Linux x86-specific and may need offset tuning; the exploit accepts an offset argument for this.
- Successful exploitation of the overflow yields only the 'nobody' user's privileges, not root, because ipop2d's anonymous_login() drops its uid before the FOLD command is processed.
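The detection items above, turned into a small offline checker over a client-to-server POP2 byte stream. This is an added example, not code from the page's sources or from the UW IMAP project. It assumes a pre-extracted client stream (no server replies), treats a preceding HELO as the sign of an authenticated session, and uses the 986-byte figure from the IOC list as the oversize threshold; the three sample sessions are constructed here for illustration.

```python
# POP2 (TCP/109) session checker for the CVE-1999-0920 indicators.
# Added example; the sessions below are constructed, not captured traffic.

# Shellcode prefix quoted in the IOC list (execve(/bin/sh) payload of the public exploit).
SHELLCODE_PREFIX = b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
# Full payload as listed on the page, used only to build the constructed sample.
SHELLCODE_FULL = (
    b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    b"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    b"\x80\xe8\xdc\xff\xff\xff/bin/sh"
)
# Assumed threshold, taken from the "~986-1000 bytes" figure in the IOC list.
FOLD_OVERFLOW_LEN = 986


def parse_pop2_client_lines(raw: bytes):
    """Split a client byte stream into (COMMAND, argument) tuples.

    POP2 commands are CRLF-terminated and the command word is the first token.
    Bytes are kept as bytes so a binary FOLD argument is not mangled.
    """
    cmds = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        parts = line.split(b" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else b""
        cmds.append((cmd, arg))
    return cmds


def analyze_pop2_session(raw: bytes):
    """Return the list of indicator names that fire for one client stream.

    Indicators (from the page's detection list):
      fold_oversized            FOLD argument at or above FOLD_OVERFLOW_LEN
      helo_then_oversized_fold  oversized FOLD directly after HELO
      linux_x86_shellcode       shellcode prefix anywhere in a FOLD argument
      fold_path_traversal       authenticated (post-HELO) FOLD with a '/' in it
    """
    alerts = []
    cmds = parse_pop2_client_lines(raw)
    saw_helo = False
    for i, (cmd, arg) in enumerate(cmds):
        if cmd == b"HELO":  # HELO carries the credentials in POP2
            saw_helo = True
            continue
        if cmd != b"FOLD":
            continue
        oversized = len(arg) >= FOLD_OVERFLOW_LEN
        if oversized:
            alerts.append("fold_oversized")
            if i > 0 and cmds[i - 1][0] == b"HELO":
                alerts.append("helo_then_oversized_fold")
        elif saw_helo and b"/" in arg:
            # File-retrieval variant: a folder name that is really a path.
            alerts.append("fold_path_traversal")
        if SHELLCODE_PREFIX in arg:
            alerts.append("linux_x86_shellcode")
    return alerts


# Constructed sample sessions (hypothetical user "alice", hypothetical paths).
BENIGN_SESSION = b"HELO alice secret\r\nFOLD INBOX\r\nREAD\r\nQUIT\r\n"
RET_ADDR = (0xBFFFF3C0).to_bytes(4, "little")  # return address from the exploit
OVERFLOW_SESSION = (
    b"HELO alice secret\r\nFOLD "
    + b"\x90" * 930 + SHELLCODE_FULL + RET_ADDR * 10
    + b"\r\n"
)
FILE_READ_SESSION = b"HELO alice secret\r\nFOLD /etc/passwd\r\nREAD\r\nQUIT\r\n"

if __name__ == "__main__":
    for name, sess in [("benign", BENIGN_SESSION),
                       ("overflow", OVERFLOW_SESSION),
                       ("file-read", FILE_READ_SESSION)]:
        print(name, analyze_pop2_session(sess))
```

The check keys on the client side only, so it cannot confirm that the HELO actually succeeded; on real traffic, pair it with the server's "+OK" to cut false positives, and note that a FOLD argument could legitimately contain bytes equal to CRLF or space in an encoded mailbox name, which this simple line splitter would break apart.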
No detection rules found.
Exploit-DB: University of Washington pop2d 4.4 - Remote Buffer Overflow (exploitdb · 1999-05-26)
// source: https://www.securityfocus.com/bid/283/info
A buffer overflow vulnerability in pop2d version 4.4 or earlier allows malicious remote users to obtain access to the "nobody" user account.
The pop2 and pop3 servers support the concept of an "anonymous proxy", whereby a remote user connecting to the server can instruct it to open an IMAP mailbox on some other server on which they have a valid account. In this state the pop2 server runs under the "nobody" user id.
Once logged on, issuing a FOLD command with an argument of about 1000 bytes causes a stack-based buffer overflow.
/*
* Sekure SDI (Brazilian Information Security Team)
* ipop2d remote exploit for linux (Jun, 02 1999)
*
* by c0nd0r
*
* (read the instructions bel
Metasploit: UoW pop2d Remote File Retrieval Vulnerability
This module exploits a vulnerability in the FOLD command of the University of Washington ipop2d service. By specifying an arbitrary folder name it is possible to retrieve any file which is world or group readable by the user ID of the POP account. This vulnerability can only be exploited with a valid username and password. The From address is the file owner.
No writeups or analysis indexed.
Published: 1999-05-26