CVE-2000-0284
published 2000-04-16

CVE-2000-0284: Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands.

Priority: P3 (45)
Severity: high, CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 69.48% (99.3rd percentile)

Affected (1 range)

Vendor: university_of_washington
Product: imap
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 143
command: a002 LSUB "" {1064}
command: 1 LSUB "" {1064}
command: sprintf(buf,"1 LOGIN %s %s\r\n1 LSUB \"\" {1064}\r\n",argv[2],argv[3]);
version: IMAP4rev1 v12.264
path: /var/spool/mail
bytes: \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
bytes: \x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd\x5f\xc6\x45\xde\x5f
  • Detect IMAP LSUB command with a literal argument of 1064 bytes ({1064}), which is the exact overflow trigger size used by all known exploits for CVE-2000-0284.
  • Flag IMAP sessions where an LSUB, LIST, COPY, RENAME, or FIND command is followed immediately by a large literal (>= 1064 bytes) — all these commands are confirmed overflow vectors.
  • Alert on IMAP banner matching 'IMAP4rev1 v12.264' or 'IMAP4rev1 v12.261' or '2000.284' — these are the confirmed vulnerable versions.
  • Monitor for NOP sled patterns (0x90 repeated) followed by shellcode in IMAP literal data streams on port 143, consistent with stack-based buffer overflow exploitation.
  • Detect IMAP PARTIAL command with an oversized BODY argument containing non-printable/binary data — used as an alternative overflow vector in the TESO exploit.
  • Exploitation requires valid IMAP credentials; correlate successful LOGIN events immediately followed by anomalous LSUB/LIST/COPY/RENAME/FIND commands with large literals as a high-fidelity detection pattern.
  • Exploitation requires a valid account on the target system; unauthenticated remote exploitation is not possible. Detection rules should account for the mandatory LOGIN step before the malicious command.
  • The Metasploit bruteforce target uses a return address range (0xbffffdfc to 0xbfa00000, step 200), meaning exploit traffic may appear as many repeated LSUB connections with slightly varying payloads rather than a single attempt.
  • Bad characters excluded from payload differ between exploit variants: the original Metasploit module excludes \x00\x0a\x0d, while the updated version also excludes \x2f (forward slash). Signature-based detection must account for both payload encodings.
  • Privileges are dropped in imapd before the vulnerable code path is reached, so successful exploitation yields only the privilege level of the authenticated user, not root.
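The detection rules above (large literal after LSUB/LIST/COPY/RENAME/FIND, correlation with a preceding successful LOGIN, and the vulnerable banner strings) can be expressed as a small session analyzer. The code below is an added example written for this page, not part of the CVE record or any vendor tool. It assumes a constructed transcript format in which server lines are prefixed "S:" and client lines "C:" (literal bodies omitted); the rule names, the `Finding` class and `analyze_session` are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample transcript, not a real capture. "S:" lines are server
# output, "C:" lines are client commands; literal bodies themselves are omitted.
SAMPLE_SESSION = """\
S: * OK localhost IMAP4rev1 v12.264 server ready
C: a001 LOGIN alice secret
S: a001 OK LOGIN completed
C: a002 LSUB "" {1064}
S: + Ready for literal data
C: a003 LIST "" {40}
S: + Ready for literal data
C: a004 RENAME inbox {2048}
"""

LITERAL_THRESHOLD = 1064   # ">= 1064 bytes" rule from the detection notes
EXACT_TRIGGER = 1064       # exact literal size used by the known exploits
OVERFLOW_COMMANDS = {"LSUB", "LIST", "COPY", "RENAME", "FIND"}
VULNERABLE_BANNERS = ("IMAP4rev1 v12.264", "IMAP4rev1 v12.261", "2000.284")

# "<tag> <COMMAND> <rest>" and a trailing "{N}" or "{N+}" literal announcement
CMD_RE = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?P<rest>.*)$")
LITERAL_RE = re.compile(r"\{(?P<n>\d+)\+?\}\s*$")


@dataclass
class Finding:
    rule: str      # which detection rule fired (names are this example's own)
    line: str      # the transcript line that triggered it
    detail: str


def analyze_session(transcript: str) -> list:
    """Walk one IMAP session line by line and return detection findings."""
    findings = []
    pending_login_tag = None   # tag of a LOGIN awaiting its server reply
    authenticated = False
    for raw in transcript.splitlines():
        side, _, line = raw.partition(" ")
        line = line.strip()
        if side == "S:":
            # Banner check: untagged greeting naming a known vulnerable build
            if line.startswith("* OK") and any(b in line for b in VULNERABLE_BANNERS):
                findings.append(Finding("vulnerable_banner", line,
                                        "banner matches a known vulnerable UW imapd build"))
            # A tagged OK for the outstanding LOGIN marks the session authenticated
            elif pending_login_tag and line.startswith(pending_login_tag + " OK"):
                authenticated = True
                pending_login_tag = None
            continue
        if side != "C:":
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        tag, cmd = m.group("tag"), m.group("cmd").upper()
        if cmd == "LOGIN":
            pending_login_tag = tag
            continue
        if cmd not in OVERFLOW_COMMANDS:
            continue
        lit = LITERAL_RE.search(m.group("rest"))
        if not lit:
            continue
        size = int(lit.group("n"))
        if size < LITERAL_THRESHOLD:
            continue
        # Post-LOGIN large literals are the high-fidelity pattern; the same
        # command before authentication is still reported, at lower confidence.
        rule = "post_login_large_literal" if authenticated else "large_literal_unauthenticated"
        detail = f"{cmd} with {size}-byte literal"
        if size == EXACT_TRIGGER:
            detail += " (exact trigger size seen in known exploits)"
        findings.append(Finding(rule, line, detail))
    return findings


if __name__ == "__main__":
    for f in analyze_session(SAMPLE_SESSION):
        print(f"[{f.rule}] {f.detail}: {f.line}")
```

On the constructed transcript this reports the vulnerable banner, the 1064-byte LSUB literal flagged at the exact trigger size, and the 2048-byte RENAME literal; the 40-byte LIST literal is ignored. The PARTIAL/BODY rule and the NOP-sled rule from the list are not implemented here because they need the literal bodies, which a command-line view like this one does not carry.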