CVE-2004-1520
Published: 2004-12-31

CVE-2004-1520: Stack-based buffer overflow in IPSwitch IMail 8.13 allows remote authenticated users to execute arbitrary code via a long IMAP DELETE command.

Priority: P3 · 51 · medium
CVSS 2.0: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 88.51% (99.8th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | imail | — | — |
Detection & IOCs (extracted from sources)

Byte patterns quoted from the exploit sources:
- bytes: \x74\x32\x75\x30
- bytes: \x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59
- bytes: \xe9\x05\xfd\xff\xff
- bytes: w00tw00t
Detection ideas:
- Detect oversized IMAP DELETE command arguments — the exploit sends 236+ bytes of padding followed by shellcode in the DELETE argument, far exceeding any legitimate mailbox name length.
- Detect IMAP DELETE commands where the argument contains only alphanumeric characters of excessive length (BadChars excludes non-alphanumeric), which is characteristic of the alphanumeric-encoded payload used against IMail 8.13.
- Detect IMAP AUTHENTICATE CRAM-MD5 responses containing a base64-encoded blob beginning with 'AAAA' followed by a large payload — characteristic of the MDaemon CRAM-MD5 overflow exploit.
- Detect IMAP sessions where a LOGOUT command is sent immediately after a failed/oversized AUTHENTICATE CRAM-MD5 exchange — the exploit deliberately sends LOGOUT to close the thread and trigger the exception.
- The vulnerability affects IPSwitch IMail versions up to and including 8.13; version 8.14 contains the patch. Alert on IMAP service banners advertising IMail 8.13 or earlier.

Caveats:
- Exploitation requires valid authenticated credentials — unauthenticated scanning/detection is insufficient; monitor authenticated IMAP sessions for anomalous DELETE argument lengths.
- The IMail DELETE exploit payload is constrained to printable ASCII characters (0x20–0x7e), so byte-level detection rules must account for alphanumeric-only encoded shellcode rather than high-entropy binary payloads.
- The return address 0x77364650 (comctl32.dll) is specific to Windows XP SP0; detections or mitigations tied to this address will not apply to other OS/patch-level targets.
- The MDaemon CRAM-MD5 overflow (also tagged CVE-2004-1520 in the Metasploit module) is a distinct attack vector from the IMail DELETE overflow; separate detection logic is needed for each service.
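As an added example (not part of this record or of the exploit sources it indexes), the following Python scans client-to-server IMAP command lines for the DELETE-argument and CRAM-MD5 heuristics listed above. The length thresholds and the sample session are constructed assumptions, not values from the sources.

```python
import re

# Thresholds are assumptions for illustration; tune them to the deployment.
MAX_MAILBOX_LEN = 128        # exploit pads with 236+ bytes; real mailbox names are far shorter
MIN_ALNUM_PAYLOAD_LEN = 64   # long, purely alphanumeric argument: encoded-shellcode pattern
MAX_CRAM_B64_LEN = 512       # a genuine CRAM-MD5 response is one short base64 line
IMAP_CMD = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*))?$")

def classify_delete_argument(arg):
    """Findings for the mailbox argument of one IMAP DELETE command."""
    mailbox = arg.strip()
    if len(mailbox) >= 2 and mailbox.startswith('"') and mailbox.endswith('"'):
        mailbox = mailbox[1:-1]  # strip one layer of IMAP quoting
    findings = []
    if len(mailbox) > MAX_MAILBOX_LEN:
        findings.append(f"oversized DELETE argument ({len(mailbox)} bytes)")
    if len(mailbox) >= MIN_ALNUM_PAYLOAD_LEN and mailbox.isascii() and mailbox.isalnum():
        findings.append("long alphanumeric-only DELETE argument (encoded-payload pattern)")
    return findings

def analyze_session(lines):
    """Scan client-to-server IMAP lines; return [(line_index, finding), ...]."""
    findings, awaiting_cram, cram_flagged = [], False, False
    for i, raw in enumerate(lines):
        line = raw.rstrip("\r\n")
        if awaiting_cram:  # this line is the client's CRAM-MD5 continuation response
            awaiting_cram = False
            if line.strip().startswith("AAAA") and len(line.strip()) > MAX_CRAM_B64_LEN:
                findings.append((i, "oversized CRAM-MD5 response beginning with 'AAAA'"))
                cram_flagged = True
            continue
        m = IMAP_CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group("cmd").upper(), m.group("arg") or ""
        if cmd == "DELETE":
            findings.extend((i, f) for f in classify_delete_argument(arg))
        elif cmd == "AUTHENTICATE" and arg.upper().startswith("CRAM-MD5"):
            awaiting_cram = True
        elif cmd == "LOGOUT" and cram_flagged:
            findings.append((i, "LOGOUT immediately after oversized CRAM-MD5 exchange"))
        cram_flagged = False  # only the command right after the exchange counts
    return findings

# Constructed sample session (not captured traffic): benign DELETE, padded
# alphanumeric DELETE, then an oversized CRAM-MD5 response followed by LOGOUT.
SAMPLE_SESSION = ["a001 LOGIN alice secret", 'a002 DELETE "Trash"',
                  "a003 DELETE " + "L" * 240, "a004 AUTHENTICATE CRAM-MD5",
                  "AAAA" + "Q" * 600, "a005 LOGOUT"]
```

Running `analyze_session(SAMPLE_SESSION)` flags the padded DELETE twice (oversized and alphanumeric-only), the CRAM-MD5 blob, and the LOGOUT that follows it, while the benign lines produce nothing.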
No detection rules found.
Exploit-DB
IPSwitch IMail IMAP4D - Delete Overflow (Metasploit)
exploitdb · 2010-09-20
---
```ruby
##
# $Id: imail_delete.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # (lines between the class header and the info hash are missing from the indexed copy)
      'Name'        => 'IMail IMAP4D Delete Overflow',
      'Description' => %q{
        This module exploits a buffer overflow in the 'DELETE'
        command of the IMail IMAP4D service. This vulnerability
        can only be exploited with a valid username and password.
        This flaw was patched in version 8.14.
      },
      'Author'      => [ 'spoonm' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 10394 $',
      'References'  =>
        [
          [ 'CVE',
# (listing truncated in the indexed copy)
```
Exploit-DB
MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit)
exploitdb · 2005-08-12
---
```ruby
##
# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # (lines between the class header and the info hash are missing from the indexed copy)
      'Name'        => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
      'Description' => %q{
        This module exploits a buffer overflow in the CRAM-MD5
        authentication of the MDaemon IMAP service. This
        vulnerability was discovered by Muts.
      },
      'Author'      => [ 'anonymous' ],
      'License'     => BSD_LICENSE,
      'Version'     => '$Revision: 9583 $',
      'References'  =>
        [
          [ 'CVE', '2004-1520'],
          [ 'OSVDB', '
# (listing truncated in the indexed copy)
```
Exploit-DB
IPSwitch IMail 8.13 - 'DELETE' Remote Stack Overflow
exploitdb · 2004-11-12
---
```perl
#!/usr/bin/perl -w
###################################
#
# IPSwitch-IMail-8.13-DELETE
#
# Discovered by : Muts
# Coded by : Zatlander
# WWW.WHITEHAT.CO.IL
#
##################################
#
# Plain vanilla stack overflow in the DELETE command
# Restrictions:
# - Need valid authentication credentials
# - Input buffer only allows characters between x20 -> x7e
#
# Credits:
# - http://www.metasploit.org - HD Moore for the metasploit shellcode
# - http://www.edup.tudelft.nl/~bjwever/menu.html - skylined for the ALPHA ascii shellcode generator
# - http://www.hick.org - for the syscall egghunt code in the paper "Understanding Windows Shellcode"
#
##################################
use IO::Socket;
use Getopt::Std;
use Mail::IMAPClient;
# (listing truncated in the indexed copy)
```
Metasploit
IMail IMAP4D Delete Overflow
This module exploits a buffer overflow in the 'DELETE' command of the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14.

Metasploit
Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow
This module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. This vulnerability was discovered by Muts.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=110037283803560&w=2
- http://secunia.com/advisories/13200
- http://www.securityfocus.com/bid/11675
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18058