CVE-2004-1520
published 2004-12-31

CVE-2004-1520: Stack-based buffer overflow in IPSwitch IMail 8.13 allows remote authenticated users to execute arbitrary code via a long IMAP DELETE command.

Priority: P351 · medium · 4.6 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT · EPSS: 88.51% (99.8th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
ipswitch | imail | |

Detection & IOCs (extracted from sources)

command: a001 authenticate cram-md5
command: A683 DELETE <overflow payload>
other: 0x77364650
other: 0x6921526A
port: 4444
bytes: \x74\x32\x75\x30
bytes: \x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59
bytes: \xe9\x05\xfd\xff\xff
bytes: w00tw00t

  • Detect oversized IMAP DELETE command arguments — the exploit sends 236+ bytes of padding followed by shellcode in the DELETE argument, far exceeding any legitimate mailbox name length.
  • Detect IMAP DELETE commands where the argument contains only alphanumeric characters of excessive length (BadChars excludes non-alphanumeric), which is characteristic of the alphanumeric-encoded payload used against IMail 8.13.
  • Detect IMAP AUTHENTICATE CRAM-MD5 responses containing a base64-encoded blob beginning with 'AAAA' followed by a large payload — characteristic of the MDaemon CRAM-MD5 overflow exploit.
  • Detect IMAP sessions where a LOGOUT command is sent immediately after a failed/oversized AUTHENTICATE CRAM-MD5 exchange — the exploit deliberately sends LOGOUT to close the thread and trigger the exception.
  • The vulnerability affects IPSwitch IMail versions up to and including 8.13; version 8.14 contains the patch. Alert on IMAP service banners advertising IMail 8.13 or earlier.
  • Exploitation requires valid authenticated credentials — unauthenticated scanning/detection is insufficient; monitor authenticated IMAP sessions for anomalous DELETE argument lengths.
  • The IMail DELETE exploit payload is constrained to printable ASCII characters (0x20–0x7e), so byte-level detection rules must account for alphanumeric-only encoded shellcode rather than high-entropy binary payloads.
  • The return address 0x77364650 (comctl32.dll) is specific to Windows XP SP0; detections or mitigations tied to this address will not apply to other OS/patch-level targets.
  • The MDaemon CRAM-MD5 overflow (also tagged CVE-2004-1520 in the Metasploit module) is a distinct attack vector from the IMail DELETE overflow; separate detection logic is needed for each service.
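
The oversized-DELETE checks from the list above, written as a line scanner over captured client-to-server IMAP traffic. This is an added example, not code from the sources this record cites; the 236-byte threshold reuses the padding length mentioned above, and the function names and sample session are constructed.

```python
import re

# Assumption: threshold taken from the 236-byte padding noted above; tune per site.
MAX_MAILBOX_LEN = 236
CMD_RE = re.compile(rb"^(\S+) +([A-Za-z]+)(?: +(.*))?$")   # tag SP command [SP args]
LITERAL_RE = re.compile(rb"^\{(\d+)\+?\}$")                # IMAP literal: {n} or {n+}

def classify_delete_arg(arg: bytes):
    """Return (length, kind) for a DELETE mailbox argument."""
    m = LITERAL_RE.match(arg)
    if m:  # payload follows on later lines; the declared size is what matters
        return int(m.group(1)), "literal"
    if len(arg) >= 2 and arg[:1] == b'"' and arg[-1:] == b'"':
        arg = arg[1:-1]  # quoted string: measure the content only
    if arg.isalnum():
        return len(arg), "alnum-only"      # matches alphanumeric-encoded payloads
    if all(0x20 <= b <= 0x7E for b in arg):
        return len(arg), "printable"
    return len(arg), "binary"

def scan_session(lines):
    """Return [(tag, length, kind)] for DELETE commands with oversized arguments."""
    alerts = []
    for raw in lines:
        m = CMD_RE.match(raw.rstrip(b"\r\n"))
        if not m or m.group(2).upper() != b"DELETE":
            continue
        length, kind = classify_delete_arg(m.group(3) or b"")
        if length >= MAX_MAILBOX_LEN:
            alerts.append((m.group(1).decode("ascii", "replace"), length, kind))
    return alerts

# Constructed sample session (benign filler bytes, not a real payload).
SAMPLE_SESSION = [
    b"a001 LOGIN alice secret\r\n",
    b'a002 DELETE "Old Mail/2003"\r\n',
    b"A683 DELETE " + b"A" * 300 + b"\r\n",
    b"a004 DELETE {4096}\r\n",
    b"a005 LOGOUT\r\n",
]

if __name__ == "__main__":
    for tag, length, kind in scan_session(SAMPLE_SESSION):
        print(f"ALERT tag={tag} delete_arg_len={length} kind={kind}")
```

The scanner sees only client commands, so it does not know whether authentication succeeded; correlate alerts with server-side login records before treating a hit as an exploitation attempt.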