CVE-2005-1256
Published 2005-05-25
Priority: P353, critical, 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 58.90% (99.0th percentile)
Stack-based buffer overflow in the IMAP daemon (IMAPD32.EXE) in IMail 8.13 in Ipswitch Collaboration Suite (ICS), and other versions before IMail Server 8.2 Hotfix 2, allows remote authenticated users to execute arbitrary code via a STATUS command with a long mailbox name.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | imail | — | — |
| ipswitch | imail_server | <= 8.2_hotfix_2 | — |
Detection & IOCs
- port: 143
- filename: IMAPD32.EXE
- command: STATUS <mailbox_name_100+_chars>
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3; metadata:created_at 2010_09_23, cve CVE_2005_1256, confidence Medium, signature_severity Minor, updated_at 2019_07_26;)
- Detect IMAP STATUS commands where the mailbox name argument exceeds 100 characters on TCP port 143 — this is the overflow trigger condition.
- The attack requires an established, authenticated TCP session to the IMAP server (port 143); pre-authentication filtering is insufficient — monitor post-login traffic.
- Target process to monitor for anomalous behaviour or crashes is IMAPD32.EXE (the Ipswitch IMail IMAP daemon).
- The Snort rule uses 'isdataat:100,relative' after matching 'STATUS', meaning it only fires when at least 100 bytes follow the keyword — tune threshold if false positives arise from legitimate long mailbox names.
- The rule targets all versions before IMail Server 8.2 Hotfix 2; ensure patched hosts are excluded from alerting scope to reduce noise.
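
The tuning note above, as an added example that is not part of the original page or the rule set: Python applies the rule's pcre to constructed IMAP command lines and separately measures only the mailbox argument, showing that the rule counts every byte after STATUS, including the status item list. The names `mailbox_length`, `triage` and `SAMPLES` are assumptions, and IMAP literals (`{n}`) are not parsed.

```python
import re

# pcre from the rule on this page: /\sSTATUS\s[^\n]{100}/smi
RULE_PCRE = re.compile(r"\sSTATUS\s[^\n]{100}", re.S | re.M | re.I)

# Assumed command shape: <tag> STATUS <mailbox> (<items>), where the mailbox
# is a quoted string or an atom. IMAP literals ({n}\r\n...) are not handled.
STATUS_CMD = re.compile(r'^\S+\s+STATUS\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', re.I)

MAILBOX_LIMIT = 100  # same threshold the rule uses


def rule_matches(line):
    """True when the rule's pcre would match this client line."""
    return RULE_PCRE.search(line) is not None


def mailbox_length(line):
    """Length of the STATUS mailbox argument, or None if not a STATUS command."""
    m = STATUS_CMD.match(line)
    if m is None:
        return None
    name = m.group(1) if m.group(1) is not None else m.group(2)
    return len(name)  # escape backslashes in quoted names are counted as-is


def triage(line):
    """Compare the rule verdict with a check on the mailbox argument alone."""
    length = mailbox_length(line)
    return {
        "rule": rule_matches(line),
        "mailbox_len": length,
        "long_mailbox": length is not None and length >= MAILBOX_LIMIT,
    }


# Constructed sample client lines (not captured traffic).
SAMPLES = [
    "a001 STATUS INBOX (MESSAGES UNSEEN)",
    'a002 status "Sent Items" (UNSEEN)',
    # 60-char mailbox plus a long item list: rule fires, mailbox is under limit
    "a003 STATUS " + "A" * 60 + " (MESSAGES RECENT UIDNEXT UIDVALIDITY UNSEEN)",
    # 120-char mailbox: rule fires and the mailbox itself is over the limit
    "a004 STATUS " + "M" * 120 + " (MESSAGES)",
    "a005 SELECT INBOX",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], triage(sample))
```

Lines like `a003` are the false-positive case: the alert is raised by the total line length, so triage should look at the mailbox argument before treating it as an overflow attempt.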
Suricata
GPL IMAP status overflow attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3; metadata:created_at 2010_09_23, cve CVE_2005_1256, confidence Medium, signature_severity Minor, updated_at 2019_07_26;)
No public exploits indexed.
No writeups or analysis indexed.
- http://securitytracker.com/id?1014047
- http://www.idefense.com/application/poi/display?id=244&type=vulnerabilities
- http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html
- http://www.securityfocus.com/bid/13727