CVE-2005-2278
Published 2005-07-18
Priority P3 (55), high, 7.2 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 84.64% (99.7th percentile)
Stack-based buffer overflow in the IMAP daemon (imapd) in MailEnable Professional 1.54 allows remote authenticated users to execute arbitrary code via the status command with a long mailbox name.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mailenable | mailenable_professional | — | — |
Detection & IOCs (extracted from sources)
- Detect oversized IMAP STATUS command mailbox names: the exploit sends a STATUS request with a mailbox argument padded to 9273 bytes followed by a SEH overwrite payload.
- Look for a null byte (\x00) embedded inside the IMAP STATUS mailbox name argument, which is a key exploit artefact used to trigger the overflow.
- The exploit requires prior IMAP authentication; alert on authenticated IMAP sessions that subsequently issue an abnormally large STATUS command (>9000 bytes in the mailbox field).
- Bad characters excluded from the payload are \x00, \x0a, \x0d, \x20; any IMAP STATUS mailbox argument containing high-entropy alphanumeric data of ~9273 bytes without spaces/newlines is highly suspicious.
- Monitor for SEH-based shellcode execution originating from MEAISP.DLL at the known return address 0x1001c019 on MailEnable 1.54 Pro installations.
- Exploit requires valid IMAP credentials before the STATUS overflow can be triggered; unauthenticated detection alone is insufficient.
- Return addresses in the Metasploit module are OS-specific; the universal target uses MEAISP.DLL (0x1001c019) while XP SP0/SP1, Win2000, and Win2003 each have distinct hardcoded RET values, so tune detection/blocking per target OS.
- Payload space is constrained to 450 bytes with a stack adjustment of -3500; staged or large payloads will not fit without modification.
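The first three checks in the list above, as an added example (not code from this page or from any source it cites): a Python scanner over a reassembled IMAP session that flags STATUS commands whose mailbox argument is oversized or contains a NUL byte, and records whether a login had already succeeded. The record format, function names and the sample session are assumptions constructed for illustration.

```python
import re

MAX_MAILBOX_LEN = 9000  # the page's alert threshold for the mailbox field; tune locally
TAGGED = re.compile(rb"^(\S+) (\S+) ?(.*)$", re.DOTALL)  # tag, command word, rest

def mailbox_arg(rest: bytes) -> bytes:
    """Mailbox argument of STATUS: everything before the trailing '(items)' list."""
    head, sep, _ = rest.rpartition(b" (")
    return (head if sep else rest).strip()

def scan_session(records, max_len=MAX_MAILBOX_LEN):
    """records: iterable of (direction, line); direction is 'C' (client) or 'S'
    (server), line is bytes without CRLF. Returns a list of alert dicts."""
    alerts, login_tags, authenticated = [], set(), False
    for direction, line in records:
        m = TAGGED.match(line)
        if not m:
            continue
        tag, word, rest = m.group(1), m.group(2).upper(), m.group(3)
        if direction == "C" and word in (b"LOGIN", b"AUTHENTICATE"):
            login_tags.add(tag)                  # remember which tag carries the login
        elif direction == "S" and tag in login_tags and word == b"OK":
            authenticated = True                 # tagged OK answering that login
        elif direction == "C" and word == b"STATUS":
            arg, reasons = mailbox_arg(rest), []
            if len(arg) > max_len:
                reasons.append("oversized-mailbox")
            if b"\x00" in arg:                   # NUL is never valid in an IMAP string
                reasons.append("nul-in-mailbox")
            if reasons:
                alerts.append({"tag": tag.decode("ascii", "replace"),
                               "mailbox_len": len(arg),
                               "authenticated": authenticated,
                               "reasons": reasons})
    return alerts

# Constructed sample session; the long argument is inert filler, not a payload.
SAMPLE = [
    ("S", b"* OK IMAP4rev1 server ready"),
    ("C", b"a001 LOGIN alice example-password"),
    ("S", b"a001 OK LOGIN completed"),
    ("C", b'a002 STATUS "INBOX" (MESSAGES UNSEEN)'),
    ("C", b'a003 STATUS "' + b"A" * 9300 + b'" (MESSAGES)'),
    ("C", b'a004 STATUS "x\x00y" (MESSAGES)'),
]

if __name__ == "__main__":
    for alert in scan_session(SAMPLE):
        print(alert)
```

Legitimate mailbox names are far shorter than the default threshold, so `max_len` can be lowered to match the longest names seen in local traffic.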
No detection rules found.
Exploit-DB
MailEnable IMAPD 1.54 - STATUS Request Buffer Overflow (Metasploit)
exploitdb·2010-04-30
---
```ruby
##
# $Id: mailenable_status.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'MailEnable IMAPD (1.54) STATUS Request Buffer Overflow',
  'Description' => %q{
    MailEnable's IMAP server contains a buffer overflow
    vulnerability in the STATUS command. With proper
    credentials, this could allow for the execution of arbitrary
    code.
  },
  'Author' => [ 'MC' ],
  'License' => MSF_LICENSE,
  'Version' => '$Revision: 9179 $',
  'References' =>
    [
      [ 'CVE', '20
```
Metasploit
MailEnable IMAPD (1.54) STATUS Request Buffer Overflow
metasploit
MailEnable's IMAP server contains a buffer overflow vulnerability in the STATUS command. With proper credentials, this could allow for the execution of arbitrary code.
No writeups or analysis indexed.
Published: 2005-07-18