CVE-2005-2878
Published: 2005-09-13
Priority: P3, 47, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public exploit: yes (Exploit-DB)
EPSS: 14.57% (96.2th percentile)
Format string vulnerability in search.c in the imap4d server in GNU Mailutils 0.6 allows remote authenticated users to execute arbitrary code via format string specifiers in the SEARCH command.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mailutils | < mailutils 1:0.6.90-3 (bookworm) | mailutils 1:0.6.90-3 (bookworm) |
| gnu | mailutils | — | — |
| gnu | mailutils | >= 0 < 1:0.6.90-3 | 1:0.6.90-3 |
| gnu | mailutils | >= 0 < 1:0.6.90-3 | 1:0.6.90-3 |
| gnu | mailutils | >= 0 < 1:0.6.90-3 | 1:0.6.90-3 |
| gnu | mailutils | >= 0 < 1:0.6.90-3 | 1:0.6.90-3 |
Detection & IOCs (extracted from sources)
- Detect IMAP SEARCH commands containing printf-style format specifiers (e.g., %d$x, %hn, %.Nx) in the search criteria; this is the direct exploitation vector in search.c.
- Monitor IMAP traffic on port 143 for SEARCH TOPIC commands containing sequences matching `%[0-9]+\$[xhn]` or `%.[0-9]+x` patterns, indicative of format string exploitation attempts.
- Alert on imap4d processes spawning unexpected child processes (e.g., xterm, /bin/sh, nc) or making outbound connections; this is a post-exploitation indicator for this format string RCE.
- Watch for IMAP LIST commands with oversized payloads (~1024 bytes padded with 0x41) followed by embedded shellcode, used to stage shellcode in imap4d rwx address space before triggering the format string.
- Detect new listening ports 30464 or 5074 opened by imap4d or its child processes; these are the bind-shell ports used by the exploit payloads.
- Brute-force offset discovery pattern: repeated SEARCH TOPIC commands with incrementing numeric format string offsets (e.g., %1$x, %2$x … %N$x) looking for 0x41414141 in the response, which indicates active exploitation reconnaissance.
- Caveat: exploit hardcoded addresses (DTOR_END_ADDR, got_entry, IO_file_close, addr) are OS/build-specific; detections based on these exact values will only match the specific target configurations used in the published PoCs (Fedora Core 6, FreeBSD, Debian etch).
- Caveat: exploitation requires prior authentication (remote authenticated users); unauthenticated SEARCH commands cannot trigger this vulnerability.
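The SEARCH-based detections in the list above (format specifiers in the criteria, and the incrementing-offset sweep), written as log-scanning logic. This is an added example, not code from the advisories or PoCs indexed here; the input shape (client address plus raw IMAP command line), the rule names, the sweep threshold and the sample lines are assumptions, and the regex is deliberately broader than the two patterns quoted above.

```python
import re
from collections import defaultdict

# printf-style conversion: optional positional "N$", flags, width, ".precision",
# length modifier, conversion character (broader than the two quoted patterns).
FMT_SPEC = re.compile(r"%(?:(\d+)\$)?[-+#0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([diouxXsnp])")
# IMAP client line: tag, optional UID prefix, command, arguments.
IMAP_CMD = re.compile(r"^(\S+)\s+(?:UID\s+)?([A-Za-z]+)(?:\s+(.*))?$", re.IGNORECASE)
SWEEP_THRESHOLD = 3  # assumed: distinct positional offsets before calling it a sweep


def scan_imap_commands(events):
    """events: iterable of (client, raw_line). Returns a list of alert dicts."""
    alerts = []
    offsets_seen = defaultdict(set)  # client -> positional offsets probed so far
    for client, raw in events:
        m = IMAP_CMD.match(raw.strip())
        if not m or m.group(2).upper() != "SEARCH":
            continue
        specs = list(FMT_SPEC.finditer(m.group(3) or ""))
        if not specs:
            continue
        writes = any(s.group(2) == "n" for s in specs)  # %n / %hn write to memory
        alerts.append({"client": client, "tag": m.group(1),
                       "rule": "search-format-write" if writes else "search-format-spec",
                       "specs": [s.group(0) for s in specs]})
        before = len(offsets_seen[client])
        offsets_seen[client].update(int(s.group(1)) for s in specs if s.group(1))
        if before < SWEEP_THRESHOLD <= len(offsets_seen[client]):
            alerts.append({"client": client, "tag": m.group(1),
                           "rule": "search-offset-sweep",
                           "specs": sorted(offsets_seen[client])})
    return alerts


# Constructed sample traffic (not captured from a real server).
SAMPLE = [
    ("10.0.0.5", 'a1 LOGIN alice secret'),
    ("10.0.0.5", 'a2 SEARCH SUBJECT "quarterly report"'),
    ("10.0.0.9", 'b1 SEARCH TOPIC AAAA%1$x'),
    ("10.0.0.9", 'b2 SEARCH TOPIC AAAA%2$x'),
    ("10.0.0.9", 'b3 SEARCH TOPIC AAAA%3$x'),
    ("10.0.0.9", 'b4 SEARCH TOPIC %4$hn'),
]

if __name__ == "__main__":
    for alert in scan_imap_commands(SAMPLE):
        print(alert)
```

IMAP literals (`{n}` continuation lines) are not reassembled here, so criteria sent that way need reassembly before scanning.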
CVSS provenance
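| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |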
Debian
CVE-2005-2878: mailutils - Format string vulnerability in search.c in the imap4d server in GNU Mailutils 0....
vendor_debian·2005·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 1:0.6.90-3)
bullseye: resolved (fixed in 1:0.6.90-3)
forky: resolved (fixed in 1:0.6.90-3)
sid: resolved (fixed in 1:0.6.90-3)
trixie: resolved (fixed in 1:0.6.90-3)
GHSA
GHSA-6mvq-9mv3-ppcp: Format string vulnerability in search
ghsa_unreviewed·2022-05-01
OSV
CVE-2005-2878: Format string vulnerability in search
osv·2005-09-13·CVSS 7.5
No detection rules found.
Exploit-DB
GNU Mailutils imap4d 0.6 - exec-shield Remote Format String
exploitdb·2007-04-24
---
/*
**
** Fedora Core 6 (exec-shield) based
** GNU imap4d mailutils-0.6 search remote format string exploit
** by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: https://www.securityfocus.com/bid/14794 (2005/09/09)
** http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=303
**
** --
** exploit by "you dong-hun"(Xpl017Elz), .
** My World: http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** This vulnerability is one of the normal exploitation case under exec-shield.
** GNU imap4d can be run as a standalone deamon by using -d option and it inherits
** virtual addres
Exploit-DB
GNU Mailutils imap4d 0.6 (FreeBSD) - 'Search' Remote Format String
exploitdb·2005-09-26
---
/*
* Copyright (c) 2005 Rosiello Security
* http://www.rosiello.org
*
* Permission is granted for the redistribution of this software
* electronically. It may not be edited in any way without the express
* written consent of Rosiello Security.
*
* Disclaimer: The author published the information under the condition
* that is not in the intention of the reader to use them in order to bring
* to himself or others a profit or to bring to others damage.
*
* --------------------------------------------------------------------------
*
* GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability
* iDEFENSE Security Advisory 09.09.05
* www.idefense.com/application/poi/display?id=303&type=vulnerabilities
*
* The GNU mailuti
Exploit-DB
GNU Mailutils imap4d 0.6 - 'Search' Remote Format String
exploitdb·2005-09-10
---
/*
* GNU Mailutils 0.6 imap4d 'search' format string exploit.
* Ref: www.idefense.com/application/poi/display?id=303&type=vulnerabilities
*
* This silly exploit uses hardcoded values taken from GNU/Debian testing (etch).
*
* $ ./imap4d_search_expl -h 127.0.0.1 -p 143 -u clem1 -s PROUT
* [+] GNU Mailutils 0.6 imap4d 'search' format string exploit.
* [+] By clem1.
* [+] connecting to: 127.0.0.1:143
* [+] authentification: completed.
* [+] format string: sended
* [+] shellcode sended.
* [+] Bingo.
*
* id;
* uid=1000(clem1) gid=1002(mail) groups=0(root)
*
* Copyright (C) 2005 Clement Lecigne - clem1 @ badcode.info.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
struc
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=112785181316043&w=2
- http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=4407
- http://secunia.com/advisories/16783
- http://secunia.com/advisories/17020
- http://www.debian.org/security/2005/dsa-841
- http://www.gentoo.org/security/en/glsa/glsa-200509-10.xml
- http://www.idefense.com/application/poi/display?id=303&type=vulnerabilities&flashstatus=true
- http://www.rosiello.org/archivio/imap4d_FreeBSD_exploit.c
- http://www.securityfocus.com/bid/14794

Published: 2005-09-13