CVE-2005-4267
Published 2005-12-21. CVE-2005-4267: Stack-based buffer overflow in Qualcomm WorldMail 3.0 allows remote attackers to execute arbitrary code via a long IMAP command that ends with a "}" character.
Priority: P3 · 57 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS: 66.80% (99.2nd percentile)
Stack-based buffer overflow in Qualcomm WorldMail 3.0 allows remote attackers to execute arbitrary code via a long IMAP command that ends with a "}" character, as demonstrated using long (1) LIST, (2) LSUB, (3) SEARCH TEXT, (4) STATUS INBOX, (5) AUTHENTICATE, (6) FETCH, (7) SELECT, and (8) COPY commands.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qualcomm | eudora_worldmail | — | — |
| qualcomm | worldmail | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b`
- The exploit targets the IMAP LIST command with an oversized argument; detect abnormally long IMAP LIST commands (overflow at ~970 bytes) sent to the WorldMail IMAPd service.
- The exploit requires NO authentication before sending the malicious LIST command; alert on IMAP LIST commands sent prior to any LOGIN/AUTHENTICATE exchange.
- The exploit payload uses a closing curly brace '}' as a terminator appended to the oversized LIST argument; look for IMAP LIST commands containing '}' after a large buffer.
- The bad characters for the payload include the null byte, LF, CR, space, and '{' (0x7b); the exploit avoids these in the IMAP LIST argument, which can help distinguish exploit traffic.
- Identify vulnerable WorldMail IMAP server versions by banner; versions 6.1.19.0 through 6.1.22.0 are vulnerable.
- The WorldMail IMAPd service does NOT restart automatically after a crash; exploitation may be limited to a single attempt per service lifecycle.
- Version 6.1.22.1 patches this vulnerability; only builds 6.1.19.0 through 6.1.22.0 are affected.
- CVE-2006-0637 (IMAP APPEND vector via cram.dll) is a distinct vulnerability from CVE-2005-4267 (IMAP LIST vector); do not conflate detection signatures for the two.
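The detection notes above combine three observable traits: a LIST argument near the ~970-byte overflow length, a bare '}' terminator after the buffer, and the command arriving before any LOGIN/AUTHENTICATE. The following is an added example written for this page (not code from any of the indexed sources) that applies those heuristics to the client-to-server lines of an IMAP session. The thresholds, the `Finding` structure, the reason codes and the sample traffic are all assumptions constructed for the example; since only the client side is inspected, a LOGIN/AUTHENTICATE is assumed to have succeeded.

```python
"""Heuristic detection for the IMAP LIST overflow shape described for CVE-2005-4267.

Added example for this page, not code from any indexed source. Thresholds and the
command-line layout are assumptions taken from the detection notes: roughly 970
bytes of LIST argument, a bare '}' terminator, and a LIST issued before any
LOGIN/AUTHENTICATE. Only client-to-server lines are inspected.
"""
import re
from dataclasses import dataclass

# Page-derived thresholds (assumptions for this example).
OVERFLOW_ARG_LEN = 970   # SEH overwrite offset reported for the LIST command
LARGE_ARG_LEN = 512      # still far beyond any realistic mailbox name

# IMAP client line: <tag> <command> [<arguments>]
IMAP_LINE = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")
# A valid IMAP literal introducer is "{<octets>}" (or "{<octets>+}") at end of line.
LITERAL_INTRODUCER = re.compile(r"\{\d+\+?\}$")

AUTH_COMMANDS = {"LOGIN", "AUTHENTICATE"}
# Commands the CVE text lists as demonstrated overflow vectors.
VECTOR_COMMANDS = {"LIST", "LSUB", "SEARCH", "STATUS", "AUTHENTICATE",
                   "FETCH", "SELECT", "COPY"}


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list


def analyze_session(lines):
    """Return one Finding per client command line that matches the exploit shape."""
    authenticated = False
    findings = []
    for n, raw in enumerate(lines, 1):
        m = IMAP_LINE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # literal data or continuation, not a tagged command line
        cmd = m.group("cmd").upper()
        args = m.group("args") or ""
        reasons = []
        if cmd in VECTOR_COMMANDS:
            if len(args) >= OVERFLOW_ARG_LEN:
                reasons.append("oversized_argument")
            elif len(args) >= LARGE_ARG_LEN:
                reasons.append("large_argument")
            # A trailing '}' is legitimate only as part of a "{n}" literal introducer.
            if args.endswith("}") and not LITERAL_INTRODUCER.search(args):
                reasons.append("bare_brace_terminator")
            if cmd == "LIST" and not authenticated:
                reasons.append("preauth_list")
        if cmd in AUTH_COMMANDS:
            authenticated = True  # assumption: we cannot see the server's OK/NO
        if reasons:
            findings.append(Finding(n, cmd, reasons))
    return findings


def build_sample_session():
    """Constructed sample traffic: a benign session and an exploit-shaped one."""
    benign = [
        "a001 CAPABILITY",
        "a002 LOGIN alice secret",
        'a003 LIST "" {1}',      # literal introducer: this '}' is legitimate
        "*",
        'a004 LIST "" "*"',
        "a005 LOGOUT",
    ]
    # Shaped like the page's description: ~1000 filler bytes, then a bare '}',
    # with no LOGIN/AUTHENTICATE beforehand. Filler content is arbitrary.
    suspicious = [
        "x001 CAPABILITY",
        "x002 LIST " + "A" * 1000 + "}",
    ]
    return benign, suspicious


if __name__ == "__main__":
    for name, session in zip(("benign", "suspicious"), build_sample_session()):
        for f in analyze_session(session):
            print(f"{name}: line {f.line_no} {f.command}: {', '.join(f.reasons)}")
```

The `{n}` literal check matters because RFC 3501 clients legitimately end a LIST line with a brace when sending a literal mailbox name; only a brace that is not a literal introducer, after an oversized argument, matches the exploit shape described above. Feeding the same function per-connection reassembled TCP payloads instead of the constructed lines is the intended deployment.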
GHSA
GHSA-9568-6gjg-jgm8: Stack-based buffer overflow in Qualcomm WorldMail 3
ghsa_unreviewed · 2022-05-01 · CVE-2005-4267 · HIGH · CWE-119
Stack-based buffer overflow in Qualcomm WorldMail 3.0 allows remote attackers to execute arbitrary code via a long IMAP command that ends with a "}" character, as demonstrated using long (1) LIST, (2) LSUB, (3) SEARCH TEXT, (4) STATUS INBOX, (5) AUTHENTICATE, (6) FETCH, (7) SELECT, and (8) COPY commands.
GHSA
GHSA-p489-2qgm-7765: Buffer overflow in cram
ghsa_unreviewed · 2022-05-01 · CVE-2006-0637 · HIGH · CVSS 7.5
Buffer overflow in cram.dll in QUALCOMM Eudora WorldMail 3.0 allows remote attackers to execute arbitrary code via an IMAP APPEND command with a long message literal argument, as demonstrated by Worldmail.pl. NOTE: this is a different vector and a different manipulation than CVE-2005-4267, so it might be a different vulnerability than CVE-2005-4267.
No detection rules found.
Exploit-DB
Eudora Qualcomm WorldMail 3.0 - IMAPd 'LIST' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-01 · CVE-2005-4267
---
```ruby
##
# $Id: eudora_list.rb 9653 2010-07-01 23:33:07Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server
          version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this
          particular vulnerability.

          NOTE: The service does NOT restart automatically by default. You may be limited to
          only one attempt, so choose wisely!
```
Exploit-DB
Eudora Qualcomm WorldMail 3.0 - 'IMAPd' Remote Overflow
exploitdb · 2005-12-20 · CVE-2006-0637
---
```python
#!/usr/bin/python
###################################################################################
#
# PRE AUTHENTICATION Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow.
#
# Discovered by Tim Shelton - [email protected]
#
# Coded by [email protected]
#
# Details:
# * SEH gets overwritten at 970 bytes in the LIST command.
# * No space for shellcode, so 1st stage shellcode is used to
#   jump back 768 bytes into the bindshell (2nd stage) shellcode.
#
# Thanks:
# * My wife - for putting up with my obsessions
# FOR EDUCATION PURPOSES ONLY!
###################################################################################
# root@muts:/tmp# ./test.py 192.168.1.162
#
# Eudora Qualcomm WorldMail 3.0 IM
```
Metasploit
Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this particular vulnerability. NOTE: The service does NOT restart automatically by default. You may be limited to only one attempt, so choose wisely!
No writeups or analysis indexed.
References
- http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html
- http://secunia.com/advisories/17640
- http://securityreason.com/securityalert/277
- http://securitytracker.com/id?1015391
- http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359
- http://www.securityfocus.com/bid/15980
- http://www.vupen.com/english/advisories/2005/3005