CVE-2005-4267
published 2005-12-21


Priority: P3 · 57 · high
CVSS 2.0 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 66.80% (99.2 percentile)
Stack-based buffer overflow in Qualcomm WorldMail 3.0 allows remote attackers to execute arbitrary code via a long IMAP command that ends with a "}" character, as demonstrated using long (1) LIST, (2) LSUB, (3) SEARCH TEXT, (4) STATUS INBOX, (5) AUTHENTICATE, (6) FETCH, (7) SELECT, and (8) COPY commands.

Affected (2 ranges)

Vendor     Product            Version range   Fixed in
qualcomm   eudora_worldmail
qualcomm   worldmail

Detection & IOCs (extracted from sources)

port: 4444
command: a001 LIST <overflow_buffer>
other: SEH overwrite return address: 0x77E1CCF7 (Win2k SP4 JMP EBX)
other: SEH overwrite return address: 0x600b6317 (p/p/r in MLstMgr.dll v6.1.19.0)
other: SEH overwrite return address: 0x10022187 (p/p/r in MsRemote.dll)
command: a001 LIST <rand_text_alphanumeric(20)><payload><SEH_record><nops+jmp+rand>}\r\n
bytes: \x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b
  • The exploit targets the IMAP LIST command with an oversized argument; detect abnormally long IMAP LIST commands (overflow at ~970 bytes) sent to the WorldMail IMAPd service.
  • The exploit requires NO authentication before sending the malicious LIST command; alert on IMAP LIST commands sent prior to any LOGIN/AUTHENTICATE exchange.
  • The exploit payload uses a closing curly-brace '}' as a terminator appended to the oversized LIST argument; look for IMAP LIST commands containing '}' after a large buffer.
  • The bad characters for the payload include null byte, LF, CR, space, and '{' (0x7b); the exploit avoids these in the IMAP LIST argument, which can help distinguish exploit traffic.
  • Identify vulnerable WorldMail IMAP server versions by banner; versions 6.1.19.0 through 6.1.22.0 are vulnerable.
  • The WorldMail IMAPd service does NOT restart automatically after a crash; exploitation may be limited to a single attempt per service lifecycle.
  • Version 6.1.22.1 patches this vulnerability; only builds 6.1.19.0 through 6.1.22.0 are affected.
  • CVE-2006-0637 (IMAP APPEND vector via cram.dll) is a distinct vulnerability from CVE-2005-4267 (IMAP LIST vector); do not conflate detection signatures for the two.
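The detection notes above translate directly into a session-level heuristic. The following is an added example, not part of the cvebase record and not taken from any exploit module: it walks the client side of one IMAP session and flags LIST commands that match the extracted indicators (oversized argument at the ~970-byte mark, LIST issued before any LOGIN/AUTHENTICATE, a large argument terminated with '}', and an argument free of the bad characters NUL/LF/CR/space/'{'). The 200-byte "large argument" floor for the two weaker signals, the assumption that a LOGIN/AUTHENTICATE command means the session is authenticated, and both sample sessions are constructed for the example.

```python
"""Heuristic flagging of anomalous IMAP LIST commands (CVE-2005-4267 indicators).

Added example: applies the extracted detection notes to the client lines of a
single IMAP session. Thresholds and sample sessions are constructed here.
"""
import re

# Overflow point from the detection notes (~970 bytes of LIST argument).
LIST_OVERFLOW_THRESHOLD = 970
# Assumed floor for the weaker signals ('}' terminator, bad-char-free argument).
LARGE_ARG_FLOOR = 200
# Bad characters the exploit payload must avoid: NUL, LF, CR, space, '{'.
BAD_CHARS = {0x00, 0x0A, 0x0D, 0x20, 0x7B}

# "<tag> <command> [<arguments>]" as sent by an IMAP client.
IMAP_CMD_RE = re.compile(rb"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


def analyze_session(client_lines):
    """Return [(tag, [reason, ...]), ...] for every suspicious LIST in the session.

    client_lines: iterable of bytes, one IMAP client command line each.
    The session is treated as authenticated after the first LOGIN or
    AUTHENTICATE command (assumption: we do not see the server's reply).
    """
    authenticated = False
    alerts = []
    for raw in client_lines:
        m = IMAP_CMD_RE.match(raw.rstrip(b"\r\n"))
        if not m:
            continue  # not a well-formed tagged command; ignore
        cmd = m.group("cmd").upper()
        args = m.group("args") or b""
        if cmd in (b"LOGIN", b"AUTHENTICATE"):
            authenticated = True
            continue
        if cmd != b"LIST":
            continue
        reasons = []
        if len(args) >= LIST_OVERFLOW_THRESHOLD:
            reasons.append(f"oversized LIST argument ({len(args)} bytes)")
        if not authenticated:
            reasons.append("LIST issued before LOGIN/AUTHENTICATE")
        if len(args) >= LARGE_ARG_FLOOR and args.endswith(b"}"):
            reasons.append("large argument terminated with '}'")
        if len(args) >= LARGE_ARG_FLOOR and not (set(args) & BAD_CHARS):
            reasons.append("large argument contains none of NUL/LF/CR/space/'{'")
        if reasons:
            alerts.append((m.group("tag").decode("ascii", "replace"), reasons))
    return alerts


# Constructed sample sessions (client side only).
BENIGN_SESSION = [
    b"a001 LOGIN alice secret\r\n",
    b'a002 LIST "" *\r\n',          # normal: short, authenticated, contains a space
    b'a003 LSUB "" *\r\n',
]
SUSPICIOUS_SESSION = [
    b"a000 CAPABILITY\r\n",
    # Unauthenticated LIST with a 1000-byte filler argument ending in '}'.
    b"a001 LIST " + b"A" * 1000 + b"}\r\n",
]


def demo():
    """Run both sample sessions and return their alert lists."""
    return analyze_session(BENIGN_SESSION), analyze_session(SUSPICIOUS_SESSION)


if __name__ == "__main__":
    benign, suspicious = demo()
    print("benign session alerts:", benign)
    for tag, reasons in suspicious:
        print(f"suspicious session, tag {tag}:")
        for r in reasons:
            print("  -", r)
```

Feed the function the reassembled client stream from a packet capture or an IMAP proxy log, one command per line. On the constructed suspicious session all four indicators fire on tag a001; on the benign session none do. The same routine would not match CVE-2006-0637 traffic, which uses the APPEND command rather than LIST.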