cbcvebase.
CVE-2006-4364
published 2006-08-27

CVE-2006-4364: Multiple heap-based buffer overflows in the POP3 server in Alt-N Technologies MDaemon before 9.0.6 allow remote attackers to cause a denial of service (daemon…

PriorityP343medium5CVSS 2.0
AVNACLAuNCNINAP
EXPLOIT
EPSS
54.62%
98.9th percentile
Multiple heap-based buffer overflows in the POP3 server in Alt-N Technologies MDaemon before 9.0.6 allow remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via long strings that contain '@' characters in the (1) USER and (2) APOP commands.

Affected

44 ranges· showing 25
VendorProductVersion rangeFixed in
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon
alt-nmdaemon

Detection & IOCsextracted from sources · hover to see the quote

port110
commandUSER @A x 160
commandUSER @[email protected] (326 B's) - heap overflow trigger via USER command with @ characters
commandUSER 'A x 337 - heap overflow trigger via USER command
commandUSER @A * 1600 + shellcode - remote code execution payload via POP3 USER command
commandUSER @A@A + buffer - heap overflow trigger via USER command
otherRET address: 0x7c2f62b6 (advapi.dll JMP ESI+48 Win2k SP4)
otherUEH address: 0x7C54144C (SetUnhandledExceptionFilter Win2k SP4)
bytes
egghunter: \xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3
bytes
egg tag: \x90\x90\x74\x30\x30\x77\x74\x30\x30\x77 (t00wt00w)
  • Detect heap overflow attempts against MDaemon POP3 server via USER command containing repeated '@' characters — a long USER argument with '@' is the primary attack signature for CVE-2006-4364.
  • Alert on POP3 USER commands exceeding normal length thresholds (e.g., >160 repetitions of '@A') on TCP port 110 targeting MDaemon.
  • Detect the egghunter tag 't00wt00w' (bytes \x74\x30\x30\x77\x74\x30\x30\x77) in POP3 USER command payloads as an indicator of the exploit shellcode stage.
  • Monitor for bind-shell connections on port 4444 originating from the MDaemon process following exploitation.
  • Repeated rapid TCP connections to port 110 in a loop (e.g., 5+ connections in quick succession) sending oversized USER commands may indicate exploit looping behavior.
  • ·The RET and UEH gadget addresses are specific to Windows 2000 SP4 with no patches applied; these hardcoded addresses will not work on other OS versions or patch levels.
  • ·The exploit targets MDaemon versions prior to 9.0.6; systems running 9.0.6 or later are not vulnerable.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.