cbcvebase.
CVE-2006-4379
published 2006-09-08

CVE-2006-4379: Stack-based buffer overflow in the SMTP Daemon in Ipswitch Collaboration 2006 Suite Premium and Standard Editions, IMail, IMail Plus, and IMail Secure allows…

PriorityP260high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
60.04%
99.0th percentile
Stack-based buffer overflow in the SMTP Daemon in Ipswitch Collaboration 2006 Suite Premium and Standard Editions, IMail, IMail Plus, and IMail Secure allows remote attackers to execute arbitrary code via a long string located after an '@' character and before a ':' character.

Affected

4 ranges
VendorProductVersion rangeFixed in
ipswitchimail_plus
ipswitchimail_secure_server
ipswitchipswitch_collaboration_suite
ipswitchipswitch_collaboration_suite

Detection & IOCsextracted from sources · hover to see the quote

port4444
commandRCPT TO: <@[overflow]:
other0x10036f71 (pop ebp, ret - SMTPDLL.DLL IMail 8.x)
other0x100188c3 (pop eax, ret - SmtpDLL.dll IMail 8.10)
other0x100191c4 (pop eax, ret - SmtpDLL.dll IMail 8.12)
bytes
\x81\xc4\xff\xef\xff\xff\x44
bytes
\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x74\x24\xf4\x58
bytes
\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93
  • Detect oversized RCPT TO commands where a long string appears between '@' and ':' characters — this is the specific trigger pattern for the stack overflow.
  • Alert on SMTP RCPT TO commands exceeding normal length bounds (>560 bytes) targeting port 25 on Ipswitch IMail servers.
  • Monitor for SMTP sessions that send EHLO, MAIL FROM, then a malformed RCPT TO with embedded null-free shellcode — the exploit sequence is EHLO → MAIL FROM → malicious RCPT TO.
  • Bad characters for payload encoding are \x00 \x0d \x0a \x20 \x3e \x22 \x40; absence of these bytes in a long RCPT TO argument is a strong indicator of encoded shellcode.
  • After successful exploitation, watch for a bind shell on TCP port 4444 on the victim IMail server.
  • The exploit targets SmtpDLL.dll / SMTPDLL.DLL ROP gadgets; monitor for abnormal return addresses into these DLLs (0x10036f71, 0x100188c3, 0x100191c4) in crash dumps or memory forensics.
  • ·The overflow is only triggered when the long string is positioned specifically after '@' and before ':' in the RCPT TO argument; generic SMTP length checks on the full command line may miss this if they do not parse the internal structure.
  • ·The exploit requires the payload to be free of restricted bytes (\x00 \x0d \x0a \x20 \x3e \x22 \x40); detection signatures based solely on these bytes will miss encoded payloads.
  • ·The ROP gadget addresses differ across IMail versions and Windows OS/SP combinations; a single return-address signature will not cover all exploit variants.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.