CVE-2006-5551
Published: 2006-10-26
CVE-2006-5551: Stack-based buffer overflow in QK SMTP 3.01 and earlier might allow remote attackers to execute arbitrary code via a long argument to the RCPT TO command.
Priority: P3 · 40 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT: available
EPSS: 5.06% (percentile 91.2)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qksoft | qk_smtp | <= 3.0.1 | — |
GHSA
GHSA-phxv-6mj6-69g6 (ghsa_unreviewed, 2022-05-01, CVSS 7.5) for CVE-2007-6573 [HIGH], CWE-20: QK SMTP Server 3 allows remote attackers to cause a denial of service (daemon crash) via a long (1) HELO, (2) MAIL FROM, or (3) RCPT TO command; or (4) a long string in the message sent after the DATA command; possibly a related issue to CVE-2006-5551.
GHSA
GHSA-j7m7-hxw4-gvrp (ghsa_unreviewed, 2022-05-01) for CVE-2006-5551 [HIGH]: Stack-based buffer overflow in QK SMTP 3.01 and earlier might allow remote attackers to execute arbitrary code via a long argument to the RCPT TO command.
No detection rules found.
Exploit-DB
QK SMTP 3.01 - 'RCPT TO' Remote Buffer Overflow (2) (exploitdb, 2007-01-01, CVE-2006-5551)
---
#!/bin/perl
#
#https://www.securityfocus.com/bid/20681
#
# tested on winXp Pro SP0 English / winXp Pro SP2 Italian / win 2k SP4 Italian/English; the return address is universal
# binds a remote cmd.exe on the target host on port 4444; based on expanders' original exploit
# credit to Greg Linares for discovering the vulnerability
# thanks to hdm and vlads902 for the original shellcode; encoded using Skylined's alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it
use IO::Socket;
# argument handling reconstructed here; the original text between "@ARGV" and "new(" was lost in extraction
if (@ARGV < 2) { die "Usage: $0 host port\n"; }
$host = $ARGV[0];
$port = $ARGV[1];
$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "helo acaro" . "\r\n";
send $socket, $request, 0;
print "[+] Sent helo request\n";
recv($socket, $reply, 1024, 0);
Exploit-DB
QK SMTP 3.01 - 'RCPT TO' Remote Buffer Overflow (1) (exploitdb, 2006-10-25, CVE-2006-5551)
---
/*
_______ ________ .__ _____ __
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
\ \/ / /_\ \ / \ _(__ __|_ \
\/ \/ \/ \/ 25\10\06 \/ |__| \/ \/
* mm. dM8
* YMMMb. dMM8 _____________________________________
* YMMMMb dMMM' [ ]
* `YMMMb dMMMP [ There are doors I have yet to open ]
* `YMMM MMM' [ windows I have yet to look through ]
* "MbdMP [ Going forward may not be the answer ]
* .dMMMMMM.P [ ]
* dMM MMMMMM [ maybe I should go back ]
* 8MMMMMMMMMMI [_____________________________________]
* YMMMMMMMMM www.netbunny.org
* "MMMMMMP
* MxM .mmm
* W"W """
[i] Title: QK SMTP
#include
#include
#include
#include
#include
#include
// You may want to change this, is the user and the password of shellcode added user
#define NETADD_USER "x0n
Exploit-DB
QK SMTP 3.01 - 'RCPT TO' Remote Denial of Service (exploitdb, 2006-10-23, CVE-2006-5551)
---
/*
0-day RCPT TO DoS Exploit for QK SMTP version 3.01 and lower.
Exploit affects a format string error in the RCPT TO command
in which the program attempts to print out the string back
to the console screen of the application. (RCPT TO: %s)
This PoC code could possibly be re-written to allow buffer
overflow and execution of code. (I unfortunately lack time at
the moment to continue any more research and development)
EIP, EBP, ESI and EAX can be overwritten with buffer code
but the program formats it in Unicode. Results can be similar
to this:
Buffer = "A"
EIP = 00400040
EBP = 00400040
ESI = 00400040
QK SMTP 3.01 is available here:
http://www.qksoft.com/qk-smtp-server/download.html
and at various shareware download sites across the in
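The CVE description and the DoS PoC comment above describe one mechanism: the RCPT TO argument is formatted into a fixed-size stack buffer with no length check, and the crash registers show the fill bytes widened to UTF-16. The C program below is an added example, not QK SMTP's code (which is closed source) and not any of the PoCs on this page. It places the unchecked pattern beside a bounded handler that rejects an over-long line with an SMTP error before the copy, builds the probe line the PoCs send, and computes the register pattern the Unicode widening produces. The 256-byte buffer size, the reply codes and all function names are assumptions for illustration.

```c
/* Added example: unchecked RCPT TO copy next to a bounded handler.
 * Not QK SMTP source; buffer size and reply codes are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RCPT_BUF      256   /* assumed size of the handler's stack buffer */
#define SMTP_MAX_LINE 512   /* RFC 5321 4.5.3.1.6: max command line incl. CRLF */

static const char RCPT_PREFIX[] = "RCPT TO:";

/* Case-insensitive prefix test (SMTP verbs are case-insensitive). */
static int has_prefix_icase(const char *s, const char *p)
{
    for (; *p; s++, p++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*p))
            return 0;
    return 1;
}

/* Vulnerable shape: sprintf writes strlen(arg)+10 bytes into a fixed stack
 * buffer regardless of RCPT_BUF, so a few hundred bytes of argument overwrite
 * the saved frame. Called below with a short constant only. */
static void rcpt_to_vulnerable(const char *arg)
{
    char rcpt[RCPT_BUF];
    sprintf(rcpt, "RCPT TO: %s", arg);   /* no bound: this is the bug class */
    puts(rcpt);                           /* the PoC notes the server echoes it */
}

/* Bytes the vulnerable sprintf writes past RCPT_BUF for an argument of
 * arg_len bytes; 0 means the formatted line, NUL included, still fits. */
static size_t vulnerable_overrun(size_t arg_len)
{
    size_t written = strlen("RCPT TO: ") + arg_len + 1;
    return written > RCPT_BUF ? written - RCPT_BUF : 0;
}

/* Bounded handler. Returns the reply code to send: 500 for a line over the
 * protocol limit or an unknown verb, 501 when the formatted line would not
 * fit out_len (reject rather than truncate or overflow), 250 otherwise. */
static int rcpt_to_hardened(const char *line, char *out, size_t out_len)
{
    if (strlen(line) > SMTP_MAX_LINE)
        return 500;
    if (!has_prefix_icase(line, RCPT_PREFIX))
        return 500;
    const char *arg = line + strlen(RCPT_PREFIX);
    while (*arg == ' ')
        arg++;
    int n = snprintf(out, out_len, "RCPT TO: %s", arg);
    if (n < 0 || (size_t)n >= out_len)
        return 501;
    return 250;
}

/* Build the kind of line the PoCs send: "RCPT TO: " + n_fill copies of fill
 * + CRLF. Returns the line length, or 0 if dst cannot hold it. */
static size_t build_rcpt_probe(char *dst, size_t cap, size_t n_fill, char fill)
{
    const char head[] = "RCPT TO: ";
    size_t off = sizeof head - 1;
    if (cap < off + n_fill + 3)
        return 0;
    memcpy(dst, head, off);
    memset(dst + off, fill, n_fill);
    off += n_fill;
    dst[off++] = '\r';
    dst[off++] = '\n';
    dst[off] = '\0';
    return off;
}

/* Probe the hardened handler with an n_fill-byte argument; returns its reply. */
static int reply_for_probe(size_t n_fill, char fill)
{
    char line[4096], out[RCPT_BUF];
    if (!build_rcpt_probe(line, sizeof line, n_fill, fill))
        return -1;
    return rcpt_to_hardened(line, out, sizeof out);
}

/* The DoS PoC reports EIP/EBP/ESI holding a Unicode-expanded pattern: each
 * fill byte becomes a UTF-16LE code unit, so a 32-bit register reads
 * 0x00XX00XX. 'A' gives 0x00410041; the PoC's 00400040 is a 0x40 fill byte. */
static uint32_t utf16le_register_value(char fill)
{
    uint32_t c = (uint8_t)fill;
    return c | (c << 16);
}

int main(void)
{
    char line[4096], out[RCPT_BUF];
    size_t len = build_rcpt_probe(line, sizeof line, 1000, 'A');
    printf("probe: %zu-byte line; vulnerable sprintf overruns by %zu bytes\n",
           len, vulnerable_overrun(1000));
    printf("hardened reply to probe: %d\n", rcpt_to_hardened(line, out, sizeof out));
    printf("hardened reply to normal RCPT: %d\n",
           rcpt_to_hardened("RCPT TO:<user@example.test>\r\n", out, sizeof out));
    printf("register pattern for 'A' fill: 0x%08x\n", utf16le_register_value('A'));
    rcpt_to_vulnerable("<user@example.test>");   /* short constant: safe */
    return 0;
}
```

Build with `cc -Wall rcpt_demo.c` (file name assumed). The 300-byte probe is the instructive case: a 311-byte line passes the RFC 5321 line limit, so only the `snprintf` bound in `rcpt_to_hardened` stops it from overrunning a 256-byte buffer; checking the wire limit alone would not have prevented this bug class.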
No writeups or analysis indexed.
References
http://secunia.com/advisories/22563
http://securitytracker.com/id?1017114
http://www.securityfocus.com/bid/20681
http://www.vupen.com/english/advisories/2006/4169
https://www.exploit-db.com/exploits/2625