CVE-2007-3925
Published 2007-07-21
Priority P3 · 59 · CVSS 2.0 score 6.5 (medium) · vector AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit available · EPSS 84.67% (99.7th percentile)
Multiple buffer overflows in the IMAP service (imapd32.exe) in Ipswitch IMail Server 2006 before 2006.21 allow remote authenticated users to execute arbitrary code via the (1) Search or (2) Search Charset command.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | imail_server | <= 2006.2 | — |
| ipswitch | ipswitch_collaboration_suite | <= 2006.2 | — |
Detection & IOCs (extracted from sources)
Byte sequence: `\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xb6\x78\xf8\x75`
- Detect oversized IMAP SEARCH command arguments on port 143; legitimate SEARCH arguments are short, while exploit payloads are hundreds of bytes long.
- The exploit requires at least one message in the mailbox to succeed; correlate failed SEARCH attempts with mailbox state.
- Monitor for bind-shell connections on port 1154 following IMAP SEARCH anomalies, as the public PoC shellcode binds a shell on that port.
- Known bad characters in the exploit payload are 0x00, 0x0a, 0x0d, 0x20, 0x0b, 0x09, 0x0c; payloads will avoid these bytes, which can aid in distinguishing encoded shellcode from normal traffic.
- The Metasploit module prepends a stack-adjustment stub (\x81\xc4\xff\xef\xff\xff\x44) before the encoder; presence of this byte sequence in IMAP traffic is a strong indicator of exploitation.
- Exploitation requires the targeted IMAP account to have at least one message in the mailbox; unauthenticated or empty-mailbox attempts will not trigger the overflow.
- Exploitation requires valid IMAP credentials (remote authenticated users only); unauthenticated access cannot trigger the vulnerability.
No detection rules found.
Exploit-DB · 2010-06-15 · CVE-2007-3925
Ipswitch IMail Server - IMAP SEARCH Buffer Overflow (Metasploit)
---
Module header (excerpt, truncated in the indexed source):

```ruby
##
# $Id: ipswitch_search.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Imap

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Ipswitch IMail IMAP SEARCH Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH
        verb. By sending an overly long string, an attacker can overwrite the
        buffer and control program execution.

        In order for this module to be successful, the IMAP user must have at least one
        message.
      },
      'Author'      =>
```
Exploit-DB · 2007-07-25 · CVE-2007-3925
IPSwitch IMail Server 2006 - SEARCH Remote Stack Overflow
---
Exploit header (excerpt, truncated in the indexed source):

```perl
#!/usr/bin/perl
#
# Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit
# Author: ZhenHan.Liu#ph4nt0m.org
# Date: 2007-07-25
# Team: Ph4nt0m Security Team (http://www.ph4nt0m.org)
#
# Vuln Found by: Manuel Santamarina Suarez
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563
#
# The Vuln code is here (imap4d32.exe version 6.8.8.1)
# 00418CCA |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8]
# 00418CD0 |. 0FBE11 |MOVSX EDX,BYTE PTR DS:[ECX]
# 00418CD3 |. 83FA 22 |CMP EDX,22
# 00418CD6 |. 75 2A |JNZ SHORT IMAP4D32.00418D02
# 00418CD8 |. 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
# 00418CDE |. 50 |PUSH EAX ; /String
# 00418CDF |. FF15 84004300 |CALL DWORD PTR DS:[>; \lstrlenA
# 00418C
```
Metasploit · Ipswitch IMail IMAP SEARCH Buffer Overflow
This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. In order for this module to be successful, the IMAP user must have at least one message.
No writeups or analysis indexed.
References
- http://docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563
- http://secunia.com/advisories/26123
- http://www.securityfocus.com/bid/24962
- http://www.securitytracker.com/id?1018419
- http://www.vupen.com/english/advisories/2007/2574
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35496
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35500