CVE-2007-3927
Published 2007-07-21
Priority P259, critical, 10 (CVSS 2.0), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 21.89% (97.3th percentile)
Multiple buffer overflows in Ipswitch IMail Server 2006 before 2006.21 (1) allow remote attackers to execute arbitrary code via unspecified vectors in Imailsec and (2) allow attackers to have an unknown impact via an unspecified vector related to "subscribe."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | imail_server | <= 2006.2 | — |
| ipswitch | ipswitch_collaboration_suite | <= 2006.2 | — |
Detection & IOCs (extracted from sources)
command: 3 SUBSCRIBE "#IMAILPUB<NOP sled><shellcode>\x90\x90\xeb\x06<opcode>\x90\x90\x90\x90\xE9\x44\xfd\xff\xff<NOP tail>"
bytes: \x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x41\xd1\xfd\xbc
bytes: \x60\x1A\x9C\x76
- Exploit targets IMAP SUBSCRIBE command with an oversized mailbox name argument beginning with the literal string '#IMAILPUB' followed by a large NOP sled (~264991 bytes) and shellcode; detect abnormally large IMAP SUBSCRIBE requests on port 143.
- Shellcode opens a bind shell on TCP port 22 (win32_bind LPORT=22); post-exploitation, watch for unexpected LISTENING state on port 22 on Windows IMail servers.
- Affected process is imap4d32.exe version 6.8.8.1 on IMail Server 2006 (9.10); monitor this process for crashes or unexpected child process spawning.
- Exploit requires a valid IMAP account credential on the target server; unauthenticated exploitation is not demonstrated.
- The ROP/return opcode 0x769C1A60 is specific to Windows 2003 Chinese SP1; the exploit may not work or may need a different opcode on other Windows versions/locales.
- CVE-2007-3927 covers two separate overflow vectors (Imailsec and subscribe); this exploit only demonstrates the SUBSCRIBE/IMAP vector. The Imailsec vector details remain unspecified.
References
- http://docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease
- http://osvdb.org/45818
- http://osvdb.org/45819
- http://secunia.com/advisories/26123
- http://www.securityfocus.com/bid/24962
- http://www.securitytracker.com/id?1018421
- http://www.vupen.com/english/advisories/2007/2574
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35504
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35505