CVE-2007-5466
published 2007-10-15


Priority: P258 · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 19.89% (97.1st percentile)
Multiple buffer overflows in eXtremail 2.1.1 and earlier allow remote attackers to (1) have an unknown impact by sending multiple long strings to the IMAP port (143/tcp); (2) execute arbitrary code via a long string in an IMAP AUTHENTICATE PLAIN action, involving the ifParseAuthPlain function; (3) execute arbitrary code via a long LOGIN command to the admin interface port (4501/tcp); or (4) execute arbitrary code via a long string in an IMAP AUTHENTICATE LOGIN (aka CRAM-MD5 authentication) action, involving the ifProcImapAuth1 function.

Affected

1 range

Vendor      Product     Version range   Fixed in
extremail   extremail   <= 2.1.1        (none listed)

Detection & IOCs (extracted from sources)

port: 143/tcp
port: 4501/tcp
port: 4444
command: 1 AUTHENTICATE PLAIN
command: LOGIN <buf> digit-labs.org
bytes: \x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80
bytes: \x8b\x44\x24\x08\x40\xff\xe0
  • Detect exploitation of the IMAP AUTHENTICATE PLAIN overflow by monitoring for oversized base64-encoded payloads sent immediately after the '1 AUTHENTICATE PLAIN' command on port 143/tcp, targeting the ifParseAuthPlain function.
  • Detect exploitation of the IMAP AUTHENTICATE LOGIN (CRAM-MD5) overflow by monitoring for oversized responses to the authentication challenge on port 143/tcp, targeting the ifProcImapAuth1 function.
  • Detect exploitation of the admin interface overflow by monitoring for oversized LOGIN commands on port 4501/tcp; the exploit sends 'LOGIN <large_buf> digit-labs.org\n'.
  • After successful exploitation, the bind shellcode opens a listening shell on port 4444/tcp; monitor for unexpected inbound connections to port 4444 on eXtremail server hosts.
  • The Linux bind shellcode contains the byte sequence \x66\x68\x11\x5c which encodes port 4444 (0x115c) in the socket bind call; scan network captures for this shellcode signature on IMAP or admin port traffic.
  • The heap overflow PoC sends a payload starting with a null byte followed by 0x2710-1 NOP bytes, then repeats 0x2710-byte NOP blocks in a loop; detect abnormally large IMAP session data bursts on port 143/tcp.
  • The exploit targets two specific eXtremail versions with hardcoded return addresses; the fp value 0x08216357 is for version 2.1.1 and 0x08216377 is for version 2.1.0 (tar.gz builds). These addresses will not be valid for other builds or distributions.
  • The AUTHENTICATE PLAIN exploit uses a fixed buffer size of 256 bytes for the overflow payload; the admin LOGIN exploit uses a buffer size of 788 bytes. Detection thresholds should account for these sizes.
  • The return pointer for the admin LOGIN exploit (extremail-v4.c) is derived from 'objdump -D smtpd | grep "ff e4"', meaning the fp values are specific to the unmodified tar.gz distribution binaries of eXtremail 2.1.1 and 2.1.0.
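The detection heuristics above (oversized AUTHENTICATE PLAIN response, oversized admin LOGIN, and the port-4444 bind signature \x66\x68\x11\x5c) can be turned into a small session checker. The code below is an added example, not part of this record or of eXtremail; the length thresholds AUTH_PLAIN_MAX and ADMIN_LOGIN_MAX are assumptions chosen to sit below the 256-byte and 788-byte payload sizes the record states, and the sample sessions are constructed here for illustration.

```python
import base64
import re

# Thresholds are assumptions: the record states a 256-byte AUTHENTICATE PLAIN
# payload and a 788-byte admin LOGIN buffer, so alert well below those sizes.
AUTH_PLAIN_MAX = 200
ADMIN_LOGIN_MAX = 512

# "pushw 0x115c" from the record's bind shellcode: encodes listening port 4444.
BIND_PORT_SIG = b"\x66\x68\x11\x5c"


def check_imap_session(lines):
    """Inspect raw client lines of one port-143 session.

    The line after '<tag> AUTHENTICATE PLAIN' is the client's base64 SASL
    response; it is checked for size and for the bind-shell port signature
    (both in its raw and its decoded form). Returns a list of alert strings.
    """
    alerts = []
    expecting_plain = False
    for raw in lines:
        line = raw.rstrip(b"\r\n")
        if expecting_plain:
            expecting_plain = False
            if len(line) > AUTH_PLAIN_MAX:
                alerts.append(
                    f"oversized AUTHENTICATE PLAIN response ({len(line)} bytes)")
            try:
                decoded = base64.b64decode(line, validate=True)
            except (ValueError, base64.binascii.Error):
                decoded = b""
            if BIND_PORT_SIG in decoded or BIND_PORT_SIG in line:
                alerts.append(
                    "bind-shell port 4444 signature in AUTHENTICATE payload")
            continue
        if re.match(rb"^\S+\s+AUTHENTICATE\s+PLAIN\s*$", line, re.I):
            expecting_plain = True
    return alerts


def check_admin_login(line):
    """Inspect one line sent to the admin interface on 4501/tcp.

    Flags 'LOGIN <user> <domain>' when the user field is abnormally long.
    Returns an alert string or None.
    """
    m = re.match(rb"^LOGIN\s+(\S+)\s+(\S+)$", line.rstrip(b"\r\n"))
    if m and len(m.group(1)) > ADMIN_LOGIN_MAX:
        return f"oversized admin LOGIN user field ({len(m.group(1))} bytes)"
    return None


# Constructed sample traffic (not captured data).
BENIGN_SESSION = [
    b"a001 CAPABILITY\r\n",
    b"a002 AUTHENTICATE PLAIN\r\n",
    base64.b64encode(b"\x00alice\x00hunter2") + b"\r\n",
]
_SUSPECT_PAYLOAD = b"\x00" + b"\x90" * 300 + BIND_PORT_SIG + b"A" * 40
SUSPECT_SESSION = [
    b"1 AUTHENTICATE PLAIN\r\n",
    base64.b64encode(_SUSPECT_PAYLOAD) + b"\r\n",
]
BENIGN_ADMIN = b"LOGIN admin digit-labs.org\n"
SUSPECT_ADMIN = b"LOGIN " + b"A" * 788 + b" digit-labs.org\n"

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("suspect", SUSPECT_SESSION)):
        print(name, check_imap_session(session))
    print("admin benign:", check_admin_login(BENIGN_ADMIN))
    print("admin suspect:", check_admin_login(SUSPECT_ADMIN))
```

The checker keys on protocol state (the response that follows the AUTHENTICATE PLAIN command) rather than on raw line length alone, so ordinary long but well-formed commands elsewhere in the session do not trip it; the shellcode signature is matched after base64 decoding because the overflow payload travels inside the SASL response.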