CVE-2008-1358
published 2008-03-17


Priority: P3, 54, medium, 6.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 57.07% (98.9th percentile)
Stack-based buffer overflow in the IMAP server in Alt-N Technologies MDaemon 9.6.4 allows remote authenticated users to execute arbitrary code via a FETCH command with a long BODY.

Affected

Vendor | Product | Version range | Fixed in
altn | mdaemon | |

Detection & IOCs (extracted from sources)

registry: 0x64dc118b
bytes: \x8b\x11\xdc\x64
bytes: \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78
  • Detect exploitation attempts by monitoring IMAP FETCH commands with anomalously long BODY[] arguments (SEH overwrite occurs at 532 bytes; exploit sends 528 'A' bytes + SEH overwrite + NOP sled + shellcode).
  • Banner-check: vulnerable MDaemon IMAP servers respond with the string 'IMAP4rev1 MDaemon 9.6.4 ready' — use this for version fingerprinting and asset identification.
  • The SEH overwrite uses a pop/pop/ret gadget from HashCash.dll (address 0x64dc118b). Presence of this return address in network traffic or memory is a strong exploit indicator.
  • The bind-shell payload listens on TCP port 4444; monitor for unexpected outbound connections or new listeners on port 4444 on MDaemon server hosts post-exploitation.
  • Payload bad characters for this exploit are null byte, newline, ']', and ')' — any IMAP FETCH BODY[] argument containing these characters is likely not this exploit, but their absence in a long buffer is suspicious.
  • Exploitation requires valid (post-authentication) IMAP credentials — unauthenticated scanning alone is insufficient to trigger the vulnerability.
  • The exploit requires at least one message to exist in the Inbox (or appends one via IMAP APPEND) before sending the malicious FETCH — detection rules should account for the APPEND step as a precursor.
  • The SEH overwrite gadget address (0x64dc118b) is specific to HashCash.dll as shipped with MDaemon 9.6.4; different builds or patched versions will have a different address, so this exact byte sequence is version-specific.
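
The detection notes above can be combined into one check over a captured client command stream. This is an added example, not code from this page or from any vendor; the 256-byte threshold, the function name and the sample session are assumptions constructed for illustration.

```python
import re

# Assumption: legitimate section specifiers (HEADER, TEXT, 1.2.MIME, short
# HEADER.FIELDS lists) stay far below this; the page puts the SEH overwrite
# at 532 bytes.
MAX_SECTION_LEN = 256
# Address 0x64dc118b in little-endian order, as listed on the page.
SEH_GADGET_LE = b"\x8b\x11\xdc\x64"

FETCH_RE = re.compile(
    rb"^\S+ (?:UID )?FETCH \S+ .*?BODY(?:\.PEEK)?\[([^\]\r\n]*)", re.I)
APPEND_RE = re.compile(rb"^\S+ APPEND ", re.I)


def scan_session(lines):
    """Return one finding per oversized FETCH BODY[] in one session's commands."""
    findings = []
    append_seen = False
    for lineno, raw in enumerate(lines, 1):
        if APPEND_RE.match(raw):
            append_seen = True  # precursor step noted in the list above
            continue
        m = FETCH_RE.match(raw)
        if not m or len(m.group(1)) < MAX_SECTION_LEN:
            continue
        section = m.group(1)
        findings.append({
            "line": lineno,
            "section_len": len(section),
            "append_precursor": append_seen,
            "gadget_bytes": SEH_GADGET_LE in section,
            # Long legitimate HEADER.FIELDS lists contain ')'; filler avoids it.
            "no_paren": b")" not in section,
        })
    return findings


# Constructed sample session (client-to-server lines only, not real traffic).
SAMPLE_SESSION = [
    b"a1 LOGIN user@example.test ********\r\n",
    b"a2 SELECT Inbox\r\n",
    b"a3 FETCH 1 (FLAGS BODY.PEEK[HEADER.FIELDS (From To Subject)])\r\n",
    b"a4 APPEND Inbox {12}\r\n",
    b"a5 FETCH 1 BODY[" + b"A" * 600 + b"]\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```

Because the gadget address is specific to the 9.6.4 build, treat `gadget_bytes` as corroboration and alert on the length condition alone.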