CVE-2008-1358
Published: 2008-03-17
Priority: P3 · 54 · medium · 6.5 CVSS 2.0
CVSS vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 57.07% (98.9th percentile)
Stack-based buffer overflow in the IMAP server in Alt-N Technologies MDaemon 9.6.4 allows remote authenticated users to execute arbitrary code via a FETCH command with a long BODY.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| altn | mdaemon | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x8b\x11\xdc\x64
- bytes: \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78
- Detect exploitation attempts by monitoring IMAP FETCH commands with anomalously long BODY[] arguments (SEH overwrite occurs at 532 bytes; exploit sends 528 'A' bytes + SEH overwrite + NOP sled + shellcode).
- Banner check: vulnerable MDaemon IMAP servers respond with the string 'IMAP4rev1 MDaemon 9.6.4 ready'. Use this for version fingerprinting and asset identification.
- The SEH overwrite uses a pop/pop/ret gadget from HashCash.dll (address 0x64dc118b). Presence of this return address in network traffic or memory is a strong exploit indicator.
- The bind-shell payload listens on TCP port 4444; monitor for unexpected outbound connections or new listeners on port 4444 on MDaemon server hosts post-exploitation.
- Payload bad characters for this exploit are null byte, newline, ']', and ')'. Any IMAP FETCH BODY[] argument containing these characters is likely not this exploit, but their absence in a long buffer is suspicious.
- Exploitation requires valid (post-authentication) IMAP credentials; unauthenticated scanning alone is insufficient to trigger the vulnerability.
- The exploit requires at least one message to exist in the Inbox (or appends one via IMAP APPEND) before sending the malicious FETCH. Detection rules should account for the APPEND step as a precursor.
- The SEH overwrite gadget address (0x64dc118b) is specific to HashCash.dll as shipped with MDaemon 9.6.4; different builds or patched versions will have a different address, so this exact byte sequence is version-specific.
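The checks listed above, combined into one session scanner as an added example (not a rule from this page or from any indexed source). It flags FETCH commands whose BODY[] section is anomalously long, and records whether the length reaches the reported SEH offset, whether the gadget bytes appear, and whether an APPEND preceded it. MAX_SECTION_LEN, the function names and the sample sessions are assumptions made for illustration.

```python
import re
import struct

# Values below come from the notes above, except MAX_SECTION_LEN (assumed threshold).
SEH_OFFSET = 532                           # reported SEH overwrite offset
GADGET = struct.pack("<I", 0x64DC118B)     # HashCash.dll address, little-endian
VULN_BANNER = b"IMAP4rev1 MDaemon 9.6.4 ready"
MAX_SECTION_LEN = 256                      # assumption: real BODY[] sections are short

CMD_RE = re.compile(rb"^(\S+) (?:UID )?(\w+)", re.I)
BODY_RE = re.compile(rb"BODY(?:\.PEEK)?\[([^\]\n]*)", re.I)


def is_vulnerable_banner(banner: bytes) -> bool:
    """Fingerprint the greeting line of the affected build."""
    return VULN_BANNER in banner


def scan_session(lines):
    """Return alerts for one IMAP session's client command lines (bytes)."""
    alerts, saw_append = [], False
    for n, line in enumerate(lines, 1):
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd = m.group(2).upper()
        if cmd == b"APPEND":
            saw_append = True              # precursor step described above
        elif cmd == b"FETCH":
            for sec in BODY_RE.findall(line):
                if len(sec) > MAX_SECTION_LEN:
                    alerts.append({
                        "line": n,
                        "section_len": len(sec),
                        "reaches_seh": len(sec) >= SEH_OFFSET,
                        "gadget_seen": GADGET in sec,
                        "append_before": saw_append,
                    })
    return alerts


# Constructed sample sessions (filler bytes only, not captured traffic).
BENIGN = [b"a1 LOGIN user pass", b"a2 SELECT INBOX",
          b"a3 FETCH 1 (BODY[HEADER.FIELDS (FROM SUBJECT)])"]
SUSPECT = [b"b1 LOGIN user pass", b"b2 APPEND INBOX {10}",
           b"b3 FETCH 1 (BODY[" + b"X" * 532 + GADGET + b"X" * 64 + b"])"]
```

A long section alone is worth an alert on any build; the gadget match only applies to MDaemon 9.6.4 as shipped, for the reason given in the last note above.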
No detection rules found.
Exploit-DB
Alt-N MDaemon 9.6.4 - IMAPD FETCH Buffer Overflow (Metasploit)
exploitdb·2010-06-15
---
##
# $Id: mdaemon_fetch.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MDaemon 9.6.4 IMAPD FETCH Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server
version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP
account credentials are required. Credit to Matteo Memelli
},
'Author' => [ 'Jacopo Cervini', 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision
Exploit-DB
Alt-N MDaemon IMAP server 9.6.4 - 'FETCH' Remote Buffer Overflow
exploitdb·2008-03-13
---
#!/usr/bin/python
###############################################################################
#
# MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND UNIVERSAL EXPLOIT 0day
# Bug discovered and coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : MDaemon IMAP server v9.6.4
# Tested on OS : Windows 2000 SP4 English
# Windows XP Sp2 English
# Windows 2003 Standard Edition Italian
# Discovery Date : 03/13/2008
#
#-----------------------------------------------------------------------------
#
# muts AS YOU CAN SEE, I ALWAYS MAINTAIN MY PROMISES! LOL
#
# Thx to Silvia for feeding my obsessions
# Thx to didNot at #offsec
# (yes he doesn't look like Silvia but he's a
Metasploit
MDaemon 9.6.4 IMAPD FETCH Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP account credentials are required. Credit to Matteo Memelli
No writeups or analysis indexed.
- http://files.altn.com/MDaemon/Release/RelNotes_en.txt
- http://secunia.com/advisories/29382
- http://www.be4mind.com/?q=node/256
- http://www.securityfocus.com/bid/28245
- http://www.securitytracker.com/id?1019615
- http://www.vupen.com/english/advisories/2008/0877/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41195
- https://www.exploit-db.com/exploits/5248