CVE-2000-0284 - Buffer Overflow vulnerability in University of Washington Imap 12.264
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Exploit-Db
description | IMAP4rev1 12.261/12.264/2000.284 (lsub) Remote Exploit. CVE-2000-0284. Remote exploit for linux platform |
id | EDB-ID:284 |
last seen | 2016-01-31 |
modified | 2001-03-03 |
published | 2001-03-03 |
reporter | SkyLaZarT |
source | https://www.exploit-db.com/download/284/ |
title | IMAP4rev1 12.261/12.264/2000.284 - lsub Remote Exploit |

description | University of Washington imap LSUB Buffer Overflow. CVE-2000-0284. Remote exploit for linux platform |
id | EDB-ID:10025 |
last seen | 2016-02-01 |
modified | 2000-04-16 |
published | 2000-04-16 |
reporter | patrick |
source | https://www.exploit-db.com/download/10025/ |
title | University of Washington - imap LSUB Buffer Overflow |

description | WU-IMAP 2000.287(1-2) Remote Exploit. CVE-2000-0284. Remote exploit for linux platform |
id | EDB-ID:397 |
last seen | 2016-01-31 |
modified | 2002-06-25 |
published | 2002-06-25 |
reporter | Teso |
source | https://www.exploit-db.com/download/397/ |
title | WU-IMAP 2000.2871-2 Remote Exploit |

description | UoW imapd 10.234/12.264 COPY Buffer Overflow (meta). CVE-2000-0284. Remote exploit for unix platform |
id | EDB-ID:19849 |
last seen | 2016-02-02 |
modified | 2000-04-16 |
published | 2000-04-16 |
reporter | vlad902 |
source | https://www.exploit-db.com/download/19849/ |
title | UoW imapd 10.234/12.264 COPY Buffer Overflow meta |

description | UoW imapd 10.234/12.264 LSUB Buffer Overflow (meta). CVE-2000-0284. Remote exploit for unix platform |
id | EDB-ID:19848 |
last seen | 2016-02-02 |
modified | 2000-04-16 |
published | 2000-04-16 |
reporter | vlad902 |
source | https://www.exploit-db.com/download/19848/ |
title | UoW imapd 10.234/12.264 LSUB Buffer Overflow meta |

description | UoW IMAP server LSUB Buffer Overflow. CVE-2000-0284. Remote exploit for linux platform |
id | EDB-ID:16846 |
last seen | 2016-02-02 |
modified | 2010-03-26 |
published | 2010-03-26 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16846/ |
title | UoW IMAP server LSUB Buffer Overflow |

description | UoW imapd 10.234/12.264 Buffer Overflow. CVE-2000-0284. Remote exploit for unix platform |
id | EDB-ID:19847 |
last seen | 2016-02-02 |
modified | 2002-08-01 |
published | 2002-08-01 |
reporter | Gabriel A. Maggiotti |
source | https://www.exploit-db.com/download/19847/ |
title | UoW imapd 10.234/12.264 - Buffer Overflow Vulnerabilities |

description | IMAP4rev1 10.190 Authentication Stack Overflow Exploit. CVE-2000-0284. Remote exploit for linux platform |
id | EDB-ID:253 |
last seen | 2016-01-31 |
modified | 2001-01-19 |
published | 2001-01-19 |
reporter | teleh0r |
source | https://www.exploit-db.com/download/253/ |
title | IMAP4rev1 10.190 - Authentication Stack Overflow Exploit |
Metasploit
description | This module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. This vulnerability can only be exploited with a valid username and password. |
id | MSF:EXPLOIT/LINUX/IMAP/IMAP_UW_LSUB |
last seen | 2020-03-13 |
modified | 2017-11-08 |
published | 2008-07-06 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0284 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/imap/imap_uw_lsub.rb |
title | UoW IMAP Server LSUB Buffer Overflow |
Nessus
NASL family | Gain a shell remotely |
NASL id | UW_IMAP_OVERFLOW_TWO.NASL |
description | There is a buffer overflow in the remote imap server which allows an authenticated user to obtain a remote shell. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10374 |
published | 2000-04-18 |
reporter | This script is Copyright (C) 2000-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10374 |
title | UoW imapd (UW-IMAP) Multiple Command Remote Overflows (2) |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
  script_id(10374);
  script_version ("1.28");
  script_cve_id("CVE-2000-0284");
  script_bugtraq_id(1110);
  script_name(english:"UoW imapd (UW-IMAP) Multiple Command Remote Overflows (2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by multiple issues." );
  script_set_attribute(attribute:"description", value:
"There is a buffer overflow in the remote imap server which allows an authenticated user to obtain a remote shell." );
  script_set_attribute(attribute:"solution", value:
"Upgrade your imap server or use another one." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'UoW IMAP Server LSUB Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2000/04/18");
  script_set_attribute(attribute:"vuln_publication_date", value: "2000/04/16");
  script_cvs_date("Date: 2018/08/06 14:03:14");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"checks for a buffer overflow in imapd");
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
  script_family(english:"Gain a shell remotely");
  script_dependencie("find_service1.nasl", "logins.nasl");
  script_require_ports("Services/imap", 143);
  script_exclude_keys("imap/false_imap");
  script_require_keys("imap/login", "imap/password");
  exit(0);
}

acct = get_kb_item("imap/login");
pass = get_kb_item("imap/password");

if((acct == "")||(pass == ""))exit(0);

port = get_kb_item("Services/imap");
if(!port)port = 143;

if(get_port_state(port))
{
  soc = open_sock_tcp(port);
  b = recv_line(socket:soc, length:1024);
  if(!strlen(b)){
    close(soc);
    exit(0);
  }
  s1 = string("1 login ", acct, " ", pass, "\r\n");
  send(socket:soc, data:s1);
  b = recv_line(socket:soc, length:1024);
  s2 = string("1 list ", raw_string(0x22, 0x22), " ", crap(4096), "\r\n");
  send(socket:soc, data:s2);
  c = recv_line(socket:soc, length:1024);
  if(strlen(c) == 0)security_hole(port);
  close(soc);
}
```
NASL family | Gain a shell remotely |
NASL id | IMAP4_REV1_OVERFLOW.NASL |
description | The remote host appears to be running UoW IMAP Server. The installed version is affected by a buffer overflow vulnerability because the software fails to verify input length of arguments to the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10625 |
published | 2001-03-01 |
reporter | This script is Copyright (C) 2001-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10625 |
title | UoW imapd (UW-IMAP) Multiple Command Remote Overflows |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
  script_id(10625);
  script_version ("1.29");
  script_cve_id("CVE-2000-0284");
  script_bugtraq_id(1110);
  script_name(english:"UoW imapd (UW-IMAP) Multiple Command Remote Overflows");

  script_set_attribute(attribute:"synopsis", value:
"The remote IMAP server is affected by multiple remote buffer overflow vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running UoW IMAP Server. The installed version is affected by a buffer overflow vulnerability because the software fails to verify input length of arguments to the 'LIST', 'COPY', 'RENAME', 'FIND', 'LSUB' commands. An attacker, exploiting this flaw could execute arbitrary commands subject to the privileges of the connected user." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Apr/63" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Apr/74" );
  script_set_attribute(attribute:"see_also", value:"https://packetstormsecurity.com/0104-exploits/imap-lsub.pl" );
  script_set_attribute(attribute:"see_also", value:"http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=2442" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to imap-2000 or higher, as this reportedly fixes the issue." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'UoW IMAP Server LSUB Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2001/03/01");
  script_set_attribute(attribute:"vuln_publication_date", value: "2000/04/16");
  script_cvs_date("Date: 2018/11/15 20:50:22");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"checks for a buffer overflow in imapd");
  script_category(ACT_MIXED_ATTACK); # mixed
  script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
  script_family(english:"Gain a shell remotely");
  script_dependencie("find_service1.nasl", "logins.nasl");
  script_require_ports("Services/imap", 143);
  script_exclude_keys("imap/false_imap");
  exit(0);
}

#
# The script code starts here
#

port = get_kb_item("Services/imap");
if(!port)port = 143;

acct = get_kb_item("imap/login");
pass = get_kb_item("imap/password");

if((!pass) || (safe_checks()))
{
  banner = get_kb_item(string("imap/banner/", port));
  if(!banner)
  {
    if(get_port_state(port))
    {
      soc = open_sock_tcp(port);
      if(!soc)exit(0);
      banner = recv_line(socket:soc, length:4096);
      close(soc);
    }
  }
  if("IMAP4rev" >< banner)
  {
    if(ereg(pattern:".*IMAP4rev.* v12\.([0-1].*|2([0-5].*|6[0-4]))", string:banner))
    {
      alrt = string(
        "\n",
        "*** Nessus solely relied on the server banner to \n",
        "*** issue this warning.\n",
        "\n"
      );
      security_hole(port:port, extra:alrt);
    }
  }
  exit(0);
}

if((acct == "")||(pass == ""))exit(0);

if(get_port_state(port))
{
  soc = open_sock_tcp(port);
  b = recv_line(socket:soc, length:1024);
  if(!strlen(b)){
    close(soc);
    exit(0);
  }
  s1 = string("1 login ", acct, " ", pass, "\r\n");
  send(socket:soc, data:s1);
  b = recv_line(socket:soc, length:1024);
  s2 = string("1 lsub ", raw_string(0x22, 0x22), " {1064}\r\n");
  send(socket:soc, data:s2);
  c = recv_line(socket:soc, length:1024);
  s3 = string(crap(1064), "\r\n");
  send(socket:soc, data:s3);
  c = recv_line(socket:soc, length:1024);
  if(strlen(c) == 0)security_hole(port);
  close(soc);
}
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/82240/imap_uw_lsub.rb.txt |
id | PACKETSTORM:82240 |
last seen | 2016-12-05 |
published | 2009-10-27 |
reporter | patrick |
source | https://packetstormsecurity.com/files/82240/UoW-IMAP-Server-LSUB-Buffer-Overflow.html |
title | UoW IMAP Server LSUB Buffer Overflow |