Vulnerabilities > CVE-2005-2661 - Remote Format String vulnerability in Up-Imapproxy 1.2.3/1.2.4
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Format string vulnerability in the ParseBannerAndCapability function in main.c for up-imapproxy 1.2.3 and 1.2.4 allows remote IMAP servers to execute arbitrary code via format string specifiers in a banner or capability line.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Exploit-Db
| description | Up-IMAPProxy 1.2.3/1.2.4 Multiple Unspecified Remote Format String Vulnerabilities. CVE-2005-2661. Dos exploit for linux platform |
| id | EDB-ID:26340 |
| last seen | 2016-02-03 |
| modified | 2005-10-10 |
| published | 2005-10-10 |
| reporter | Steve Kemp |
| source | https://www.exploit-db.com/download/26340/ |
| title | Up-IMAPProxy 1.2.3/1.2.4 - Multiple Unspecified Remote Format String Vulnerabilities |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200603-04.NASL description The remote host is affected by the vulnerability described in GLSA-200603-04 (IMAP Proxy: Format string vulnerabilities) Steve Kemp discovered two format string errors in IMAP Proxy. Impact : A remote attacker could design a malicious IMAP server and entice someone to connect to it using IMAP Proxy, resulting in the execution of arbitrary code with the rights of the victim user. Workaround : Only connect to trusted IMAP servers using IMAP Proxy. last seen 2020-06-01 modified 2020-06-02 plugin id 21021 published 2006-03-07 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21021 title GLSA-200603-04 : IMAP Proxy: Format string vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200603-04. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(21021); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2005-2661"); script_xref(name:"GLSA", value:"200603-04"); script_name(english:"GLSA-200603-04 : IMAP Proxy: Format string vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200603-04 (IMAP Proxy: Format string vulnerabilities) Steve Kemp discovered two format string errors in IMAP Proxy. Impact : A remote attacker could design a malicious IMAP server and entice someone to connect to it using IMAP Proxy, resulting in the execution of arbitrary code with the rights of the victim user. Workaround : Only connect to trusted IMAP servers using IMAP Proxy." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200603-04" ); script_set_attribute( attribute:"solution", value: "All IMAP Proxy users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-mail/up-imapproxy-1.2.4'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:up-imapproxy"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/03/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/03/07"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/09"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-mail/up-imapproxy", unaffected:make_list("ge 1.2.4"), vulnerable:make_list("lt 1.2.4"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "IMAP Proxy"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-852.NASL description Steve Kemp discovered two format string vulnerabilities in up-imapproxy, an IMAP protocol proxy, which may lead remote attackers to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 19960 published 2005-10-11 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19960 title Debian DSA-852-1 : up-imapproxy - format string vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-852. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(19960); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2005-2661"); script_xref(name:"DSA", value:"852"); script_name(english:"Debian DSA-852-1 : up-imapproxy - format string vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Steve Kemp discovered two format string vulnerabilities in up-imapproxy, an IMAP protocol proxy, which may lead remote attackers to the execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-852" ); script_set_attribute( attribute:"solution", value: "Upgrade the imapproxy package. The old stable distribution (woody) is not affected by these problems. For the stable distribution (sarge) these problems have been fixed in version 1.2.3-1sarge1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:up-imapproxy"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/09"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"imapproxy", reference:"1.2.3-1sarge1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://secunia.com/advisories/17100/
- http://secunia.com/advisories/17120
- http://secunia.com/advisories/19113
- http://securityreason.com/securityalert/547
- http://www.debian.org/security/2005/dsa-852
- http://www.gentoo.org/security/en/glsa/glsa-200603-04.xml
- http://www.securityfocus.com/bid/15048
- http://www.vupen.com/english/advisories/2005/2014
- http://www.vupen.com/english/advisories/2005/2015