CVE-2006-2502 - Remote Buffer Overflow vulnerability in Cyrus Imapd 2.3.2
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow. CVE-2006-2502. Remote exploit for linux platform |
id | EDB-ID:16836 |
last seen | 2016-02-02 |
modified | 2010-04-30 |
published | 2010-04-30 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16836/ |
title | Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow |

description | Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3). CVE-2006-2502. Remote exploit for linux platform |
id | EDB-ID:2185 |
last seen | 2016-01-31 |
modified | 2006-08-14 |
published | 2006-08-14 |
reporter | K-sPecial |
source | https://www.exploit-db.com/download/2185/ |
title | Cyrus IMAPD 2.3.2 pop3d Remote Buffer Overflow Exploit 3 |

description | Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit. CVE-2006-2502. Remote exploit for linux platform |
id | EDB-ID:1813 |
last seen | 2016-01-31 |
modified | 2006-05-21 |
published | 2006-05-21 |
reporter | kingcope |
source | https://www.exploit-db.com/download/1813/ |
title | Cyrus IMAPD 2.3.2 pop3d Remote Buffer Overflow Exploit |
Metasploit
description | This exploit takes advantage of a stack-based overflow. Once the stack corruption has occurred, it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write-anything-anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with a version containing the vulnerable code, it is not exploitable due to the use of the FORTIFY_SOURCE compiler enhancement. |
id | MSF:EXPLOIT/LINUX/POP3/CYRUS_POP3D_POPSUBFOLDERS |
last seen | 2020-06-01 |
modified | 2017-07-24 |
published | 2009-12-15 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb |
title | Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow |
Packetstorm
data source | https://packetstormsecurity.com/files/download/84584/cyrus_pop3d_popsubfolders.rb.txt |
id | PACKETSTORM:84584 |
last seen | 2016-12-05 |
published | 2009-12-31 |
reporter | bannedit |
source | https://packetstormsecurity.com/files/84584/Cyrus-IMAPD-pop3d-popsubfolders-USER-Buffer-Overflow.html |
title | Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow |
Saint
bid | 18056 |
description | Cyrus IMAP pop3d popsubfolders buffer overflow |
id | mail_pop_cyruspopsub |
osvdb | 25853 |
title | cyrus_imap_pop3d_subfolders |
type | remote |

bid | 18056 |
description | Cyrus IMAP pop3d popsubfolders buffer overflow |
id | mail_pop_cyruspopsub |
osvdb | 25853 |
title | cyrus_imap_pop3d_subfolders_rh |
type | remote |
Statements
contributor | Mark J Cox |
lastmodified | 2006-08-30 |
organization | Red Hat |
statement | Not vulnerable. This issue does not affect the versions of cyrus-imapd distributed with Red Hat Enterprise Linux. |