CVE-2006-2502 - Remote Buffer Overflow vulnerability in Cyrus Imapd 2.3.2

CVSS 5.1 - MEDIUM
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, high complexity, cyrus, exploit available, metasploit

Summary

Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.

Vulnerable Configurations

Part         Description  Count
Application  Cyrus        1

Exploit-Db

  • description: Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow. CVE-2006-2502. Remote exploit for linux platform
    id: EDB-ID:16836
    last seen: 2016-02-02
    modified: 2010-04-30
    published: 2010-04-30
    reporter: metasploit
    source: https://www.exploit-db.com/download/16836/
    title: Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
  • description: Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3). CVE-2006-2502. Remote exploit for linux platform
    id: EDB-ID:2185
    last seen: 2016-01-31
    modified: 2006-08-14
    published: 2006-08-14
    reporter: K-sPecial
    source: https://www.exploit-db.com/download/2185/
    title: Cyrus IMAPD 2.3.2 pop3d Remote Buffer Overflow Exploit 3
  • description: Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit. CVE-2006-2502. Remote exploit for linux platform
    id: EDB-ID:1813
    last seen: 2016-01-31
    modified: 2006-05-21
    published: 2006-05-21
    reporter: kingcope
    source: https://www.exploit-db.com/download/1813/
    title: Cyrus IMAPD 2.3.2 pop3d Remote Buffer Overflow Exploit

Metasploit

description: This exploit takes advantage of a stack-based overflow. Once the stack corruption has occurred it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write anything anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with a version containing the vulnerable code, it is not exploitable due to the use of the FORTIFY_SOURCE compiler enhancement.
id: MSF:EXPLOIT/LINUX/POP3/CYRUS_POP3D_POPSUBFOLDERS
last seen: 2020-06-01
modified: 2017-07-24
published: 2009-12-15
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb
title: Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow

Packetstorm

data source: https://packetstormsecurity.com/files/download/84584/cyrus_pop3d_popsubfolders.rb.txt
id: PACKETSTORM:84584
last seen: 2016-12-05
published: 2009-12-31
reporter: bannedit
source: https://packetstormsecurity.com/files/84584/Cyrus-IMAPD-pop3d-popsubfolders-USER-Buffer-Overflow.html
title: Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow

Saint

  • bid: 18056
    description: Cyrus IMAP pop3d popsubfolders buffer overflow
    id: mail_pop_cyruspopsub
    osvdb: 25853
    title: cyrus_imap_pop3d_subfolders
    type: remote
  • bid: 18056
    description: Cyrus IMAP pop3d popsubfolders buffer overflow
    id: mail_pop_cyruspopsub
    osvdb: 25853
    title: cyrus_imap_pop3d_subfolders_rh
    type: remote

Statements

contributor: Mark J Cox
lastmodified: 2006-08-30
organization: Red Hat
statement: Not vulnerable. This issue does not affect the versions of cyrus-imapd distributed with Red Hat Enterprise Linux.