Cyrus IMAPD Buffer Overflow Vulnerability

vendor:

Cyrus IMAPD

by:

SecurityFocus

7.5

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: Cyrus IMAPD

Affected Version From: 1.6.24

Affected Version To: 2.1.16

Patch Exists: YES

Related CWE: CVE-2002-0661

CPE: a:cyrusimap:cyrus_imapd

Metasploit: https://www.rapid7.com/db/vulnerabilities/apache-httpd-2_0_x-path-vulnerability-cve-2002-0661/, https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2002-0661/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix and Linux

2002

Cyrus IMAPD Buffer Overflow Vulnerability

Cyrus IMAPD does not sufficiently handle overly long strings. In some cases, when a user connects to the daemon, and upon negotiating the connection sends a login string of excessive length, a buffer overflow occurs. This could result in heap corruption and arbitrary words in memory being overwritten. It may be possible to exploit this issue to execute arbitrary code.

Mitigation:

Upgrade to the latest version of Cyrus IMAPD.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6298/info

Cyrus IMAPD is a freely available, open source Interactive Mail Access Protocol (IMAP) daemon. It is available for Unix and Linux operating systems.

It has been reported that Cyrus IMAPD does not sufficiently handle overly long strings. In some cases, when a user connects to the daemon, and upon negotiating the connection sends a login string of excessive length, a buffer overflow occurs. This could result in heap corruption and arbitrary words in memory being overwritten. It may be possible to exploit this issue to execute arbitrary code.

perl -e 'print "x login {4294967295}\r\n\xf0\xef\xff\xbf\x90\xef\xff\xbf\xfc\xff\xff\xff\xfc\xff\xff\xff";'|nc localhost imap2
<ctrl-c>