7.5 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.923 High
EPSS
Percentile
99.0%
The remote host appears to be running UoW IMAP Server. The installed version is affected by a buffer overflow vulnerability because the software fails to verify input length of arguments to the ‘LIST’, ‘COPY’, ‘RENAME’, ‘FIND’, ‘LSUB’ commands. An attacker, exploiting this flaw could execute arbitrary commands subject to the privileges of the connected user.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if(description)
{
script_id(10625);
script_version ("1.29");
script_cve_id("CVE-2000-0284");
script_bugtraq_id(1110);
script_name(english:"UoW imapd (UW-IMAP) Multiple Command Remote Overflows");
script_set_attribute(attribute:"synopsis", value:
"The remote IMAP server is affected by multiple remote buffer overflow
vulnerabilities." );
script_set_attribute(attribute:"description", value:
"The remote host appears to be running UoW IMAP Server. The installed
version is affected by a buffer overflow vulnerability because the
software fails to verify input length of arguments to the 'LIST',
'COPY', 'RENAME', 'FIND', 'LSUB' commands. An attacker, exploiting
this flaw could execute arbitrary commands subject to the privileges
of the connected user." );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Apr/63" );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Apr/74" );
script_set_attribute(attribute:"see_also", value:"https://packetstormsecurity.com/0104-exploits/imap-lsub.pl" );
script_set_attribute(attribute:"see_also", value:"http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=2442" );
script_set_attribute(attribute:"solution", value:
"Upgrade to imap-2000 or higher, as this reportedly fixes the issue." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'UoW IMAP Server LSUB Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2001/03/01");
script_set_attribute(attribute:"vuln_publication_date", value: "2000/04/16");
script_cvs_date("Date: 2018/11/15 20:50:22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"checks for a buffer overflow in imapd");
script_category(ACT_MIXED_ATTACK); # mixed
script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
script_family(english:"Gain a shell remotely");
script_dependencie("find_service1.nasl", "logins.nasl");
script_require_ports("Services/imap", 143);
script_exclude_keys("imap/false_imap");
exit(0);
}
#
# The script code starts here
#
port = get_kb_item("Services/imap");
if(!port)port = 143;
acct = get_kb_item("imap/login");
pass = get_kb_item("imap/password");
if((!pass) ||
(safe_checks()))
{
banner = get_kb_item(string("imap/banner/", port));
if(!banner)
{
if(get_port_state(port))
{
soc = open_sock_tcp(port);
if(!soc)exit(0);
banner = recv_line(socket:soc, length:4096);
close(soc);
}
}
if("IMAP4rev" >< banner)
{
if(ereg(pattern:".*IMAP4rev.* v12\.([0-1].*|2([0-5].*|6[0-4]))",
string:banner))
{
alrt = string(
"\n",
"*** Nessus solely relied on the server banner to \n",
"*** issue this warning.\n",
"\n"
);
security_hole(port:port, extra:alrt);
}
}
exit(0);
}
if((acct == "")||(pass == ""))exit(0);
if(get_port_state(port))
{
soc = open_sock_tcp(port);
b = recv_line(socket:soc, length:1024);
if(!strlen(b)){
close(soc);
exit(0);
}
s1 = string("1 login ", acct, " ", pass, "\r\n");
send(socket:soc, data:s1);
b = recv_line(socket:soc, length:1024);
s2 = string("1 lsub ", raw_string(0x22, 0x22), " {1064}\r\n");
send(socket:soc, data:s2);
c = recv_line(socket:soc, length:1024);
s3 = string(crap(1064), "\r\n");
send(socket:soc, data:s3);
c = recv_line(socket:soc, length:1024);
if(strlen(c) == 0)security_hole(port);
close(soc);
}