
Qualcomm WorldMail Multiple IMAP Command Remote Overflow

2005-12-20 00:00:00
This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.

The remote host is running a version of Qualcomm WorldMail's IMAP service that is prone to a buffer overflow attack triggered when processing a long command with a closing brace.

An attacker can exploit this flaw to execute arbitrary code subject to the privileges of the affected application.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

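# Plugin registration: runs only when the engine loads the script for its
# metadata. Indentation is made uniform (the CVSS/exploit lines were one
# space in) and the current spelling script_dependencies() is used.
if (description)
{
  script_id(20336);
  script_version("1.16");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2005-4267");
  script_bugtraq_id(15980);

  script_name(english:"Qualcomm WorldMail Multiple IMAP Command Remote Overflow");
  script_summary(english:"Checks for buffer overflow in Qualcomm WorldMail's IMAP service");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to execute code on the remote IMAP server." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Qualcomm WorldMail's IMAP
service that is prone to a buffer overflow attack triggered when
processing a long command with a closing brace. 

An attacker can exploit this flaw to execute arbitrary code subject to
the privileges of the affected application." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/1037" );
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?955a6b52" );
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/20");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/20");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Banner-only check, so it stays in the safe gather-info category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_dependencies("find_service1.nasl", "global_settings.nasl");
  script_exclude_keys("imap/false_imap");
  script_require_ports("Services/imap", 143);

  exit(0);
}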

include ("imap_func.inc");

# Locate the IMAP service, falling back to the default port when the KB
# has no entry for it.
port = get_kb_item("Services/imap");
if (!port) port = 143;

# Nothing to test when an earlier plugin decided the service is not real
# IMAP, or when the port is not open.
if (get_kb_item("imap/false_imap")) exit(0);
if (!get_port_state(port)) exit(0);

# Expected greeting, e.g. "* OK  WorldMail 3 IMAP4 Server 6.1.22.0 ready".
# Anything that does not identify itself as WorldMail is out of scope.
banner = get_imap_banner(port:port);
if (!banner) exit(0);
if ("WorldMail" >!< banner) exit(0);

# The greeting carries a four-part build number; only a banner in the
# expected layout is evaluated, so an unfamiliar banner yields no result
# rather than a guess.
if (egrep (pattern:"\* OK  WorldMail [0-3] IMAP4 Server [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ ready", string:banner))
{
  ver_str = ereg_replace (pattern:".* OK  WorldMail [0-3] IMAP4 Server ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ready", string:banner, replace:"\1");
  ver = split (ver_str, sep:'.', keep:FALSE);

  # Affected: 6.1.22.0 and everything below it, i.e. any build that sorts
  # before 6.1.22.1 when compared component by component.
  first_fixed = make_list(6, 1, 22, 1);
  vuln = FALSE;
  for (i = 0; i < 4; i++)
  {
    component = int(ver[i]);
    if (component < first_fixed[i]) { vuln = TRUE; break; }
    if (component > first_fixed[i]) break;
  }

  if (vuln) security_hole(port);
}